On Mon, Jan 06, 2014 at 03:47:59PM -0600, Bob Goldberg wrote:
> On Sat, Jan 4, 2014 at 7:26 AM, Sven Hoexter <s...@timegate.de> wrote:
>
> > I'm not sure how the OpenSSH implementation handles ACLs, maybe that's
> > an option but I did not test it.
>
> my first problem is successfully logging in with sftp-only and chroot'ing
> in place. AFAIK - ACLs would only come into play afterward.

Yes, but that should work. I read your mail as it does not work if you
change the $HOME to group writeable or something like that. I did not
verify that case at all. So I would start with setting it up user access
only and try to add ACLs to make it group writeable or whatever is
required later on.

> proftpd:
> 1) wheezy does not have an sftp module

No,

$ cat /etc/debian_version
7.3
$ dpkg -L proftpd-basic|grep sftp
/usr/lib/proftpd/mod_sftp.so
/usr/lib/proftpd/mod_sftp_sql.so
/usr/lib/proftpd/mod_sftp_pam.so

> 2) proftpd appears to rely on openssh for sftp, so appears to add no value.

No, it's a standalone implementation.

> 3) IF proftpd did provide working sftp - appears that it can not share port
> 22 w/ openssh (which i do still need for full-access users unrelated to
> SFTP).

True, you can of course do nasty quirks with iptables to NAT to different
ports depending on the source IP. But that is really nasty.

> scponly: does not appear to be provided in wheezy !?!? can't find out
> why....

[Date: Mon, 23 Jan 2012 22:09:19 +0000] [ftpmaster: Luca Falavigna]
Removed the following packages from unstable:

     scponly |    4.8-4.1 | source, amd64, armel, armhf, hurd-i386, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, sparc
scponly-full |    4.8-4.1 | amd64, armel, armhf, hurd-i386, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, sparc

Closed bugs: 650590

------------------- Reason -------------------
RoQA; RC buggy, unmaintained, replacement exists
----------------------------------------------

from https://ftp-master.debian.org/removals-2012.txt

Though nothing prohibits you from building a package based on the last
version found on snapshot.debian.org or just use the source Luke. ;)

> rssh/rush:
> 1) not sure what is: diff rssh rush (searches come up worthless to answer
> this)

Different implementation/software for a similar/same task.

> 3) "mixed security record" is a big concern.

Well I can mostly speak for the scponly case: Parsing command line arguments
in a safe way for different tools like svn, rsync etc. is hard. If you
disable most of that and only stick to the sftp support it's quite solid.

Still, if I have a chance I would try to rely on the internal-sftp and
chroot() functionality of OpenSSH.

Sven
-- 
we live we love we learn and breathe
each breath we take makes me believe
that we can take this road forever
if we take this road together
[ AZ0 - Endless Roads ]


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20140107094032.ga3...@timegate.de