From: "Aggelis Aggelis"
To: "Gorobets Igor"
Cc: freebsd-questions@freebsd.org
Date: Wed, 8 Nov 2006 14:39:57 +0200
Subject: Re: ftp over ssh
In-Reply-To: <20061108094550.GA26361@mail.it-geeks.kiev.ua>

On 11/8/06, Gorobets Igor wrote:
> Hello. How correctly to adjust this miracle? :-)

From http://forums.serverbeach.com/archive/index.php/t-2179.html:

"FTP is insecure. Passwords are sent in plaintext for anyone to snoop. SFTP is secure, but to use SFTP you generally have to give a user SSH access. Which is not always desirable. So, to give a user SFTP access without SSH access, set their shell to /usr/libexec/openssh/sftp-server instead of /bin/sh or /bin/bash. If your sftp-server is not there, use locate sftp-server to find it."

In FreeBSD, sftp-server is located in the /usr/libexec directory.

Another solution is to use rssh (meaning restricted ssh).

From the rssh FAQ:

"Q: Why did you write this software?

A: Mainly, because the question of how to restrict access to scp or sftp only kept coming up on a few different mailing lists I was on at the time... Several people made some suggestions (like using a shell script as the user's shell) which sort of work, but aren't terribly secure or reliable. The commercial SSH product has a program to do this, but OpenSSH does not. Joe Boyle has a similar program called scponly, which at the time I looked at it had some security problems, though they have since been fixed... It does currently have some functionality that rssh does not (namely it works with WinSCP; see below), and some that it never will have (more on that in a moment). Obviously I prefer the way I've implemented my program, or else I wouldn't have written it. =8^)

I did not write this program for my own use; I do not use it today, nor have I ever (though obviously I would if the occasion arose). At the time, I was bored, and I thought this project would be amusing and educational, as well as fill a gap. Please keep this in mind when asking for support.
Odds are I'll give it pretty quickly if I've got a free minute, but what you get is what you get, and I won't lose sleep over slow response time. You've been warned."

Personally, I prefer the first solution from a security viewpoint because sftp-server is written by the OpenSSH team.

Any comments on the above solutions are welcomed.
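
An added example, not part of the original message: a small sh audit that reports which accounts in a passwd(5)-format file are confined to the two file-transfer-only shells discussed above and which still get an interactive shell. The sample entries are constructed, and the rssh path /usr/local/bin/rssh is an assumption (a typical ports install location).

```shell
#!/bin/sh
# Added example: classify login shells in a passwd(5)-format file.
# /usr/libexec/sftp-server is the FreeBSD location named in the message;
# /usr/local/bin/rssh is an assumed install path for rssh.
SFTP_SHELL="/usr/libexec/sftp-server"
RSSH_SHELL="/usr/local/bin/rssh"

# Constructed sample data (not from a real system).
sample_passwd() {
cat <<'EOF'
# constructed sample entries
root:*:0:0:Charlie &:/root:/bin/csh
upload1:*:1001:1001:SFTP only:/home/upload1:/usr/libexec/sftp-server
upload2:*:1002:1002:rssh user:/home/upload2:/usr/local/bin/rssh
dev1:*:1003:1003:Developer:/home/dev1:/bin/sh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
noshell:*:1004:1004:Empty shell field:/home/noshell:
EOF
}

# classify_shells: read passwd lines on stdin, print "user kind" pairs.
# An empty shell field means /bin/sh, so it is reported as interactive.
classify_shells() {
    awk -F: -v sftp="$SFTP_SHELL" -v rssh="$RSSH_SHELL" '
        /^#/ || NF < 7 { next }      # skip comments and malformed lines
        {
            shell = $7
            if (shell == sftp)                 kind = "sftp-only"
            else if (shell == rssh)            kind = "rssh"
            else if (shell ~ /\/nologin$/ || shell ~ /\/false$/)
                                               kind = "no-login"
            else                               kind = "interactive"
            print $1, kind
        }'
}

# interactive_users: names of accounts that still get a real shell.
interactive_users() {
    classify_shells | awk '$2 == "interactive" { print $1 }'
}

sample_passwd | classify_shells
```

On a live system, feed it the real file instead of the sample, for example `interactive_users < /etc/passwd`.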