Date:      Wed, 16 Sep 2020 20:30:16 +0200
From:      Michael Gmelin <freebsd@grem.de>
To:        sthaug@nethelp.no
Cc:        emaste@freebsd.org, freebsd-current@freebsd.org
Subject:   Re: Deprecating ftpd in the FreeBSD base system?
Message-ID:  <5813CAD8-A5A6-4116-968D-D49B0D775ADA@grem.de>
In-Reply-To: <20200916.200732.288885950.sthaug@nethelp.no>
References:  <20200916.200732.288885950.sthaug@nethelp.no>



> On 16. Sep 2020, at 20:08, sthaug@nethelp.no wrote:
>
>
>>
>> FTP is (becoming?) a legacy protocol, and I think it may be time to
>> remove the ftp server from the FreeBSD base system - with the recent
>> security advisory for ftpd serving as a reminder.
>>
>> I've proposed adding a deprecation notice to the man page in
>> https://reviews.freebsd.org/D26447 to start this off. There are a
>> number of ftp servers in ports, and if we're going to remove the base
>> system one we can create a port for it first, as well.
>>
>> Any comments or concerns, please follow up in the code review or in email here.
>
> Could we, at the same time, improve the documentation for sftp? I had
> to move an FTP server (with one chrooted user) from FTP to sftp today.
> I did:
>
> 1. Add sftp user to /etc/passwd, with /usr/sbin/nologin as the shell.
> 2. Patch sshd config as follows:
>
> --- etc/ssh/sshd_config.orig    2018-06-16 22:04:20.868762000 +0200
> +++ etc/ssh/sshd_config    2020-09-16 10:10:53.133211000 +0200
> @@ -112,7 +112,7 @@
> #Banner none
>=20
> # override default of no subsystems
> -Subsystem    sftp    /usr/libexec/sftp-server
> +Subsystem    sftp    internal-sftp -l INFO
>=20
> # Example of overriding settings on a per-user basis
> #Match User anoncvs
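Review bot: the Subsystem line is a global setting, so swapping /usr/libexec/sftp-server for `internal-sftp -l INFO` in this hunk changes the sftp server for every account on the host, not only the chrooted one. The `Match User sftp` block added further down already forces `internal-sftp -l INFO` for that account, so if other users should keep the external sftp-server this hunk can be dropped; if the global switch is intended, it is worth saying so next to the change.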
> @@ -120,3 +120,8 @@
> #    AllowTcpForwarding no
> #    PermitTTY no
> #    ForceCommand cvs server
> +Match User sftp
> +ChrootDirectory    /usr/local/ftp/sftp
> +ForceCommand internal-sftp -l INFO
> +X11Forwarding no
> +AllowTcpForwarding no
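Review bot: the new `Match User sftp` block carries `X11Forwarding no` and `AllowTcpForwarding no` but drops the `PermitTTY no` that the commented example directly above it shows; with `ForceCommand internal-sftp` no TTY is ever needed, so add `PermitTTY no` as a third restriction. Also note that sshd honours `ChrootDirectory /usr/local/ftp/sftp` only when every component of that path is root-owned and not writable by group or others, so step 3's "owned by root" should be paired with a mode check on each component as well.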
>
> 3. Ensure all levels of /usr/local/ftp/sftp are owned by root.
> 4. Create /usr/local/ftp/sftp/dev and add the following line to
> /etc/rc.conf:
>=20
> syslogd_flags="-s -l /usr/local/ftp/sftp/dev/log"
>
> Btw, I could not get /usr/libexec/sftp-server to work. Cryptic error
> message: "Received message too long 1416128883". Googling that one
> eventually led me to the internal-sftp subsystem and the rest of the
> sshd_config changes. The sshd_config man page is good, but I couldn't
> find anything about arguments (e.g. -l) for internal-sftp.

In case it helps, I documented an example sftp setup as part of the paperless port's man page last year:

https://svnweb.freebsd.org/ports/head/deskutils/py-paperless/files/paperless.7.in?revision=521891&view=co

-m

>
> Steinar Haug, Nethelp consulting, sthaug@nethelp.no
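As an added example (my own, not code from the thread or from the FreeBSD project), a small POSIX sh check for the chroot layout that steps 3 and 4 of the quoted procedure describe: sshd only accepts a ChrootDirectory whose every path component is root-owned and not group- or world-writable, and `-l INFO` logging from inside the chroot needs the syslog socket at dev/log. The uid and stop-directory parameters are assumptions of this script so the check can also be run against a scratch tree.

```sh
#!/bin/sh
# check_sftp_chroot.sh (added example): verify the two preconditions an
# internal-sftp chroot like /usr/local/ftp/sftp depends on.
# Assumptions: POSIX sh with ls(1) and awk(1); the expected owner uid and the
# topmost directory to inspect are parameters (defaults: uid 0, stop at /).

# check_chroot_path DIR [UID] [STOP]: return 0 if DIR and every parent up to
# STOP are owned by UID and have neither the group nor the other write bit.
check_chroot_path() {
    dir=$1; want_uid=${2:-0}; stop=${3:-/}; p=$dir; rc=0
    while :; do
        # $1 becomes the g/o write characters ("--", "w-", "-w", "ww"),
        # $2 the numeric owner, both taken from "ls -ldn" output
        set -- $(ls -ldn "$p" | awk '{print substr($1,6,1) substr($1,9,1), $3}')
        bits=$1; uid=$2
        if [ "$uid" != "$want_uid" ]; then
            echo "BAD: $p is owned by uid $uid, expected $want_uid"; rc=1
        fi
        case $bits in
            *w*) echo "BAD: $p is group- or world-writable"; rc=1 ;;
        esac
        [ "$p" = "$stop" ] || [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# check_chroot_log_socket DIR: return 0 if DIR/dev/log is a socket, i.e. the
# target of "syslogd_flags=-s -l DIR/dev/log" from step 4 exists.
check_chroot_log_socket() {
    if [ -S "$1/dev/log" ]; then
        return 0
    fi
    echo "BAD: no syslog socket at $1/dev/log; -l INFO output will be lost"
    return 1
}

# show_effective_sftp_config USER: print the settings sshd would apply to USER
# after Match evaluation (sshd -T -C; run as root so host keys are readable).
show_effective_sftp_config() {
    sshd -T -C user="$1" |
        grep -Ei '^(subsystem|chrootdirectory|forcecommand|allowtcpforwarding|x11forwarding|permittty) '
}

# Usage on the setup from the mail (as root):
#   check_chroot_path /usr/local/ftp/sftp && check_chroot_log_socket /usr/local/ftp/sftp
#   show_effective_sftp_config sftp
```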