sftp and ftp servers access only

Edward Epstein peepstein at canada.com
Wed Dec 10 05:11:22 PST 2003


Lines prefixed with ">" are what login at istop.com wrote.

>Hello all,
>
>Here is our environment:
>
>1. FreeBSD 5.1-RELEASE
>2. proftpd running and a user account called 'sandy' is chrooted and working
>   fine.
>3. sshd version OpenSSH_3.6.1p1 FreeBSD-20030423 with DenyUsers for
>   user account 'sandy'. Tested, sandy can not ssh to the system. This is also
>   desired.
>
># grep DenyUsers /etc/ssh/sshd_config
>
>DenyUsers sandy
>
>The setup we want is to have the following:
>
>A. User can ftp.
>B. User can sftp but not ssh.
>C. User can only sftp to the same chroot'ed directory which is also used
>   for ftp.
>
>Here A is fine. B is not, as DenyUsers does not let 'sandy' use the
>sftp-server defined in /etc/ssh/sshd_config as follows:
>
>Subsystem       sftp    /usr/libexec/sftp-server
>
>If I remove the user 'sandy' from DenyUsers, it does let him
>use both ssh and sftp sessions. This is working as designed.
>
>To make things more complicated, I copied /sbin/nologin to
>/sbin/ftponly, placed it in /etc/shells and removed 'sandy' from
>DenyUsers. He initiates an ssh session and ends up getting
>"This account is currently not available." which is good and also verified
>in the /var/log/auth.log file as:
>
>Dec 10 04:41:11 ftp sshd[783]: Accepted password for sandy from x.x.x.x port 1287 ssh2
>Dec 10 04:41:11 ftp sshd[785]: session_input_channel_req: no session 0 req window-change
>
>and when starting an sftp session, no success either, and /var/log/auth.log
>indicates:
>
>Dec 10 04:44:07 ftp sshd[789]: Accepted password for sandy from x.x.x.x port 1296 ssh2
>Dec 10 04:44:07 ftp sshd[791]: subsystem request for sftp
>
>Moral of the story: Is it possible with the above environment that a system
>can act as an ftp and sftp server only, at the same time? If it possibly
>does, how does someone chroot the environment, like the DefaultRoot setting
>in proftpd, to the same directory in the sftp session?


Check out /usr/ports/shells/scponly. Make sure to compile it with chroot 
support, if that's what you want.

>Thank you for reading my first letter to this list!
>
>|===|
>|___|
>
> ).(
> \|/   S. Mohammad        [login at istop.com]
>  '--- Who taught by the pen [96.04 Qur'an]
>

-- 

"There are people who cheat on their spouse but not at cards, and vice versa, 
and both and neither. Reputation is not necessarily portable from one 
situation to another, and it's not easily expressed."
--Clay Shirkey. (http://www.shirky.com/writings/group_enemy.html)

"It has been said that man is a rational animal.  All my life I have
been searching for evidence which could support this."
--Bertrand Russell.

"The American empire is ideological, not territorial. We are the most 
ideological people in the world, and we are so united in our view that we 
don't understand there can be other views."
--Lt. Gen. William Odom, ret. (Former Director of NSA).
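The poster's auth.log shows exactly where sftp dies: sshd honours the subsystem request by running the user's login shell with "-c /usr/libexec/sftp-server", so a nologin-style shell prints its message and exits. The following is an added example of the restricted-shell idea that scponly implements (my own sketch, not the poster's setup and not scponly's code; the install path /usr/local/bin/sftponly is assumed): a POSIX sh login shell that admits only the sftp-server subsystem.

```shell
#!/bin/sh
# Added example, not from the thread or from scponly: a minimal sftp-only
# login shell. sshd runs a subsystem request as
#   $SHELL -c /usr/libexec/sftp-server
# so /sbin/nologin (or the /sbin/ftponly copy) prints its message and
# exits, which is why the poster's log stopped at "subsystem request for
# sftp". A shell that execs only sftp-server and refuses everything else
# passes sftp while still blocking interactive ssh logins and arbitrary
# commands. Assumed install path: /usr/local/bin/sftponly.

SFTP_SERVER=/usr/libexec/sftp-server   # Subsystem path from the poster's sshd_config

# sftp_only_check: validate the arguments sshd passed to the shell.
# Prints "allow" and returns 0 only for exactly "-c $SFTP_SERVER";
# prints a reason and returns 1 otherwise (interactive login, any other
# command, or extra text appended after the sftp-server path).
sftp_only_check() {
    if [ "$#" -eq 0 ]; then
        echo "deny: interactive login not permitted"
        return 1
    fi
    if [ "$#" -ne 2 ] || [ "$1" != "-c" ]; then
        echo "deny: unexpected arguments"
        return 1
    fi
    # Quoted pattern: exact string match, so "sftp-server; sh" is refused.
    case "$2" in
        "$SFTP_SERVER") echo "allow"; return 0 ;;
        *)              echo "deny: only $SFTP_SERVER may be started"; return 1 ;;
    esac
}

# Entry point when installed as the login shell (add the path to
# /etc/shells and chsh the user to it). Guarded by the script name so
# the file can also be sourced without running anything.
if [ "${0##*/}" = "sftponly" ]; then
    if sftp_only_check "$@" >/dev/null; then
        exec "$SFTP_SERVER"
    fi
    exit 1
fi
```

This only restricts what the shell will start; it does not provide the chroot the poster also wants, which is what the chroot build of scponly adds on top of the same idea.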


