sftp and ftp servers access only

login at istop.com
Wed Dec 10 01:47:30 PST 2003


Hello all,

Here is our environment:

1. FreeBSD 5.1-RELEASE
2. proftpd running and a user account called 'sandy' is chrooted and working fine.
3. sshd version OpenSSH_3.6.1p1 FreeBSD-20030423 with DenyUsers for user account
   'sandy'. Tested, sandy cannot ssh to the system. This is also desired.

# grep DenyUsers /etc/ssh/sshd_config

DenyUsers sandy

The setup we want is to have the following:

A. User can ftp.
B. User can sftp but not ssh.
C. User can only sftp to the same chroot'ed directory which is also used
   for ftp.
   
Here A is fine. B is not, as DenyUsers does not let 'sandy' use
sftp-server, defined in /etc/ssh/sshd_config as follows:

Subsystem       sftp    /usr/libexec/sftp-server

If I remove the user 'sandy' from DenyUsers, it does let him
use both ssh and sftp sessions. This is working as designed.

To make things more complicated, I copied /sbin/nologin to
/sbin/ftponly, placed it in /etc/shells and removed 'sandy' from DenyUsers.
He initializes an ssh session and ends up getting
"This account is currently not available.", which is good and is also verified in the
/var/log/auth.log file as:

Dec 10 04:41:11 ftp sshd[783]: Accepted password for sandy from x.x.x.x port 1287 ssh2
Dec 10 04:41:11 ftp sshd[785]: session_input_channel_req: no session 0 req window-change

and when starting an sftp session, no success either; /var/log/auth.log indicates:

Dec 10 04:44:07 ftp sshd[789]: Accepted password for sandy from x.x.x.x port 1296 ssh2
Dec 10 04:44:07 ftp sshd[791]: subsystem request for sftp

Moral of the story: Is it possible, with the above environment, for a system to act as
an ftp and sftp server only, at the same time? If it is, how does someone chroot the
environment in the sftp session, like proftpd does with DefaultRoot set to the same directory?

Thank you for reading my first letter to this list!

|   |
|   |
|===|
|___|
 ).(
 \|/   S. Mohammad        [login at istop.com]
  '--- Who taught by the pen [96.04 Qur'an]
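As an added example, not part of the original post: a small wrapper login shell that could replace the copied /sbin/nologin at /sbin/ftponly, refusing interactive logins while still letting sshd run the sftp subsystem (point B). It assumes the stock sshd behaviour of running a subsystem through the user's shell as `<shell> -c /usr/libexec/sftp-server`, and it does not chroot the sftp session (point C), which OpenSSH 3.6.1p1 does not provide by itself.

```shell
#!/bin/sh
# /sbin/ftponly (assumed path, matching the post): a login shell that refuses
# interactive logins but lets sshd start the sftp subsystem.
# OpenSSH runs a subsystem through the user's login shell as
#   <shell> -c /usr/libexec/sftp-server
# so an exact match on those two arguments is the only thing allowed.

SFTP_SERVER=/usr/libexec/sftp-server   # the Subsystem path from sshd_config

# sftp_only_decide "$@": print "allow" (return 0) when the arguments are
# exactly "-c $SFTP_SERVER", otherwise print "deny" (return 1).
# No extra arguments, no other commands, no interactive login (no args).
sftp_only_decide() {
    if [ "$#" -eq 2 ] && [ "$1" = "-c" ] && [ "$2" = "$SFTP_SERVER" ]; then
        echo allow
        return 0
    fi
    echo deny
    return 1
}

# Entry point, taken only when running as the installed login shell:
# sshd invokes it as "-ftponly" (login) or "ftponly" (subsystem request).
# Sourcing the file under any other name only defines the function above.
case "$0" in
    *ftponly)
        if sftp_only_decide "$@" >/dev/null; then
            exec "$SFTP_SERVER"
        fi
        echo "This account is currently not available." >&2
        exit 1
        ;;
esac
```

Install it with `chsh -s /sbin/ftponly sandy` after it is listed in /etc/shells; with this shell an interactive login logs the "Accepted password" line from the post and then the denial, while `sftp sandy@host` reaches sftp-server.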

More information about the freebsd-questions mailing list