Date:      Thu, 5 Jan 2012 17:16:43 +0100
From:      Rainer Duffner <rainer@ultra-secure.de>
To:        Wolfgang Zenker <wolfgang@lyxys.ka.sub.org>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: FTPS Server?
Message-ID:  <8B259221-6A70-4D3C-ABA7-D74B2C9F9F14@ultra-secure.de>
In-Reply-To: <20120105153724.GA91242@lyxys.ka.sub.org>
References:  <4F059BEA.3000508@denninger.net> <4F05A7D5.8000403@infracaninophile.co.uk> <20120105153724.GA91242@lyxys.ka.sub.org>


On 05.01.2012 at 16:37, Wolfgang Zenker wrote:

> Hi everyone,
>
> * Matthew Seaman <m.seaman@infracaninophile.co.uk> [120105 14:38]:
>> On 05/01/2012 12:47, Karl Denninger wrote:
>>> Not SFTP (which is supported by the sshd) but FTPS.... is it supported
>>> by FreeBSD?
>
>> No, not supported in the base system.
>
>>> [..]
>> However, personally, I'd avoid FTPS.  It suffers from most of the design
>> flaws of standard FTP[*], particularly as regards passing through
>> firewalls.  Worse, because the traffic is encrypted, you can't even use
>> tools like ftp-proxy (in ports as ftp/ftp-proxy) to extract transient
>> port numbers by deep packet inspection.  As far as your users are
>> concerned, just use SFTP.  It behaves exactly like an ordinary FTP
>> client, but the underlying SSH protocol over the network is way, way
>> better designed.
>
> Well, the problem I have here is at the server side: ftp users can be
> locked in a particular subtree of the file system by simply assigning
> them a chrooted login class. No need to setup any infrastructure in
> that subtree itself. Did not find out how to do this with sftp (we only
> allow publickey authentication with ssh at our servers)
>
> Wolfgang
It is possible.

See the chroot configuration in the man page for sshd_config.

If you have a sufficiently complete chroot environment, you can even do chroot'ed ssh login sessions.
Rainer
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?8B259221-6A70-4D3C-ABA7-D74B2C9F9F14>