Subject: Re: Deprecating ftpd in the FreeBSD base system?
From: Michael Gmelin
Date: Wed, 16 Sep 2020 20:30:16 +0200
To: sthaug@nethelp.no
Cc: emaste@freebsd.org, freebsd-current@freebsd.org
Message-Id: <5813CAD8-A5A6-4116-968D-D49B0D775ADA@grem.de>
In-Reply-To: <20200916.200732.288885950.sthaug@nethelp.no>

> On 16. Sep 2020, at 20:08, sthaug@nethelp.no wrote:
>
>>
>> FTP is (becoming?) a legacy protocol, and I think it may be time to
>> remove the ftp server from the FreeBSD base system - with the recent
>> security advisory for ftpd serving as a reminder.
>>
>> I've proposed adding a deprecation notice to the man page in
>> https://reviews.freebsd.org/D26447 to start this off.
>> There are a number of ftp servers in ports, and if we're going to
>> remove the base system one we can create a port for it first, as well.
>>
>> Any comments or concerns, please follow up in the code review or in email here.
>
> Could we, at the same time, improve the documentation for sftp? I had
> to move an FTP server (with one chrooted user) from FTP to sftp today.
> I did:
>
> 1. Add sftp user to /etc/passwd, with /usr/sbin/nologin as the shell.
> 2. Patch sshd config as follows:
>
> --- etc/ssh/sshd_config.orig 2018-06-16 22:04:20.868762000 +0200
> +++ etc/ssh/sshd_config 2020-09-16 10:10:53.133211000 +0200
> @@ -112,7 +112,7 @@
> #Banner none
>
> # override default of no subsystems
> -Subsystem sftp /usr/libexec/sftp-server
> +Subsystem sftp internal-sftp -l INFO
>
> # Example of overriding settings on a per-user basis
> #Match User anoncvs
> @@ -120,3 +120,8 @@
> # AllowTcpForwarding no
> # PermitTTY no
> # ForceCommand cvs server
> +Match User sftp
> +ChrootDirectory /usr/local/ftp/sftp
> +ForceCommand internal-sftp -l INFO
> +X11Forwarding no
> +AllowTcpForwarding no
>
> 3. Ensure all levels of /usr/local/ftp/sftp are owned by root.
> 4. Create /usr/local/ftp/sftp/dev and add the following line to
> /etc/rc.conf:
>
> syslogd_flags="-s -l /usr/local/ftp/sftp/dev/log"
>
> Btw, I could not get /usr/libexec/sftp-server to work. Cryptic error
> message: "Received message too long 1416128883". Googling that one
> eventually led me to the internal-sftp subsystem and the rest of the
> sshd_config changes. The sshd_config man page is good, but I couldn't
> find anything about arguments (e.g. -l) for internal-sftp.

In case it helps, I documented an example sftp setup as part of the paperless port's man page last year:

https://svnweb.freebsd.org/ports/head/deskutils/py-paperless/files/paperless.7.in?revision=521891&view=co

-m

>
> Steinar Haug, Nethelp consulting, sthaug@nethelp.no
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
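Review bot: the `+Subsystem sftp internal-sftp -l INFO` line in the first hunk (`@@ -112,7 +112,7 @@`) changes the SFTP server for every account on the host, not only the chrooted one, while the `ForceCommand internal-sftp -l INFO` in the second hunk already covers the sftp user by itself; if the intent is just the one chrooted account, the global line can stay as `Subsystem sftp /usr/libexec/sftp-server`, and the reason the Match block needs internal-sftp deserves a comment in the file. That reason also explains the "Received message too long 1416128883" error: the external sftp-server is started through the user's login shell, which step 1 set to /usr/sbin/nologin, so the client received nologin's "This account is currently not available." text instead of an SFTP packet and read its first four bytes as a length field (1416128883 is 0x54686973, ASCII "This"); internal-sftp runs inside sshd and never invokes the shell, which also matters because neither the shell nor /usr/libexec/sftp-server exists inside a ChrootDirectory. The `-l INFO` option is documented in sftp-server(8); sshd_config(5) states under Subsystem that internal-sftp accepts the same command line arguments as sftp-server.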
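Review bot: the `+ChrootDirectory /usr/local/ftp/sftp` line in the second hunk (`@@ -120,3 +120,8 @@`) is only honoured by sshd when every component of that path is owned by root and is not group- or world-writable, so step 3 should mention the write bits as well as ownership; a 0775 or 0777 directory anywhere on the path makes sshd refuse the login with a "bad ownership or modes for chroot directory" error. Consider adding `PermitTTY no` beside `X11Forwarding no` and `AllowTcpForwarding no`, mirroring the commented example directly above the hunk, so a pty request is refused outright rather than relying on ForceCommand alone. The `-l INFO` in `+ForceCommand internal-sftp -l INFO` makes the in-process server log through syslog from inside the chroot, which only works because step 4 has syslogd create the socket /usr/local/ftp/sftp/dev/log; that dependency is worth stating next to the Match block, since without the socket the transfer log is silently lost.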