Date:      Sun, 8 Jan 2012 20:13:46 +0100
From:      Rainer Duffner <rainer@ultra-secure.de>
To:        Jeremy Chadwick <freebsd@jdc.parodius.com>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: FTPS Server?
Message-ID:  <28CC275C-F2BD-44BB-B75D-857A004E8C65@ultra-secure.de>
In-Reply-To: <20120105192634.GA69685@icarus.home.lan>
References:  <4F059BEA.3000508@denninger.net> <4F05A7D5.8000403@infracaninophile.co.uk> <20120105153724.GA91242@lyxys.ka.sub.org> <8B259221-6A70-4D3C-ABA7-D74B2C9F9F14@ultra-secure.de> <20120105192634.GA69685@icarus.home.lan>


On 05.01.2012 at 20:26, Jeremy Chadwick wrote:

> On Thu, Jan 05, 2012 at 05:16:43PM +0100, Rainer Duffner wrote:
>> 
>> On 05.01.2012 at 16:37, Wolfgang Zenker wrote:
>> 
>>> Hi everyone,
>>> 
>>> * Matthew Seaman <m.seaman@infracaninophile.co.uk> [120105 14:38]:
>>>> On 05/01/2012 12:47, Karl Denninger wrote:
>>>>> Not SFTP (which is supported by the sshd) but FTPS.... is it supported
>>>>> by FreeBSD?
>>> 
>>>> No, not supported in the base system.
>>> 
>>>>> [..]
>>>> However, personally, I'd avoid FTPS.  It suffers from most of the design
>>>> flaws of standard FTP[*], particularly as regards passing through
>>>> firewalls.  Worse, because the traffic is encrypted, you can't even use
>>>> tools like ftp-proxy (in ports as ftp/ftp-proxy) to extract transient
>>>> port numbers by deep packet inspection.  As far as your users are
>>>> concerned, just use SFTP.  It behaves exactly like an ordinary FTP
>>>> client, but the underlying SSH protocol over the network is way, way
>>>> better designed.
>>> 
>>> Well, the problem I have here is at the server side: ftp users can be
>>> locked in a particular subtree of the file system by simply assigning
>>> them a chrooted login class. No need to set up any infrastructure in
>>> that subtree itself. Did not find out how to do this with sftp (we only
>>> allow publickey authentication with ssh at our servers)
>>> 
>>> Wolfgang
>> 
>> 
>> It is possible.
>> 
>> See the chroot configuration in the man-page for sshd_config
>> 
>> If you have a sufficiently complete chroot-environment, you can even do chroot'ed ssh login sessions.
> 
> It is possible, but some of the limitations of it are infuriating and
> unrealistic for certain environments.  I just went through working with
> a friend of mine (on a Linux system) setting this up so that one of his
> clients had SFTP access chroot'd but *without* all the "copy /dev and
> random libraries and other crap" nonsense that is often required.


We use NULLFS mounts for that.
In most cases, we need that for php-fpm chroot anyway...


>  It
> worked, but the one limitation that we kept having to "find workarounds
> for" was this:
> 
>   All components of the pathname must be root-owned directories that
>   are not writable by any other user or group.
> 


Yep.
If you need sub-dir access a la "I have this 3rd-party user who supplies data to us in this subdirectory", you either have to set up a specific upload-area where you copy stuff in or out, or just leave SFTP out of the equation right away.


> Oh, and if your system doesn't have remote serial console or way to get
> in if sshd doesn't like some of your sshd_config adjustments, I
> recommend running a separate instance on a separate port (if firewalls
> are involved deal with that too) so you have a way to get in, in the
> case standard port 22 stops working.  (This did happen during the
> aforementioned story, and my friend was quite happy that I had told him
> to set that up prior.  ;-) )



Running FreeBSD in VMware did help to set this up, admittedly ;-)





Rainer
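The chroot ownership rule quoted in this thread is the one that bites in practice, so here is an added example (not code from the thread or from OpenSSH) that walks each component of a prospective ChrootDirectory and reports which one breaks the rule; the stat lookup is swappable so the same check runs against constructed sample data, and the default path /home/ftp is an assumption.

```python
# Added example (not from the thread or OpenSSH): audits the rule sshd
# enforces on ChrootDirectory: every path component must be a root-owned
# directory that is not writable by group or others.
import os
import stat
from pathlib import PurePosixPath

def path_components(path):
    """Return every prefix of an absolute path, root first: "/", "/home", "/home/ftp"."""
    p = PurePosixPath(path)
    if not p.is_absolute():
        raise ValueError("ChrootDirectory must be an absolute path")
    return [str(x) for x in list(p.parents)[::-1] + [p]]

def check_component(path, st):
    """Return the problems with one component, given a stat-like result (st_mode, st_uid)."""
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append(f"{path}: not a directory")
    if st.st_uid != 0:
        problems.append(f"{path}: owned by uid {st.st_uid}, must be owned by root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path}: writable by group or others (mode {stat.S_IMODE(st.st_mode):04o})")
    return problems

def check_chroot_path(path, stat_fn=os.stat):
    """Collect every violation along a prospective ChrootDirectory (empty list = OK).
    stat_fn defaults to os.stat; pass another callable to audit constructed data offline."""
    problems = []
    for comp in path_components(path):
        problems.extend(check_component(comp, stat_fn(comp)))
    return problems

def table_stat(table):
    """Build a stat_fn from {path: (mode, uid)} so the check runs on constructed data."""
    class Entry:
        def __init__(self, mode, uid):
            self.st_mode, self.st_uid = mode, uid
    return lambda p: Entry(*table[p])

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/home/ftp"  # assumed default path
    try:
        issues = check_chroot_path(target)
    except OSError as exc:
        sys.exit(f"cannot stat {exc.filename}: {exc.strerror}")
    print("\n".join(issues) or f"{target}: satisfies the ChrootDirectory rule")
```

The usual fix for a failing component is to keep the chroot root itself root-owned and mode 755 and give the user a writable subdirectory beneath it, which is the "specific upload-area" layout mentioned above.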




