FTPS Server?
Hans Snehl
lists at sylac.de
Sun Jan 8 21:27:15 UTC 2012
On Thu, Jan 05, 2012 at 04:37:24PM +0100, Wolfgang Zenker wrote:
> Hi everyone,
>
> * Matthew Seaman <m.seaman at infracaninophile.co.uk> [120105 14:38]:
> > On 05/01/2012 12:47, Karl Denninger wrote:
> >> Not SFTP (which is supported by the sshd) but FTPS.... is it supported
> >> by FreeBSD?
>
> > No, not supported in the base system.
>
> >> [..]
> > However, personally, I'd avoid FTPS. It suffers from most of the design
> > flaws of standard FTP[*], particularly as regards passing through
> > firewalls. Worse, because the traffic is encrypted, you can't even use
> > tools like ftp-proxy (in ports as ftp/ftp-proxy) to extract transient
> > port numbers by deep packet inspection. As far as your users are
> > concerned, just use SFTP. It behaves exactly like an ordinary FTP
> > client, but the underlying SSH protocol over the network is way, way
> > better designed.
>
> Well, the problem I have here is at the server side: ftp users can be
> locked in a particular subtree of the file system by simply assigning
> them a chrooted login class. No need to setup any infrastructure in
> that subtree itself. Did not find out how to do this with sftp (we only
> allow publickey authentication with ssh at our servers)
>
> Wolfgang
We do the following on a not-too-busy server with sftp and pubkey-only
authentication.
This might also alleviate the headaches expected to arise from
readable and possibly writable root-owned directories.
Given that sftp access is to be chrooted into user "someone"'s home
directory, that directory is owned by root (sftp wants that).
The actual chroot is $HOME/depot and sshd is to proceed according to
Match User someone
ChrootDirectory %h/depot
ForceCommand internal-sftp
Users are chrooted into $HOME/depot, so there is no access
to things like .ssh and so on, and for sftp users $HOME/depot
is read-only:
ro@# ls -la
total 6
drwxr-xr-x 4 root someone 4 Oct 14 15:23 .
drwxr-xr-x 4 root wheel 4 May 20 09:37 ..
drwx------ 2 someone someone 3 Oct 14 14:18 .ssh
drwxr-xr-- 3 root someone 4 Oct 28 07:43 depot
Creating another directory, e.g. 'upload', under depot with
owner 'someone' gives sftp users write access in 'upload'.
ro# ls -la depot/
total 6
drwxr-xr-- 3 root someone 4 Oct 28 07:43 .
drwxr-xr-x 4 root someone 4 Oct 14 15:23 ..
-rw-r--r-- 1 root someone 55 Oct 27 18:08 bt1hash
drwxr-xr-x 2 someone someone 3 Oct 28 07:44 upload
Might fit your needs.
Hans
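The layout Hans describes, as an added example that is not part of the original post: a POSIX sh script that prints the sshd_config Match block, builds the directory tree (root-owned home and depot, user-owned upload box), and checks the two things that make or break the scheme: sshd refuses a ChrootDirectory unless it and every ancestor are owned by root and not group- or world-writable, and the drop box must be owned by the sftp user. The user name "someone", the home path /home/someone and the "upload" name are assumptions taken from the post; the `setup_sftp_chroot` function needs root, the check functions do not.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post): lay out and verify
# the chroot structure described above for an internal-sftp user.
# Assumptions (mine, not the post's): user "someone", home /home/someone,
# writable drop box named "upload".

SFTP_USER="${SFTP_USER:-someone}"
SFTP_HOME="${SFTP_HOME:-/home/$SFTP_USER}"

# Print the sshd_config fragment. %h expands to the user's home, so the
# chroot is $HOME/depot; ForceCommand keeps the user on the in-process sftp
# server, so no shell or binaries are needed inside the chroot.
sshd_match_block() {
    printf 'Match User %s\n' "$1"
    printf '    ChrootDirectory %%h/depot\n'
    printf '    ForceCommand internal-sftp\n'
}

# Owner uid and mode string of a path via POSIX `ls -ldn`, which behaves the
# same on FreeBSD and Linux (GNU and BSD `stat` take different flags).
owner_and_mode() {
    set -- $(ls -ldn "$1")
    printf '%s %s\n' "$3" "$1"
}

# Walk from the chroot up to /. Every component must be owned by root (uid 0)
# and must not be group- or world-writable, or sshd rejects the login.
# Returns 0 if the chain is acceptable, 1 on the first offending component.
path_is_sane_for_chroot() {
    p=$1
    case $p in /*) ;; *) echo "need an absolute path: $p" >&2; return 2 ;; esac
    while :; do
        set -- $(owner_and_mode "$p")
        uid=$1 mode=$2
        if [ "$uid" != 0 ]; then
            echo "chroot chain: $p is owned by uid '$uid', not root" >&2
            return 1
        fi
        case $mode in
            ?????w*|????????w*)   # position 6 = group write, 9 = other write
                echo "chroot chain: $p is group- or world-writable ($mode)" >&2
                return 1 ;;
        esac
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# The drop box must exist, be owned by the sftp user and be owner-writable;
# it is the only place internal-sftp can create files.
upload_dir_ok() {
    dir=$1 want_uid=$2
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    set -- $(owner_and_mode "$dir")
    [ "$1" = "$want_uid" ] || { echo "$dir: owned by uid $1, want $want_uid" >&2; return 1; }
    case $2 in
        ??w*) return 0 ;;        # position 3 = owner write
        *) echo "$dir: not owner-writable ($2)" >&2; return 1 ;;
    esac
}

# Build the tree from the post. Must run as root. The home is chowned to
# root on purpose; .ssh stays owned by the user for publickey auth but sits
# outside the chroot, so sftp users never see it.
setup_sftp_chroot() {
    user=$1 home=$2
    install -d -o root   -g "$user" -m 0755 "$home"                  # root-owned, as sshd wants
    install -d -o root   -g "$user" -m 0754 "$home/depot"            # the chroot, read-only to the user
    install -d -o "$user" -g "$user" -m 0755 "$home/depot/upload"    # the only writable spot
    install -d -o "$user" -g "$user" -m 0700 "$home/.ssh"            # outside the chroot
}

# Usage: ./sftp-chroot.sh setup   (as root)   or   ./sftp-chroot.sh check
case "${1:-}" in
    setup) setup_sftp_chroot "$SFTP_USER" "$SFTP_HOME" && sshd_match_block "$SFTP_USER" ;;
    check) path_is_sane_for_chroot "$SFTP_HOME/depot" &&
           upload_dir_ok "$SFTP_HOME/depot/upload" "$(id -u "$SFTP_USER")" &&
           echo "layout ok for $SFTP_USER" ;;
esac
```

Run `check` after editing sshd_config and before restarting sshd; a home directory that is still owned by the user is the usual reason a ChrootDirectory login fails with "bad ownership or modes" in the sshd log.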