Deprecating ftpd in the FreeBSD base system?

sthaug at nethelp.no
Wed Sep 16 18:07:43 UTC 2020


> FTP is (becoming?) a legacy protocol, and I think it may be time to
> remove the ftp server from the FreeBSD base system - with the recent
> security advisory for ftpd serving as a reminder.
> 
> I've proposed adding a deprecation notice to the man page in
> https://reviews.freebsd.org/D26447 to start this off. There are a
> number of ftp servers in ports, and if we're going to remove the base
> system one we can create a port for it first, as well.
> 
> Any comments or concerns, please follow up in the code review or in email here.

Could we, at the same time, improve the documentation for sftp? I had
to move an FTP server (with one chrooted user) from FTP to sftp today.
I did:

1. Add sftp user to /etc/passwd, with /usr/sbin/nologin as the shell.
2. Patch sshd config as follows:

--- etc/ssh/sshd_config.orig	2018-06-16 22:04:20.868762000 +0200
+++ etc/ssh/sshd_config	2020-09-16 10:10:53.133211000 +0200
@@ -112,7 +112,7 @@
 #Banner none
 
 # override default of no subsystems
-Subsystem	sftp	/usr/libexec/sftp-server
+Subsystem	sftp	internal-sftp -l INFO
 
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
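
Review bot: the replacement Subsystem line in this hunk is global, so the switch to internal-sftp and the -l INFO logging apply to every account that uses sftp, not only the chrooted one. The Match block added further down already sets ForceCommand internal-sftp -l INFO for user sftp, so it is worth stating in a comment above this line whether the global change is intended, or leaving the line alone if only that user is meant to change.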
@@ -120,3 +120,8 @@
 #	AllowTcpForwarding no
 #	PermitTTY no
 #	ForceCommand cvs server
+Match User sftp
+ChrootDirectory	/usr/local/ftp/sftp
+ForceCommand internal-sftp -l INFO
+X11Forwarding no
+AllowTcpForwarding no
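
Review bot: the new Match User sftp block at the end of the file is unindented and has no comment, unlike the commented example just above it, and a Match block runs until the next Match line or the end of the file, so any directive appended below it later will apply only to user sftp. Suggest indenting the four directives under the Match line and adding a comment that marks the block; the example above also lists PermitTTY no, which would fit an sftp-only account.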

3. Ensure all levels of /usr/local/ftp/sftp are owned by root.
4. Create /usr/local/ftp/sftp/dev and add the following line to
/etc/rc.conf:

syslogd_flags="-s -l /usr/local/ftp/sftp/dev/log"

Btw, I could not get /usr/libexec/sftp-server to work. Cryptic error
message: "Received message too long 1416128883". Googling that one
eventually led me to the internal-sftp subsystem and the rest of the
sshd_config changes. The sshd_config man page is good, but I couldn't
find anything about arguments (e.g. -l) for internal-sftp.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no
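
The ownership requirement in step 3, as an added check that is not part of the original message: a Python script that walks every level of a ChrootDirectory path and reports any component that is not a root-owned directory or is group/world writable, the condition sshd_config(5) states for ChrootDirectory. The function names and the owner_uid parameter are this example's own; the default path is the one used in the message.

```python
import os
import stat
import sys

def components(path):
    """Return every prefix of an absolute path, from "/" down to the path itself."""
    parts = [p for p in os.path.normpath(path).split(os.sep) if p]
    out = ["/"]
    for part in parts:
        out.append(os.path.join(out[-1], part))
    return out

def check_component(path, owner_uid=0):
    """Return a list of problems for one path component (empty list means OK)."""
    try:
        st = os.stat(path)  # follows symlinks, so the link target is what gets judged
    except OSError as exc:
        return [f"{path}: cannot stat ({exc.strerror})"]
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append(f"{path}: not a directory")
    if st.st_uid != owner_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        mode = stat.S_IMODE(st.st_mode)
        problems.append(f"{path}: mode {mode:04o} is group/world writable")
    return problems

def check_chroot(path, owner_uid=0):
    """Check every level of a ChrootDirectory path and return all problems found."""
    if not os.path.isabs(path):
        return [f"{path}: expected an absolute path"]
    problems = []
    for comp in components(path):
        problems.extend(check_component(comp, owner_uid))
    return problems

if __name__ == "__main__":
    # Default target is the ChrootDirectory from the sshd_config patch above.
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/ftp/sftp"
    found = check_chroot(target)
    for line in found:
        print(line)
    sys.exit(1 if found else 0)
```

An exit status of 0 with no output means every level passed; each printed line names the component to fix with chown or chmod.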

