Hi Karl,

I recently built a server (FreeBSD 8.2 with ZFS and Jails) that runs both SFTP 
(OpenSSH) and FTPS (data and control channels explicitly encrypted, a.k.a. 
FTPES).

Not that you will need it, but for SFTP, ezjail + sshd_enable + scponly works 
well.  In my opinion, using Jails is more elegant than doing a chroot config 
with scponly and sshd.  I thought otherwise until I started to actually 
implement it.

For an FTPS server I would strongly recommend vsftpd.  lftp is a good client to 
test with.

I've included a working vsftpd.conf below for FTPES.  For what you are doing, 
you may not need all of these parameters.  The pasv_ parameters are mostly only 
necessary if you need to serve data through a NAT/firewall.  The pasv_min_port 
and pasv_max_port will affect how many simultaneous connections can be 
supported by the server.  You may have to try various permutations depending on 
how EyeFi has implemented their client.  If you Google vsftpd.conf, you will 
probably find various sets of instructions for how to set it up for your needs.
It helps if you know exactly what the client is expecting.  There are a number 
of variations on the standard.  vsftpd can handle all of them I believe.  Also 
tools like tcpdump, wireshark, netstat and lsof are your friends here.

################################################################
# access control: system users only, no anonymous logins
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=077
dirmessage_enable=NO
xferlog_enable=YES
# dedicated unprivileged account the daemon uses when it needs no privileges
nopriv_user=ftpsecure
# confine each user to their home directory; secure_chroot_dir is an empty,
# non-writable directory used when no filesystem access is needed
chroot_local_user=YES
secure_chroot_dir=/usr/local/share/vsftpd/empty
listen=YES
background=YES
syslog_enable=YES
# TLS (explicit FTPES: the client sends AUTH TLS on the plain control channel)
ssl_enable=YES
debug_ssl=YES
rsa_private_key_file=<path-to-private-key>
rsa_cert_file=<path-to-valid-SSL-cert>
ca_certs_file=<path-to-CA-intermediate-cert>
# disable SSLv2/SSLv3, allow TLS
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
# refuse unencrypted logins and unencrypted data transfers for local users
force_local_logins_ssl=YES
force_local_data_ssl=YES
# client-compatibility relaxations: no TLS shutdown required at upload EOF,
# and data connections need not reuse the control channel's TLS session
strict_ssl_read_eof=NO
require_ssl_reuse=NO
# passive mode: advertise the NAT address and a fixed data-port range that the
# firewall forwards; the size of the range caps concurrent data connections
pasv_enable=YES
pasv_address=<external-NAT-address>
pasv_min_port=<fixed-TCP-port-range-min>
pasv_max_port=<fixed-TCP-port-range-max>
# a "/./" in the passwd home directory marks the chroot point
passwd_chroot_enable=YES
listen_address=<internal-IP-address>
# only users listed in userlist_file may log in
userlist_enable=YES
userlist_deny=NO
userlist_file=/usr/local/etc/vsftpd.user_list
# do not require the user's login shell to appear in /etc/shells
check_shell=NO
################################################################

Good luck,
Malcolm Waltz
Unix Systems Administrator III
Office of Information Technology
University of the Pacific
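The following is an added example, not code from the mail above, from vsftpd or from FreeBSD.  It audits a vsftpd.conf for the points Malcolm's config makes (no anonymous logins, SSLv2/SSLv3 off, TLS forced for logins and data, chroot, a fixed passive port range with pasv_address set) and reports the require_ssl_reuse=NO compatibility trade-off; it also computes how many concurrent data connections the pasv range allows.  SAMPLE_CONF, its 203.0.113.10 address and the 50000-50099 range are constructed for this example.  probe_ftpes() is the equivalent of the lftp test the mail suggests, written with Python's ftplib; it needs a live server and is not exercised offline.

```python
# Added example, not part of the original mail: audit a vsftpd.conf for the
# FTPES points raised above, plus a live probe of a running server.  SAMPLE_CONF
# is constructed for this example; its address, ports and values are made up.
import ftplib
import ssl

SAMPLE_CONF = """\
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
require_ssl_reuse=NO
pasv_enable=YES
pasv_address=203.0.113.10
pasv_min_port=50000
pasv_max_port=50099
"""

# (option, value this audit wants, severity when the file differs)
CHECKS = [
    ("anonymous_enable", "NO", "error"),
    ("ssl_enable", "YES", "error"),
    ("ssl_sslv2", "NO", "error"),
    ("ssl_sslv3", "NO", "error"),
    ("force_local_logins_ssl", "YES", "error"),
    ("force_local_data_ssl", "YES", "error"),
    ("chroot_local_user", "YES", "warning"),
    # YES makes each data connection prove it holds the control session's TLS
    # session; NO is a client-compatibility trade-off, so reported as info only.
    ("require_ssl_reuse", "YES", "info"),
]


def parse_vsftpd_conf(text):
    """Return {option: value}; vsftpd.conf is key=value lines plus '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def pasv_capacity(conf):
    """Concurrent passive data connections the fixed port range allows, or
    None when the range is unrestricted (vsftpd's default of 0)."""
    lo = int(conf.get("pasv_min_port", "0"))
    hi = int(conf.get("pasv_max_port", "0"))
    if lo == 0 or hi == 0:
        return None
    return hi - lo + 1


def audit(conf):
    """Return (severity, message) findings; an empty list means every check passed."""
    findings = []
    for opt, want, sev in CHECKS:
        have = conf.get(opt, "<unset>")
        if have.upper() != want:
            findings.append((sev, f"{opt}={have}, expected {want}"))
    if conf.get("pasv_enable", "YES").upper() == "YES":
        if pasv_capacity(conf) is None:
            findings.append(("warning", "pasv port range unrestricted; cannot pinhole the NAT/firewall"))
        if not conf.get("pasv_address"):
            findings.append(("warning", "pasv_address unset; PASV will advertise the internal address"))
    return findings


def probe_ftpes(host, port, user, password, cafile=None):
    """Live check against a running server (needs network; not run here).
    Returns (plain_login_rejected, names): with force_local_logins_ssl=YES
    vsftpd answers a plaintext USER/PASS with a 530 reply, and names is the
    directory listing fetched over AUTH TLS + PROT P (explicit FTPES)."""
    plain_rejected = False
    with ftplib.FTP() as ftp:
        ftp.connect(host, port, timeout=10)
        try:
            ftp.login(user, password)
        except ftplib.error_perm as exc:
            plain_rejected = str(exc).startswith("530")
    ctx = ssl.create_default_context(cafile=cafile)  # verifies the server certificate
    with ftplib.FTP_TLS(context=ctx) as ftp:
        ftp.connect(host, port, timeout=10)
        ftp.auth()      # AUTH TLS on the control channel
        ftp.login(user, password)
        ftp.prot_p()    # PROT P: encrypt the data connections too
        names = ftp.nlst()
    return plain_rejected, names
```

Running audit(parse_vsftpd_conf(SAMPLE_CONF)) reports only the require_ssl_reuse=NO trade-off and pasv_capacity() returns 100 for the constructed 50000-50099 range, which is also the number of ports to forward on the NAT box.  Flip ssl_sslv3 to YES or force_local_data_ssl to NO and the audit turns those into errors.  For the live probe, a server that accepts the plaintext login in the first half has force_local_logins_ssl off, whatever the rest of the file says.  Newer vsftpd releases add separate switches for TLS 1.1 and 1.2 alongside ssl_tlsv1; check vsftpd.conf(5) for the version in ports before relying on ssl_tlsv1 alone.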

-----Original Message-----
From: owner-freebsd-sta...@freebsd.org 
[mailto:owner-freebsd-sta...@freebsd.org] On Behalf Of Karl Denninger
Sent: Thursday, January 05, 2012 6:10 AM
To: Matthew Seaman
Cc: freebsd-stable@freebsd.org
Subject: Re: FTPS Server?

On 1/5/2012 7:38 AM, Matthew Seaman wrote:
> On 05/01/2012 12:47, Karl Denninger wrote:
>> Not SFTP (which is supported by the sshd) but FTPS.... is it supported
>> by FreeBSD?
> No, not supported in the base system.
>
>> This question may belong on the ports list, but a quick perusal there
>> didn't find anything particularly interesting (one possible candidate is
>> marked broken)
> Several of the ftp daemons in the ports should be capable of running
> FTPS.  10 seconds with Google turns up HOWTOs for setting up either
> vsftpd or proftpd to provide FTPS support.
>
> However, personally, I'd avoid FTPS.  It suffers from most of the design
> flaws of standard FTP[*], particularly as regards passing through
> firewalls.  Worse, because the traffic is encrypted, you can't even use
> tools like ftp-proxy (in ports as ftp/ftp-proxy) to extract transient
> port numbers by deep packet inspection.  As far as your users are
> concerned, just use SFTP.  It behaves exactly like an ordinary FTP
> client, but the underlying SSH protocol over the network is way, way
> better designed.
>
>       Cheers,
>
>       Matthew
>
> [*] Miserable, archaic and long overdue to be put out of our misery.
Yes, I understand all the arguments against, but I have an EyeFi card
here (SD card with a built in Wifi transmitter for use in cameras) that
does not know how to deal with SFTP.

So if I want to do anything other than transfer to a Windows machine
(barf!) I am stuck with either FTP (no encryption at all and subject to
be picked off via trivial means while the data is in flight) or FTPS
(which has its own set of issues.)

The ability to immediately get images shot in the field out of the
camera and onto stable storage via a Wifi hotspot running on the phone
in my pocket looks really good, but I'll be damned if I'm going to base
that on a Windows machine.

I understand that ftps bites but....

-- Karl


_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"