Date: Thu, 5 Jan 2012 19:28:20 +0000 From: Malcolm Waltz <mwaltz@PACIFIC.EDU> To: 'Karl Denninger' <karl@denninger.net> Cc: "freebsd-stable@freebsd.org" <freebsd-stable@freebsd.org> Subject: RE: FTPS Server? Message-ID: <3FC253955232794A901643A205013D3617B6F15C@exmb2.stk.pacific.edu> In-Reply-To: <4F05AF28.5010900@denninger.net> References: <4F059BEA.3000508@denninger.net> <4F05A7D5.8000403@infracaninophile.co.uk> <4F05AF28.5010900@denninger.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi Karl, I recently built a server (FreeBSD 8.2 with ZFS and Jails) that runs both S= FTP (OpenSSH) and FTPS (data and control channels explicitly encrypted, a.k= .a. FTPES). Not that you will need it, but for SFTP, ezjail + sshd_enable + scponly wor= ks well. In my opinion, using Jails is more elegant than doing a chroot co= nfig with scponly and sshd. I thought otherwise until I started to actuall= y to implement it. For an FTPS server I would strongly recommend vsftpd. lftp is a good clien= t to test with. I've included a working vsftpd.conf below for FTPES. For what you are doin= g, you may not need all of these parameters. The pasv_ parameters are most= ly only necessary if you need to serve data through a NAT/firewall. The pa= sv_min_port and pasv_max_port will effect how many simultaneous connections= can be supported by the server. You may have to try various permutations = depending on how EyeFi has implemented their client. If you Google vsftpd.= conf, you will probably find various sets of instructions for how to set it= up for your needs. It helps if you know exactly what the client is expect= ing. There are a number of variations on the standard. vsftpd can handle = all of them I believe. Also tools like tcpdump, wireshark, netstat and lso= f are your friends here. ################################################################ anonymous_enable=3DNO local_enable=3DYES write_enable=3DYES local_umask=3D077 dirmessage_enable=3DNO xferlog_enable=3DYES nopriv_user=3Dftpsecure chroot_local_user=3DYES secure_chroot_dir=3D/usr/local/share/vsftpd/empty listen=3DYES background=3DYES syslog_enable=3DYES ssl_enable=3DYES debug_ssl=3DYES rsa_private_key_file=3D<path-to-private-key> rsa_cert_file=3D<path-to-valid-SSL-cert> ca_certs_file=3D<path-to-CA-intermediate-cert> ssl_sslv2=3DNO ssl_sslv3=3DNO ssl_tlsv1=3DYES force_local_logins_ssl=3DYES force_local_data_ssl=3DYES strict_ssl_read_eof=3DNO require_ssl_reuse=3DNO pasv_enable=3DYES pasv_address=3D<external-NAT-address> pasv_min_port=3D<fixed-TCP-port-range-min> pasv_max_port=3D<fixed-TCP-port-range-max> passwd_chroot_enable=3DYES listen_address=3D<internal-IP-address> userlist_enable=3DYES userlist_deny=3DNO userlist_file=3D/usr/local/etc/vsftpd.user_list check_shell=3DNO ################################################################ Good luck, Malcolm Waltz Unix Systems Administrator III Office of Information Technology University of the Pacific -----Original Message----- From: owner-freebsd-stable@freebsd.org [mailto:owner-freebsd-stable@freebsd= .org] On Behalf Of Karl Denninger Sent: Thursday, January 05, 2012 6:10 AM To: Matthew Seaman Cc: freebsd-stable@freebsd.org Subject: Re: FTPS Server? On 1/5/2012 7:38 AM, Matthew Seaman wrote: > On 05/01/2012 12:47, Karl Denninger wrote: >> Not SFTP (which is supported by the sshd) but FTPS.... is it supported >> by FreeBSD? > No, not supported in the base system. > >> This question may belong on the ports list, but a quick perusal there >> didn't find anything particularly interesting (one possible candidate is >> marked broken) > Several of the ftp daemons in the ports should be capable of running > FTPS. 10 seconds with Google turns up HOWTOs for setting up either > vsftpd or proftpd to provide FTPS support. > > However, personally, I'd avoid FTPS. It suffers from most of the design > flaws of standard FTP[*], particularly as regards passing through > firewalls. Worse, because the traffic is encrypted, you can't even use > tools like ftp-proxy (in ports as ftp/ftp-proxy) to extract transient > port numbers by deep packet inspection. As far as your users are > concerned, just use SFTP. It behaves exactly like an ordinary FTP > client, but the underlying SSH protocol over the network is way, way > better designed. > > Cheers, > > Matthew > > [*] Miserable, archaic and long overdue to be put out of our misery. Yes, I understand all the arguments against, but I have an EyeFi card here (SD card with a built in Wifi transmitter for use in cameras) that does not know how to deal with SFTP. So if I want to do anything other than transfer to a Windows machine (barf!) I am stuck with either FTP (no encryption at all and subject to be picked off via trivial means while the data is in flight) or FTPS (which has its own set of issues.) The ability to immediately get images shot in the field out of the camera and onto stable storage via a Wifi hotspot running on the phone in my pocket looks really good, but I'll be damned if I'm going to base that on a Windows machine. I understand that ftps bites but.... -- Karl _______________________________________________ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3FC253955232794A901643A205013D3617B6F15C>