From: Rainer Duffner <rainer@ultra-secure.de>
To: Wolfgang Zenker
Cc: freebsd-stable@freebsd.org
Subject: Re: FTPS Server?
Date: Thu, 5 Jan 2012 17:16:43 +0100
Message-Id: <8B259221-6A70-4D3C-ABA7-D74B2C9F9F14@ultra-secure.de>
In-Reply-To: <20120105153724.GA91242@lyxys.ka.sub.org>

On 05.01.2012 at 16:37, Wolfgang Zenker wrote:

> Hi everyone,
>
> * Matthew Seaman [120105 14:38]:
>> On 05/01/2012 12:47, Karl Denninger wrote:
>>> Not SFTP (which is supported by the sshd) but FTPS.... is it supported
>>> by FreeBSD?
>
>> No, not supported in the base system.
>
>>> [..]
>> However, personally, I'd avoid FTPS. It suffers from most of the design
>> flaws of standard FTP[*], particularly as regards passing through
>> firewalls. Worse, because the traffic is encrypted, you can't even use
>> tools like ftp-proxy (in ports as ftp/ftp-proxy) to extract transient
>> port numbers by deep packet inspection. As far as your users are
>> concerned, just use SFTP. It behaves exactly like an ordinary FTP
>> client, but the underlying SSH protocol over the network is way, way
>> better designed.
>
> Well, the problem I have here is at the server side: ftp users can be
> locked in a particular subtree of the file system by simply assigning
> them a chrooted login class. No need to set up any infrastructure in
> that subtree itself. Did not find out how to do this with sftp (we only
> allow publickey authentication with ssh at our servers).
>
> Wolfgang

It is possible. See the chroot configuration in the man page for sshd_config.

If you have a sufficiently complete chroot environment, you can even do chroot'ed ssh login sessions.

Rainer
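The kind of sshd_config chroot setup the reply points at, as an added example that is not from this thread: a hypothetical `sftponly` group confined by `ChrootDirectory`, together with a POSIX shell check for the rule sshd enforces on that path (every component root-owned and not group/world-writable), which is the usual reason such a setup fails at login. The group name and the `/home/sftp` layout are assumptions; adjust them to the local system.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a hypothetical group "sftponly"
# and per-user chroot roots under /home/sftp.

# sshd_config fragment, kept in a variable so this file is self-contained.
# %u expands to the user name. The chroot root itself must be root-owned and
# not group/world-writable, so give the user a writable subdirectory inside
# it, e.g. /home/sftp/<user>/upload owned by that user.
SSHD_MATCH_BLOCK='
Match Group sftponly
    ChrootDirectory /home/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
'

# chroot_component_ok DIR UID: one directory passes if it exists, is owned
# by UID and is not writable by group or others. Uses ls -ldn (POSIX), so it
# behaves the same on FreeBSD and GNU userlands.
chroot_component_ok() {
    d=$1; want_uid=$2
    [ -d "$d" ] || { echo "not a directory: $d" >&2; return 1; }
    set -- $(ls -ldn "$d")
    mode=$1; uid=$3            # mode string, numeric owner uid
    case $mode in              # char 6 = group write bit, char 9 = other write bit
        ?????w*|????????w*) echo "group/world writable: $d" >&2; return 1 ;;
    esac
    [ "$uid" = "$want_uid" ] || { echo "owned by uid $uid, want $want_uid: $d" >&2; return 1; }
    return 0
}

# check_chroot_path DIR: sshd refuses a ChrootDirectory unless every
# component from DIR up to / passes the rule above with root (uid 0) as owner.
check_chroot_path() {
    p=$1
    case $p in /*) ;; *) echo "need an absolute path: $p" >&2; return 1 ;; esac
    while :; do
        chroot_component_ok "$p" 0 || return 1
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return 0
}

# Typical use on the server: check_chroot_path /home/sftp/alice, then append
# $SSHD_MATCH_BLOCK to /etc/ssh/sshd_config and validate it with: sshd -t
```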