Date:      23 Apr 2002 18:58:18 -0600
From:      John-David Childs <jdc@nterprise.net>
To:        Scott Pilz <tech@tznet.com>
Cc:        freebsd-questions@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Subject:   Re: Secure Shell/FTP Questions
Message-ID:  <1019609899.26506.124.camel@lohr.digitalglobe.com>
In-Reply-To: <20020417192702.P43790-100000@mail.tznet.com>
References:  <20020417192702.P43790-100000@mail.tznet.com>

On Wed, 2002-04-17 at 18:32, Scott Pilz wrote:
> 
> 	I have two questions that no one seems to be able to answer for me
> - nor can I find any straight forward answers over the internet. This is
> my last hope . . .
> 
> 	#1: sshd is enabled, and works - however, to my understanding you
> cannot have secure ftp connections chrooted directly to the users home
> directory like you can on normal FTP by putting the username in
> /etc/ftpchroot.

Correct.

> Can this be done? 

Yes.  The easiest way to do it is to install the SSH Software from the
official SSH Communications Security Corp (SSH.COM, not OpenSSH.COM)
package (/usr/ports/security/ssh2 in a recent ports build).  This will
install a program called ssh-dummy-shell, which should be the shell for
all users on your system.  You must be able to qualify for the
non-commercial version license.

From the license: To qualify for a Non-Commercial Version License, You
must: (1) use the Software solely on a system under the Linux, FreeBSD,
NetBSD, or OpenBSD operating system (whether for commercial or
non-commercial use), or (2) use the Software for non-commercial purposes
as defined herein and be a Non-Commercial Entity as defined herein, or
(3) be an University User as defined herein, or (4) be an Excluded
Contractor as defined herein.

Here's a link to a FAQ on the subject of CHROOTing sftp on Linux...

http://www.ssh.com/faq/index.cfm?id=687

In essence, you must build a static SSHd, put your sftp-users (or all
users) in the same group, and add that group to the sshd2_config file
(ChRootGroup <groupname>)
============================

If you want to do this with OpenSSH, then you probably need to build
your own ssh-dummy-shell (or something equivalent).  All it really needs
to do is call chroot and exec sftp-server (so sftp-server has to be
available in the chrooted environment, and has to be a statically-linked
binary).  A google search will come up with at least one example of
this (I was researching this very issue a few weeks ago).


> Is there another freeware program for
> BSD that supports SSH/FTP that can do this?
> 

> 	Lastly, what are most ISP's doing as far as secure shells and what
> not? Is this the popular way of doing it, or is there a better way out
> there?
> 

Currently, shells on the systems I admin are set to either /bin/false or
/usr/bin/passwd.  I'm looking at doing sftp-dummy-shell myself though on
a new machine used for S/FTP.

> 	thanks in advance,
> 
> Scott
> 
> 



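An added example, not code from the thread, of the OpenSSH-side "dummy shell" John-David describes above: it accepts only the sftp subsystem invocation, checks the jail directory, chroots to the user's home, drops privileges and execs a statically linked sftp-server. The jail path ($HOME/sftp-server) and installing the wrapper setuid root as the login shell are assumptions.

```c
/* Minimal chroot "dummy shell" for OpenSSH sftp-only users (added example,
 * not from the thread). Installed setuid root as the login shell; sshd then
 * runs it as "<shell> -c /usr/libexec/sftp-server" for the sftp subsystem.
 * Assumes a statically linked sftp-server was copied to $HOME/sftp-server. */
#define _DEFAULT_SOURCE
#include <sys/types.h>
#include <sys/stat.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Accept only the exact invocation sshd uses for the sftp subsystem, so the
 * shell cannot be used for interactive logins, scp or arbitrary commands. */
int is_sftp_request(int argc, char **argv) {
    if (argc != 3 || strcmp(argv[1], "-c") != 0)
        return 0;
    const char *base = strrchr(argv[2], '/');
    base = base ? base + 1 : argv[2];
    return strcmp(base, "sftp-server") == 0;
}

/* The jail must be root-owned and not group/world writable, otherwise the
 * user could plant files that subvert the chroot (the rule OpenSSH itself
 * enforces for ChrootDirectory). */
int jail_dir_ok(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    return st.st_uid == 0 && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

int main(int argc, char **argv) {
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL || !is_sftp_request(argc, argv) || !jail_dir_ok(pw->pw_dir)) {
        fprintf(stderr, "This account is restricted to sftp.\n");
        return 1;
    }
    /* chroot needs root; chdir("/") afterwards is mandatory or the process
     * keeps a working directory outside the jail. Then drop all privileges. */
    if (chroot(pw->pw_dir) != 0 || chdir("/") != 0)
        return 1;
    if (setgroups(1, &pw->pw_gid) != 0 || setgid(pw->pw_gid) != 0 ||
        setuid(pw->pw_uid) != 0 || setuid(0) == 0)
        return 1;                /* privilege drop failed or could be undone */
    execl("/sftp-server", "sftp-server", (char *)NULL);
    return 1;                    /* exec failed: never fall back to a shell */
}
```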



