Re: FTPS Server?

2012-01-08 Thread Rainer Duffner

On 05.01.2012 at 20:26, Jeremy Chadwick wrote:

 On Thu, Jan 05, 2012 at 05:16:43PM +0100, Rainer Duffner wrote:
 
 On 05.01.2012 at 16:37, Wolfgang Zenker wrote:
 
 Hi everyone,
 
 * Matthew Seaman m.sea...@infracaninophile.co.uk [120105 14:38]:
 On 05/01/2012 12:47, Karl Denninger wrote:
 Not SFTP (which is supported by the sshd) but FTPS is it supported
 by FreeBSD?
 
 No, not supported in the base system.
 
 [..]
 However, personally, I'd avoid FTPS.  It suffers from most of the design
 flaws of standard FTP[*], particularly as regards passing through
 firewalls.  Worse, because the traffic is encrypted, you can't even use
 tools like ftp-proxy (in ports as ftp/ftp-proxy) to extract transient
 port numbers by deep packet inspection.  As far as your users are
 concerned, just use SFTP.  It behaves exactly like an ordinary FTP
 client, but the underlying SSH protocol over the network is way, way
 better designed.
 
 Well, the problem I have here is at the server side: ftp users can be
 locked in a particular subtree of the file system by simply assigning
 them a chrooted login class. No need to setup any infrastructure in
 that subtree itself. Did not find out how to do this with sftp (we only
 allow publickey authentication with ssh at our servers)
 
 Wolfgang
 
 
 It is possible.
 
 See the chroot configuration in the man-page for sshd_config
 
 If you have a sufficiently complete chroot-environment, you can even do 
 chroot'ed ssh login sessions.
 
 It is possible, but some of the limitations of it are infuriating and
 unrealistic for certain environments.  I just went through working with
 a friend of mine (on a Linux system) setting this up so that one of his
 clients had SFTP access chroot'd but *without* all the copy /dev and
 random libraries and other crap nonsense that is often required.


We use NULLFS mounts for that.
In most cases, we need that for php-fpm chroot anyway...


  It
 worked, but the one limitation that we kept having to find workarounds
 for was this:
 
   All components of the pathname must be root-owned directories that
   are not writable by any other user or group.
 


Yep.
If you need sub-dir access à la "I have this 3rd-party user who supplies data 
to us in this subdirectory", you either have to set up a specific upload area 
where you copy stuff in or out, or just leave SFTP out of the equation right away.


 Oh, and if your system doesn't have remote serial console or way to get
 in if sshd doesn't like some of your sshd_config adjustments, I
 recommend running a separate instance on a separate port (if firewalls
 are involved deal with that too) so you have a way to get in, in the
 case standard port 22 stops working.  (This did happen during the
 aforementioned story, and my friend was quite happy that I had told him
 to set that up prior.  ;-) )



Running FreeBSD in VMware did help to set this up, admittedly ;-)





Rainer


___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to freebsd-stable-unsubscr...@freebsd.org


Re: FTPS Server?

2012-01-08 Thread Hans Snehl
On Thu, Jan 05, 2012 at 04:37:24PM +0100, Wolfgang Zenker wrote:
 Hi everyone,
 
 * Matthew Seaman m.sea...@infracaninophile.co.uk [120105 14:38]:
  On 05/01/2012 12:47, Karl Denninger wrote:
  Not SFTP (which is supported by the sshd) but FTPS is it supported
  by FreeBSD?
 
  No, not supported in the base system.
 
  [..]
  However, personally, I'd avoid FTPS.  It suffers from most of the design
  flaws of standard FTP[*], particularly as regards passing through
  firewalls.  Worse, because the traffic is encrypted, you can't even use
  tools like ftp-proxy (in ports as ftp/ftp-proxy) to extract transient
  port numbers by deep packet inspection.  As far as your users are
  concerned, just use SFTP.  It behaves exactly like an ordinary FTP
  client, but the underlying SSH protocol over the network is way, way
  better designed.
 
 Well, the problem I have here is at the server side: ftp users can be
 locked in a particular subtree of the file system by simply assigning
 them a chrooted login class. No need to setup any infrastructure in
 that subtree itself. Did not find out how to do this with sftp (we only
 allow publickey authentication with ssh at our servers)
 
 Wolfgang

We do the following on a not too busy server with sftp and only pubkey
authentication.
Also this might alleviate the possible headaches expected to arise with
readable and possibly writable root-owned directories.

Given sftp access is to be chrooted into user someone's home
directory, this is owned by root (sftp wants that).
The actual chroot is $HOME/depot and sshd is to proceed according to

 Match User someone
 ChrootDirectory %h/depot
 ForceCommand internal-sftp


Users are chrooted into $HOME/depot, so there is no access
to things like .ssh and else, and for sftp users $HOME/depot
is read-only

ro@# ls -la
total 6
drwxr-xr-x  4 root     someone   4 Oct 14 15:23 .
drwxr-xr-x  4 root     wheel     4 May 20 09:37 ..
drwx------  2 someone  someone   3 Oct 14 14:18 .ssh
drwxr-xr--  3 root     someone   4 Oct 28 07:43 depot

Creating another directory, e.g. 'upload', under depot with
owner 'someone' gives write access to sftp users in 'upload'.

ro# ls -la depot/
total 6
drwxr-xr--  3 root     someone   4 Oct 28 07:43 .
drwxr-xr-x  4 root     someone   4 Oct 14 15:23 ..
-rw-r--r--  1 root     someone  55 Oct 27 18:08 bt1hash
drwxr-xr-x  2 someone  someone   3 Oct 28 07:44 upload

Might fit your needs.

Hans


Re: FTPS Server?

2012-01-07 Thread Jase Thew

On 05/01/2012 13:30, Gót András wrote:

Hi,

You can easily set up FTPS with pure-ftpd, but AFAIK only the
authentication will be secured. This is also called FTP-TLS.

Regards,
Andras



Hi,

pure-ftpd offers configurable TLS support including control *and* data 
channel encryption.


http://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS

Please refer to the ACCEPTING TLS SESSIONS section.

Regards,

Jase.


RE: FTPS Server?

2012-01-06 Thread David Magda
On Thu, January 5, 2012 14:28, Malcolm Waltz wrote:

 I've included a working vsftpd.conf below for FTPES.  For what you are
 doing, you may not need all of these parameters.  The pasv_ parameters are
 mostly only necessary if you need to serve data through a NAT/firewall.
 The pasv_min_port and pasv_max_port will affect how many simultaneous
 connections can be supported by the server.  You may have to try various
 permutations depending on how EyeFi has implemented their client.  If you
 Google vsftpd.conf, you will probably find various sets of instructions
 for how to set it up for your needs.  It helps if you know exactly what
 the client is expecting.  There are a number of variations on the
 standard.  vsftpd can handle all of them I believe.  Also tools like
 tcpdump, wireshark, netstat and lsof are your friends here.
[...]

Are/Were there any special settings that were needed on your
firewall/router/NAT box?



Re: FTPS Server?

2012-01-06 Thread Malcolm Waltz

On Jan 6, 2012, at 6:48 AM, David Magda wrote:

 On Thu, January 5, 2012 14:28, Malcolm Waltz wrote:
 
 I've included a working vsftpd.conf below for FTPES.  For what you are
 doing, you may not need all of these parameters.  The pasv_ parameters are
 mostly only necessary if you need to serve data through a NAT/firewall.
 The pasv_min_port and pasv_max_port will affect how many simultaneous
 connections can be supported by the server.  You may have to try various
 permutations depending on how EyeFi has implemented their client.  If you
 Google vsftpd.conf, you will probably find various sets of instructions
 for how to set it up for your needs.  It helps if you know exactly what
 the client is expecting.  There are a number of variations on the
 standard.  vsftpd can handle all of them I believe.  Also tools like
 tcpdump, wireshark, netstat and lsof are your friends here.
 [...]
 
 Are/Were there any special settings that needed on your
 firewall/router/NAT box?
 

Nothing special.  Inbound access from the Internet to the server on TCP 21 in
addition to the full range of ports specified by the pasv_min_port and
pasv_max_port in the vsftpd.conf.  The host is also running a host-based
firewall (pf).  Here's the pf.conf line that applies:

pass in quick on $ext_if proto tcp from any to internal-server-IP port { 21, pasv_min_port:pasv_max_port } keep state



Re: FTPS Server?

2012-01-05 Thread Gót András

Hi,

You can easily set up FTPS with pure-ftpd, but AFAIK only the 
authentication will be secured. This is also called FTP-TLS.


Regards,
Andras

On Thu, 05 Jan 2012 06:47:38 -0600, Karl Denninger wrote:
Not SFTP (which is supported by the sshd) but FTPS is it supported
by FreeBSD?

This question may belong on the ports list, but a quick perusal there
didn't find anything particularly interesting (one possible candidate is
marked broken)

Thanks in advance.

-- Karl Denninger




Re: FTPS Server?

2012-01-05 Thread Matthew Seaman
On 05/01/2012 12:47, Karl Denninger wrote:
 Not SFTP (which is supported by the sshd) but FTPS is it supported
 by FreeBSD?

No, not supported in the base system.

 This question may belong on the ports list, but a quick perusal there
 didn't find anything particularly interesting (one possible candidate is
 marked broken)

Several of the ftp daemons in the ports should be capable of running
FTPS.  10 seconds with Google turns up HOWTOs for setting up either
vsftpd or proftpd to provide FTPS support.

However, personally, I'd avoid FTPS.  It suffers from most of the design
flaws of standard FTP[*], particularly as regards passing through
firewalls.  Worse, because the traffic is encrypted, you can't even use
tools like ftp-proxy (in ports as ftp/ftp-proxy) to extract transient
port numbers by deep packet inspection.  As far as your users are
concerned, just use SFTP.  It behaves exactly like an ordinary FTP
client, but the underlying SSH protocol over the network is way, way
better designed.

Cheers,

Matthew

[*] Miserable, archaic and long overdue to be put out of our misery.

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW





Re: FTPS Server?

2012-01-05 Thread Karl Denninger
On 1/5/2012 7:38 AM, Matthew Seaman wrote:
 On 05/01/2012 12:47, Karl Denninger wrote:
 Not SFTP (which is supported by the sshd) but FTPS is it supported
 by FreeBSD?
 No, not supported in the base system.

 This question may belong on the ports list, but a quick perusal there
 didn't find anything particularly interesting (one possible candidate is
 marked broken)
 Several of the ftp daemons in the ports should be capable of running
 FTPS.  10 seconds with Google turns up HOWTOs for setting up either
 vsftpd or proftpd to provide FTPS support.

 However, personally, I'd avoid FTPS.  It suffers from most of the design
 flaws of standard FTP[*], particularly as regards passing through
 firewalls.  Worse, because the traffic is encrypted, you can't even use
 tools like ftp-proxy (in ports as ftp/ftp-proxy) to extract transient
 port numbers by deep packet inspection.  As far as your users are
 concerned, just use SFTP.  It behaves exactly like an ordinary FTP
 client, but the underlying SSH protocol over the network is way, way
 better designed.

   Cheers,

   Matthew

 [*] Miserable, archaic and long overdue to be put out of our misery.
Yes, I understand all the arguments against, but I have an EyeFi card
here (SD card with a built in Wifi transmitter for use in cameras) that
does not know how to deal with SFTP.

So if I want to do anything other than transfer to a Windows machine
(barf!) I am stuck with either FTP (no encryption at all and subject to
be picked off via trivial means while the data is in flight) or FTPS
(which has its own set of issues.)

The ability to immediately get images shot in the field out of the
camera and onto stable storage via a Wifi hotspot running on the phone
in my pocket looks really good, but I'll be damned if I'm going to base
that on a Windows machine.

I understand that ftps bites but

-- Karl




Re: FTPS Server?

2012-01-05 Thread Matthew Seaman
On 05/01/2012 14:09, Karl Denninger wrote:
 So if I want to do anything other than transfer to a Windows machine
 (barf!) I am stuck with either FTP (no encryption at all and subject to
 be picked off via trivial means while the data is in flight) or FTPS
 (which has its own set of issues.)

Does your card support uploading by HTTP(S) POST?  You'll need to cook
up a small webapp to process the input, but that shouldn't be any big
deal if you can snoop on the card doing that and extract parameter values.

Or, more obscurely, does that card support HTTP PUT?  Not very many
people realise that uploading data is supported in HTTP, and
consequently it is quite rarely used.  For apache, you need to use a
LIMIT statement to enable the PUT command, and obviously, you'll need
some sort of access control eg. HTTP Basic Auth so users have to provide
passwords.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW





Re: FTPS Server?

2012-01-05 Thread Karl Denninger
On 1/5/2012 9:32 AM, Matthew Seaman wrote:
 On 05/01/2012 14:09, Karl Denninger wrote:
 So if I want to do anything other than transfer to a Windows machine
 (barf!) I am stuck with either FTP (no encryption at all and subject to
 be picked off via trivial means while the data is in flight) or FTPS
 (which has its own set of issues.)
 Does your card support uploading by HTTP(S) POST?  You'll need to cook
 up a small webapp to process the input, but that shouldn't be any big
 deal if you can snoop on the card doing that and extract parameter values.

 Or, more obscurely, does that card support HTTP PUT?  Not very many
 people realise that uploading data is supported in HTTP, and
 consequently it is quite rarely used.  For apache, you need to use a
 LIMIT statement to enable the PUT command, and obviously, you'll need
 some sort of access control eg. HTTP Basic Auth so users have to provide
 passwords.

   Cheers,

   Matthew
No; unfortunately the only open-standards methods supported are FTP or
Secure FTP (FTPS).

The proprietary stuff works, but I want to have a Windows machine
powered up all the time to get the transmissions (even though I can have
it mount a Samba share and thus write them to the same place on the
server in question) like I want a hole in the head.

-- Karl




Re: FTPS Server?

2012-01-05 Thread Mike Tancsa
On 1/5/2012 10:44 AM, Karl Denninger wrote:
 No; unfortunately the only open standards methods supported are FTP or
 Secure FTP (Ftps)

Try proftpd from the ports tree.

http://www.proftpd.org/docs/howto/TLS.html

---Mike

-- 
---
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/


Re: FTPS Server?

2012-01-05 Thread Wolfgang Zenker
Hi everyone,

* Matthew Seaman m.sea...@infracaninophile.co.uk [120105 14:38]:
 On 05/01/2012 12:47, Karl Denninger wrote:
 Not SFTP (which is supported by the sshd) but FTPS is it supported
 by FreeBSD?

 No, not supported in the base system.

 [..]
 However, personally, I'd avoid FTPS.  It suffers from most of the design
 flaws of standard FTP[*], particularly as regards passing through
 firewalls.  Worse, because the traffic is encrypted, you can't even use
 tools like ftp-proxy (in ports as ftp/ftp-proxy) to extract transient
 port numbers by deep packet inspection.  As far as your users are
 concerned, just use SFTP.  It behaves exactly like an ordinary FTP
 client, but the underlying SSH protocol over the network is way, way
 better designed.

Well, the problem I have here is at the server side: ftp users can be
locked in a particular subtree of the file system by simply assigning
them a chrooted login class. No need to setup any infrastructure in
that subtree itself. Did not find out how to do this with sftp (we only
allow publickey authentication with ssh at our servers)

Wolfgang


Re: FTPS Server?

2012-01-05 Thread Rainer Duffner

On 05.01.2012 at 16:37, Wolfgang Zenker wrote:

 Hi everyone,
 
 * Matthew Seaman m.sea...@infracaninophile.co.uk [120105 14:38]:
 On 05/01/2012 12:47, Karl Denninger wrote:
 Not SFTP (which is supported by the sshd) but FTPS is it supported
 by FreeBSD?
 
 No, not supported in the base system.
 
 [..]
 However, personally, I'd avoid FTPS.  It suffers from most of the design
 flaws of standard FTP[*], particularly as regards passing through
 firewalls.  Worse, because the traffic is encrypted, you can't even use
 tools like ftp-proxy (in ports as ftp/ftp-proxy) to extract transient
 port numbers by deep packet inspection.  As far as your users are
 concerned, just use SFTP.  It behaves exactly like an ordinary FTP
 client, but the underlying SSH protocol over the network is way, way
 better designed.
 
 Well, the problem I have here is at the server side: ftp users can be
 locked in a particular subtree of the file system by simply assigning
 them a chrooted login class. No need to setup any infrastructure in
 that subtree itself. Did not find out how to do this with sftp (we only
 allow publickey authentication with ssh at our servers)
 
 Wolfgang


It is possible.

See the chroot configuration in the man-page for sshd_config

If you have a sufficiently complete chroot-environment, you can even do 
chroot'ed ssh login sessions.



Rainer



Re: FTPS Server?

2012-01-05 Thread Matthew Seaman
On 05/01/2012 15:37, Wolfgang Zenker wrote:
 Well, the problem I have here is at the server side: ftp users can be
 locked in a particular subtree of the file system by simply assigning
 them a chrooted login class. No need to setup any infrastructure in
 that subtree itself. Did not find out how to do this with sftp (we only
 allow publickey authentication with ssh at our servers)

shells/scponly has an OPTION for that -- chroot'ing a user to their home
directory -- but you'll need to setup some extra stuff in each user
account.  Happily the port comes with a rc script that does that for you.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW





Re: FTPS Server?

2012-01-05 Thread Jeremy Chadwick
On Thu, Jan 05, 2012 at 05:16:43PM +0100, Rainer Duffner wrote:
 
 On 05.01.2012 at 16:37, Wolfgang Zenker wrote:
 
  Hi everyone,
  
  * Matthew Seaman m.sea...@infracaninophile.co.uk [120105 14:38]:
  On 05/01/2012 12:47, Karl Denninger wrote:
  Not SFTP (which is supported by the sshd) but FTPS is it supported
  by FreeBSD?
  
  No, not supported in the base system.
  
  [..]
  However, personally, I'd avoid FTPS.  It suffers from most of the design
  flaws of standard FTP[*], particularly as regards passing through
  firewalls.  Worse, because the traffic is encrypted, you can't even use
  tools like ftp-proxy (in ports as ftp/ftp-proxy) to extract transient
  port numbers by deep packet inspection.  As far as your users are
  concerned, just use SFTP.  It behaves exactly like an ordinary FTP
  client, but the underlying SSH protocol over the network is way, way
  better designed.
  
  Well, the problem I have here is at the server side: ftp users can be
  locked in a particular subtree of the file system by simply assigning
  them a chrooted login class. No need to setup any infrastructure in
  that subtree itself. Did not find out how to do this with sftp (we only
  allow publickey authentication with ssh at our servers)
  
  Wolfgang
 
 
 It is possible.
 
 See the chroot configuration in the man-page for sshd_config
 
 If you have a sufficiently complete chroot-environment, you can even do 
 chroot'ed ssh login sessions.

It is possible, but some of the limitations of it are infuriating and
unrealistic for certain environments.  I just went through working with
a friend of mine (on a Linux system) setting this up so that one of his
clients had SFTP access chroot'd but *without* all the copy /dev and
random libraries and other crap nonsense that is often required.  It
worked, but the one limitation that we kept having to find workarounds
for was this:

   All components of the pathname must be root-owned directories that
   are not writable by any other user or group.

The general procedures we followed, but diverted from a bit (for a lot
of reasons), was:

http://www.debian-administration.org/articles/590
http://www.howtoforge.com/chrooted-ssh-sftp-tutorial-debian-lenny

For a third time, I will repeat: this method works, but has some serious
nuances/complexities given the group limitation (requirement).  People
setting this up will need to be adamant about watching syslog for
errors, and will be quite surprised when they find that sftponly group
they set up doesn't quite work the way they hoped given the security
requirements of the daemon.

People who say "hey man, sshd has this ChrootDirectory thing, it solves
the problem" choose to bury their head in the sand.  When recommending
things of this nature, people should be made aware up front of the
complexities.

Oh, and if your system doesn't have remote serial console or way to get
in if sshd doesn't like some of your sshd_config adjustments, I
recommend running a separate instance on a separate port (if firewalls
are involved deal with that too) so you have a way to get in, in the
case standard port 22 stops working.  (This did happen during the
aforementioned story, and my friend was quite happy that I had told him
to set that up prior.  ;-) )

And before someone mentions it: let's not bring setfacl into this, nor
rssh (god forbid anyone have to use that thing).

-- 
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator   Mountain View, CA, US |
| Making life hard for others since 1977.   PGP 4BD6C0CB |



RE: FTPS Server?

2012-01-05 Thread Malcolm Waltz
Hi Karl,

I recently built a server (FreeBSD 8.2 with ZFS and Jails) that runs both SFTP 
(OpenSSH) and FTPS (data and control channels explicitly encrypted, a.k.a. 
FTPES).

Not that you will need it, but for SFTP, ezjail + sshd_enable + scponly works 
well.  In my opinion, using Jails is more elegant than doing a chroot config 
with scponly and sshd.  I thought otherwise until I started to actually 
implement it.

For an FTPS server I would strongly recommend vsftpd.  lftp is a good client to 
test with.

I've included a working vsftpd.conf below for FTPES.  For what you are doing, 
you may not need all of these parameters.  The pasv_ parameters are mostly only 
necessary if you need to serve data through a NAT/firewall.  The pasv_min_port 
and pasv_max_port will affect how many simultaneous connections can be 
supported by the server.  You may have to try various permutations depending on 
how EyeFi has implemented their client.  If you Google vsftpd.conf, you will 
probably find various sets of instructions for how to set it up for your needs. 
It helps if you know exactly what the client is expecting.  There are a number 
of variations on the standard.  vsftpd can handle all of them I believe.  Also 
tools like tcpdump, wireshark, netstat and lsof are your friends here.


anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=077
dirmessage_enable=NO
xferlog_enable=YES
nopriv_user=ftpsecure
chroot_local_user=YES
secure_chroot_dir=/usr/local/share/vsftpd/empty
listen=YES
background=YES
syslog_enable=YES
ssl_enable=YES
debug_ssl=YES
rsa_private_key_file=path-to-private-key
rsa_cert_file=path-to-valid-SSL-cert
ca_certs_file=path-to-CA-intermediate-cert
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
strict_ssl_read_eof=NO
require_ssl_reuse=NO
pasv_enable=YES
pasv_address=external-NAT-address
pasv_min_port=fixed-TCP-port-range-min
pasv_max_port=fixed-TCP-port-range-max
passwd_chroot_enable=YES
listen_address=internal-IP-address
userlist_enable=YES
userlist_deny=NO
userlist_file=/usr/local/etc/vsftpd.user_list
check_shell=NO


Good luck,
Malcolm Waltz
Unix Systems Administrator III
Office of Information Technology
University of the Pacific

-Original Message-
From: owner-freebsd-sta...@freebsd.org 
[mailto:owner-freebsd-sta...@freebsd.org] On Behalf Of Karl Denninger
Sent: Thursday, January 05, 2012 6:10 AM
To: Matthew Seaman
Cc: freebsd-stable@freebsd.org
Subject: Re: FTPS Server?

On 1/5/2012 7:38 AM, Matthew Seaman wrote:
 On 05/01/2012 12:47, Karl Denninger wrote:
 Not SFTP (which is supported by the sshd) but FTPS is it supported
 by FreeBSD?
 No, not supported in the base system.

 This question may belong on the ports list, but a quick perusal there
 didn't find anything particularly interesting (one possible candidate is
 marked broken)
 Several of the ftp daemons in the ports should be capable of running
 FTPS.  10 seconds with Google turns up HOWTOs for setting up either
 vsftpd or proftpd to provide FTPS support.

 However, personally, I'd avoid FTPS.  It suffers from most of the design
 flaws of standard FTP[*], particularly as regards passing through
 firewalls.  Worse, because the traffic is encrypted, you can't even use
 tools like ftp-proxy (in ports as ftp/ftp-proxy) to extract transient
 port numbers by deep packet inspection.  As far as your users are
 concerned, just use SFTP.  It behaves exactly like an ordinary FTP
 client, but the underlying SSH protocol over the network is way, way
 better designed.

   Cheers,

   Matthew

 [*] Miserable, archaic and long overdue to be put out of our misery.
Yes, I understand all the arguments against, but I have an EyeFi card
here (SD card with a built in Wifi transmitter for use in cameras) that
does not know how to deal with SFTP.

So if I want to do anything other than transfer to a Windows machine
(barf!) I am stuck with either FTP (no encryption at all and subject to
be picked off via trivial means while the data is in flight) or FTPS
(which has its own set of issues.)

The ability to immediately get images shot in the field out of the
camera and onto stable storage via a Wifi hotspot running on the phone
in my pocket looks really good, but I'll be damned if I'm going to base
that on a Windows machine.

I understand that ftps bites but

-- Karl


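Malcolm's vsftpd.conf above, his later pf rule for the passive range, and Gót András's worry earlier in the thread that FTP-TLS might protect only the login all come down to a handful of keys in one file. The following is an added example and not code from the thread or from vsftpd: a POSIX sh script that reads a vsftpd.conf, reports when the control or data channel is not forced onto TLS or when SSLv2/SSLv3 are left on, and derives the pf rule from pasv_min_port and pasv_max_port so the firewall and the daemon cannot drift apart. The lint insists on explicit values rather than trusting daemon defaults. The two sample configs it writes, the interface em0 and the address 192.0.2.10 are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread or from vsftpd: lint the TLS-related keys
# of a vsftpd.conf and derive the pf rule for the passive port range.

# vsftpd_get CONF KEY
# vsftpd.conf is KEY=VALUE with no spaces around '='; '#' starts a comment.
# Prints the value of the last occurrence of KEY (empty if unset).
vsftpd_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# vsftpd_tls_lint CONF
# Prints one finding per line and returns the number of findings (0 = clean).
# An absent key counts as a finding: the file should say what it means.
vsftpd_tls_lint() {
    conf=$1
    n=0
    for want in ssl_enable=YES \
                force_local_logins_ssl=YES \
                force_local_data_ssl=YES \
                ssl_sslv2=NO \
                ssl_sslv3=NO; do
        key=${want%=*}
        val=${want#*=}
        got=$(vsftpd_get "$conf" "$key")
        if [ "$got" != "$val" ]; then
            echo "$key is '${got:-unset}', expected $val"
            n=$((n + 1))
        fi
    done
    return $n
}

# vsftpd_pf_rule CONF EXT_IF SERVER_IP
# Emits the pf.conf line admitting the control port and the passive range.
vsftpd_pf_rule() {
    conf=$1; ext_if=$2; ip=$3
    lo=$(vsftpd_get "$conf" pasv_min_port)
    hi=$(vsftpd_get "$conf" pasv_max_port)
    if [ -z "$lo" ] || [ -z "$hi" ] || [ "$lo" -gt "$hi" ]; then
        echo "pasv_min_port/pasv_max_port missing or inverted in $conf" >&2
        return 1
    fi
    echo "pass in quick on $ext_if proto tcp from any to $ip port { 21, $lo:$hi } keep state"
}

# write_sample_confs DIR
# Constructed samples: weak.conf leaves the data channel in the clear and
# SSLv3 enabled; hardened.conf forces TLS on both channels.
write_sample_confs() {
    cat > "$1/weak.conf" <<'EOF'
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=NO
ssl_sslv2=NO
ssl_sslv3=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50099
EOF
    cat > "$1/hardened.conf" <<'EOF'
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50099
EOF
}

# Usage: script.sh /usr/local/etc/vsftpd.conf [ext_if] [server_ip]
if [ "$#" -gt 0 ]; then
    vsftpd_tls_lint "$1" || echo "$? finding(s)"
    vsftpd_pf_rule "$1" "${2:-em0}" "${3:-192.0.2.10}"
fi
```

The point of generating the pf line from the same file the daemon reads is that a later change to the passive range (to raise the number of simultaneous transfers, as Malcolm notes) cannot silently leave half the data connections blocked at the firewall.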


Re: FTPS Server?

2012-01-05 Thread Miroslav Lachman

Jeremy Chadwick wrote:

On Thu, Jan 05, 2012 at 05:16:43PM +0100, Rainer Duffner wrote:


On 05.01.2012 at 16:37, Wolfgang Zenker wrote:


Hi everyone,

* Matthew Seaman m.sea...@infracaninophile.co.uk [120105 14:38]:

On 05/01/2012 12:47, Karl Denninger wrote:

Not SFTP (which is supported by the sshd) but FTPS is it supported
by FreeBSD?



No, not supported in the base system.



[..]

However, personally, I'd avoid FTPS.  It suffers from most of the design
flaws of standard FTP[*], particularly as regards passing through
firewalls.  Worse, because the traffic is encrypted, you can't even use
tools like ftp-proxy (in ports as ftp/ftp-proxy) to extract transient
port numbers by deep packet inspection.  As far as your users are
concerned, just use SFTP.  It behaves exactly like an ordinary FTP
client, but the underlying SSH protocol over the network is way, way
better designed.


Well, the problem I have here is at the server side: ftp users can be
locked in a particular subtree of the file system by simply assigning
them a chrooted login class. No need to setup any infrastructure in
that subtree itself. Did not find out how to do this with sftp (we only
allow publickey authentication with ssh at our servers)

Wolfgang



It is possible.

See the chroot configuration in the man-page for sshd_config

If you have a sufficiently complete chroot-environment, you can even do 
chroot'ed ssh login sessions.


It is possible, but some of the limitations of it are infuriating and
unrealistic for certain environments.  I just went through working with
a friend of mine (on a Linux system) setting this up so that one of his
clients had SFTP access chroot'd but *without* all the copy /dev and
random libraries and other crap nonsense that is often required.  It
worked, but the one limitation that we kept having to find workarounds
for was this:

All components of the pathname must be root-owned directories that
are not writable by any other user or group.

The general procedures we followed, but diverted from a bit (for a lot
of reasons), was:

http://www.debian-administration.org/articles/590
http://www.howtoforge.com/chrooted-ssh-sftp-tutorial-debian-lenny

For a third time, I will repeat: this method works, but has some serious
nuances/complexities given the group limitation (requirement).  People
setting this up will need to be adamant about watching syslog for
errors, and will be quite surprised when they find that sftponly group
they set up doesn't quite work the way they hoped given the security
requirements of the daemon.

People who say hey man, sshd has this ChrootDirectory thing, it solves
the problem choose to bury their head in the sand.  When recommending
things of this nature, people should be made aware up front of the
complexities.

Oh, and if your system doesn't have remote serial console or way to get
in if sshd doesn't like some of your sshd_config adjustments, I
recommend running a separate instance on a separate port (if firewalls
are involved deal with that too) so you have a way to get in, in the
case standard port 22 stops working.  (This did happen during the
aforementioned story, and my friend was quite happy that I had told him
to set that up prior.  ;-) )

And before someone mentions it: let's not bring setfacl into this, nor
rssh (god forbid anyone have to use that thing).


Great post (as usual)!
The root-owned dir hierarchy is a big problem if someone wants to 
allow remote access to part of the tree not owned by root but by some 
regular user or a daemon.


This (and other mentioned configuration problems with file transfers 
over SSH) makes me stay with FTPeS for webhosting clients for many 
years. We are using ProFTPd with user accounts stored in MySQL. It is 
easy and flexible.
ProFTPd also supports SFTP configuration, but I didn't test it yet 
(ENOTIME).

http://www.proftpd.org/docs/contrib/mod_sftp.html

Miroslav Lachman