FTP Server for individual client spaces
steve at ibctech.ca
Fri Jul 10 14:30:13 UTC 2009
RS Wood wrote:
> I run a small engineering company* that exchanges large files (CAD,
> etc.) with clients, and I want to keep the docs off my email server by
> setting up a stand alone FTP server where each client can upload and
> download its relevant files. As such, my own users/employees should be
> able to reach every client's FTP space but each client should only be
> able to reach his own. As my users finish a doc, they place it in that
> client's FTP directory and the client can log in and get it. As such,
> I don't want any form of unauthenticated FTP.
> I've tried different combinations of group names and directory
> permissions without success, but chrooting users doesn't seem to solve
> my problem either, and my two favorite BSD books – Tiemann et. al.
> (Unleashed) and Lucas (Absolute) take the same approach the man pages
> do, in my opinion, which guides you either into an all anonymous system,
> or a system suitable for organizations such as software distributors in
> which clients/users authenticate but then all access the same directory
> (/pub for example). I could use some help conceptualizing this.
> Is the solution ftpchroot?
It works for us, for the users who still need FTP access:
# cp /sbin/nologin /sbin/ftp-only
# echo "/sbin/ftp-only" >> /etc/shells
homedir == /ftp/username
shell == /sbin/ftp-only
# cd /ftp/username
# rm -r .*
# echo "username" >> /etc/ftpchroot
Now, you can create staff accounts in the same way, but set their home
directory as /ftp. They'll be able to traverse the entire FTP tree from
there. Just ensure that the /ftp directory structure is owned by a group
that your staff accounts are in, and that all of the sub directories are
modded with appropriate permissions.
> If so, it's not clear how I can chroot
> each potential client into his own directory, as my understanding is
> that all chrooted users wind up at the same place (like /var/ftp/pub).
> Or is the solution that each client gets access to his own home
Yes, each to their own home dir.
> if so, how do I ensure my staff has access to each client's
> home directory?
I'm assuming that your staff will be using FTP as well. Simply assign
their home directory to the root FTP directory.
> Lastly, I've also been reading up on PureFTP, which
> seems to have some advanced configuration potential (including LDAP
> authentication, something else that interests me) but it's not clear
> that using an alternative product is indicated here.
> This seems like something other organizations must have dealt with, so I
> must be missing something fundamental. Can someone point me in the
> right direction?
> Finally, I'm aware FTP has inherent security liabilities as passwords
> cross the net in clear text, but I'm not convinced casual users on
> Windows boxes will be able to manage fun stuff like SSH connections or
> alternative software, like SCP.
Provide them a link to a client software that uses SFTP. I use WinSCP
(portable), which defaults to SFTP, and provides the server, username
and password fields as soon as it is launched.
Hope I didn't miss anything ;)
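An added example, not part of the original message: a small audit that checks copies of the passwd, ftpchroot and shells files against the layout described in the reply (client home /ftp/username, shell /sbin/ftp-only, client listed in ftpchroot). The function names and the sample accounts are made up for illustration, and the passwd file is assumed to be in the 7-field /etc/passwd format.

```shell
#!/bin/sh
FTP_SHELL=/sbin/ftp-only   # shell name used in the message
FTP_ROOT=/ftp              # client homes are $FTP_ROOT/<username>

# audit_ftp PASSWD FTPCHROOT SHELLS: print one finding per line and
# return 0 when the three files agree with the layout, 1 otherwise.
audit_ftp() {
    # First check: the ftp-only shell must be listed in the shells file.
    findings=$(
        grep -qxF "$FTP_SHELL" "$3" || echo "shells: $FTP_SHELL not listed"
        awk -F: -v sh="$FTP_SHELL" -v root="$FTP_ROOT" -v cf="$2" '
            BEGIN {   # read login names only; skip blanks, comments, @group lines
                while ((getline line < cf) > 0) {
                    split(line, f, " ")
                    if (f[1] != "" && f[1] !~ /^[#@]/) jailed[f[1]] = 1
                }
            }
            /^#/ || NF < 7 { next }
            { seen[$1] = 1 }
            $6 == (root "/" $1) {        # client account
                if (!($1 in jailed)) print $1 ": home under " root " but not in ftpchroot"
                if ($7 != sh) print $1 ": client shell is " $7
            }
            ($1 in jailed) && $6 != (root "/" $1) && $6 != root {
                print $1 ": jailed into " $6 ", outside the expected layout"
            }
            END { for (u in jailed) if (!(u in seen)) print u ": in ftpchroot, no passwd entry" }
        ' "$1"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# demo: run the audit over constructed sample files, not real accounts.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'acme:*:2001:2000:Client:/ftp/acme:/sbin/ftp-only' \
        'globex:*:2002:2000:Client:/ftp/globex:/bin/sh' \
        'alice:*:1001:1000:Staff:/ftp:/sbin/ftp-only' > "$d/passwd"
    printf '%s\n' acme alice ghost > "$d/ftpchroot"
    printf '%s\n' /bin/sh /sbin/ftp-only > "$d/shells"
    rc=0; audit_ftp "$d/passwd" "$d/ftpchroot" "$d/shells" || rc=$?
    rm -rf "$d"
    return "$rc"
}
```

On a live system the call would be `audit_ftp /etc/passwd /etc/ftpchroot /etc/shells`; in the demo, globex is the case to catch, a client with a home under /ftp that has a login shell and is not chrooted.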