From: Rainer Duffner
Date: Sun, 8 Jan 2012 20:13:46 +0100
To: Jeremy Chadwick
Cc: freebsd-stable@freebsd.org
Subject: Re: FTPS Server?
In-Reply-To: <20120105192634.GA69685@icarus.home.lan>
Message-Id: <28CC275C-F2BD-44BB-B75D-857A004E8C65@ultra-secure.de>
On 05.01.2012 at 20:26, Jeremy Chadwick wrote:

> On Thu, Jan 05, 2012 at 05:16:43PM +0100, Rainer Duffner wrote:
>>
>> On 05.01.2012 at 16:37, Wolfgang Zenker wrote:
>>
>>> Hi everyone,
>>>
>>> * Matthew Seaman [120105 14:38]:
>>>> On 05/01/2012 12:47, Karl Denninger wrote:
>>>>> Not SFTP (which is supported by the sshd) but FTPS.... is it supported
>>>>> by FreeBSD?
>>>
>>>> No, not supported in the base system.
>>>
>>>>> [..]
>>>> However, personally, I'd avoid FTPS. It suffers from most of the design
>>>> flaws of standard FTP[*], particularly as regards passing through
>>>> firewalls. Worse, because the traffic is encrypted, you can't even use
>>>> tools like ftp-proxy (in ports as ftp/ftp-proxy) to extract transient
>>>> port numbers by deep packet inspection. As far as your users are
>>>> concerned, just use SFTP. It behaves exactly like an ordinary FTP
>>>> client, but the underlying SSH protocol over the network is way, way
>>>> better designed.
>>>
>>> Well, the problem I have here is at the server side: ftp users can be
>>> locked in a particular subtree of the file system by simply assigning
>>> them a chrooted login class. No need to set up any infrastructure in
>>> that subtree itself. Did not find out how to do this with sftp (we only
>>> allow publickey authentication with ssh at our servers)
>>>
>>> Wolfgang
>>
>>
>> It is possible.
>>
>> See the chroot configuration in the man-page for sshd_config
>>
>> If you have a sufficiently complete chroot-environment, you can even do chroot'ed ssh login sessions.
>
> It is possible, but some of the limitations of it are infuriating and
> unrealistic for certain environments. I just went through working with
> a friend of mine (on a Linux system) setting this up so that one of his
> clients had SFTP access chroot'd but *without* all the "copy /dev and
> random libraries and other crap" nonsense that is often required.

We use NULLFS mounts for that.
In most cases, we need that for php-fpm chroot anyway...

> It
> worked, but the one limitation that we kept having to "find workarounds
> for" was this:
>
> All components of the pathname must be root-owned directories that
> are not writable by any other user or group.
>

Yep.
If you need sub-dir access a la "I have this 3rd-party user who supplies data to us in this subdirectory", you either have to set up a specific upload-area where you copy stuff in or out, or just leave SFTP out of the equation right away.

> Oh, and if your system doesn't have remote serial console or way to get
> in if sshd doesn't like some of your sshd_config adjustments, I
> recommend running a separate instance on a separate port (if firewalls
> are involved deal with that too) so you have a way to get in, in the
> case standard port 22 stops working. (This did happen during the
> aforementioned story, and my friend was quite happy that I had told him
> to set that up prior. ;-) )

Running FreeBSD in VMware did help to set this up, admittedly ;-)

Rainer
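An added example (not from the thread and not OpenSSH's own code) that encodes the rule Jeremy quotes from sshd_config(5): walk a ChrootDirectory path component by component and report every component that is not a root-owned directory free of group/world write permission, so the mistake is caught before sshd is reloaded rather than at the user's login. The sample tree, the `stat_fn` hook and uid 1001 are constructed for the demo; passing a real path with the default `os.stat` checks a live system.

```python
"""Pre-flight check for sshd's ChrootDirectory rule: every path component must
be a root-owned directory that is not writable by group or others."""
import os
import stat
from typing import Callable, Dict, List, Tuple

def path_components(path: str) -> List[str]:
    """'/home/sftp/upload' -> ['/', '/home', '/home/sftp', '/home/sftp/upload']."""
    path = os.path.normpath(path)
    if not path.startswith("/"):
        raise ValueError("ChrootDirectory must be an absolute path: %r" % path)
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]

def check_chroot_path(path: str, stat_fn: Callable[[str], os.stat_result] = os.stat) -> List[str]:
    """Return a list of violations; an empty list means sshd would accept the path."""
    problems = []
    for comp in path_components(path):
        st = stat_fn(comp)
        if not stat.S_ISDIR(st.st_mode):
            problems.append("%s: not a directory" % comp)
            continue
        if st.st_uid != 0:
            problems.append("%s: owned by uid %d, must be root" % (comp, st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append("%s: mode %04o is group/world writable" % (comp, stat.S_IMODE(st.st_mode)))
    return problems

# Constructed sample tree {path: (uid, mode)} standing in for a real filesystem:
# /home/sftp is a valid chroot target, while the user's own writable upload
# directory below it is exactly the component sshd refuses to chroot into.
SAMPLE_TREE: Dict[str, Tuple[int, int]] = {
    "/": (0, 0o755),
    "/home": (0, 0o755),
    "/home/sftp": (0, 0o755),
    "/home/sftp/upload": (1001, 0o775),
}

def fake_stat(tree: Dict[str, Tuple[int, int]]) -> Callable[[str], os.stat_result]:
    """Build a stat() replacement that answers from the sample tree."""
    def _stat(path: str) -> os.stat_result:
        uid, mode = tree[path]
        return os.stat_result((stat.S_IFDIR | mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))
    return _stat

if __name__ == "__main__":
    for p in ("/home/sftp", "/home/sftp/upload"):
        print(p, "->", check_chroot_path(p, fake_stat(SAMPLE_TREE)) or "ok")
```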