Re: pure-ftpd with SFTP and PureDB Authentication (fwd)

2004-06-03 Thread Robert Storey
If your users want a GUI client and they run Linux or *BSD, then they
can easily configure Gftp to use sftp rather than ftp. In this scenario,
you don't need to run Pureftp on your server - sftp (which uses the sshd
daemon) will do the whole job.

In Gftp, you set this up by clicking FTP-Options-SSH, and on the line
that says "SSH2 sftp-server path" type "/usr/libexec/sftp-server". This
is the sftp-server path for FreeBSD, though note that if your users try
to connect to another server that uses a different path (some Linux
distros use /usr/lib/sftp-server) they'll have to change the path.
Anyway, once this option is set, the only thing the user has to do is
click on the "FTP" icon (upper right-hand side of Gftp screen) and
select "SSH2" (as opposed to "FTP"). That's all.

All of the above applies to Linux and *BSD, and maybe to OSX as well.
But if your users are running Windows, I have no idea. It may be
possible with some Windows ftp clients, but you'll have to research that
on your own.

Maybe I haven't really answered your question.

best regards,
Robert

On Thu, 3 Jun 2004 08:26:55 -0800
"Noah" <[EMAIL PROTECTED]> wrote:

> 
> > 
> > SFTP is for giving secure-ftp-access to users who also have secure-
> > shell-access (SSH), so I don't think it's appropriate for your case.
> > FTP-logins can be totally separated from shell-logins (with a 
> > separate passwords-database or even virtual users on some ftp-
> > servers), so I think you better go on with your FTP-configuration, 
> > but then use a SSL-aware FTP-client to make secured connections to 
> > your server, not SFTP.
> 
> I don't completely understand here - how can I force people with FTP
> accounts to log in securely? As in - how do I force SSL authenticated
> logins but still allow authentication to the accounts in Pureftp DB
> file?
> 
> thanks in advance,
> 
> - noah
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
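
Noah's quoted question above (forcing TLS logins while still authenticating against the PureDB file) comes down to a few directives in pure-ftpd.conf. The following is an added example, not part of the thread or of pure-ftpd: a small auditor for that file format, assuming pure-ftpd's documented TLS values (0 off, 1 optional, 2 cleartext refused); the sample config is constructed.

```python
import re

# Constructed sample in the pure-ftpd.conf format shown in this thread.
SAMPLE_CONF = """\
# PureDB user database (see README.Virtual-Users)
PureDB                      /usr/local/etc/pureftpd.pdb
# UnixAuthentication        yes
NoAnonymous                 no
VerboseLog                  no
TLS                         1
"""

def parse_conf(text):
    """Return {directive: value} for uncommented 'Name value' lines."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        m = re.match(r"(\S+)\s+(.*)$", line)
        if m:
            conf[m.group(1).lower()] = m.group(2).strip()
    return conf

def audit(text):
    """List reasons this config does not force TLS for PureDB-only logins."""
    conf = parse_conf(text)
    findings = []
    tls = conf.get("tls", "missing")
    # Assumption: TLS 0 = off, 1 = optional, 2 = cleartext sessions refused.
    if not tls.isdigit() or int(tls) < 2:
        findings.append(f"TLS is {tls}: cleartext logins are accepted; set TLS 2")
    if "puredb" not in conf:
        findings.append("PureDB is not set: virtual users cannot authenticate")
    for key in ("unixauthentication", "pamauthentication"):
        if conf.get(key, "no").lower() == "yes":
            findings.append(f"{key} is on: system accounts can also log in")
    if conf.get("noanonymous", "no").lower() != "yes":
        findings.append("NoAnonymous is not yes: anonymous connections are allowed")
    if conf.get("verboselog", "no").lower() != "yes":
        findings.append("VerboseLog is off: client commands are not logged")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("-", finding)
```

An empty result from `audit()` means the file requires TLS, authenticates only against PureDB, refuses anonymous sessions, and logs client commands.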


Re: pure-ftpd with SFTP and PureDB Authentication (fwd)

2004-06-03 Thread Noah

> 
> SFTP is for giving secure-ftp-access to users who also have secure-
> shell-access (SSH), so I don't think it's appropriate for your case.
> FTP-logins can be totally separated from shell-logins (with a 
> separate passwords-database or even virtual users on some ftp-
> servers), so I think you better go on with your FTP-configuration, 
> but then use a SSL-aware FTP-client to make secured connections to 
> your server, not SFTP.

I don't completely understand here - how can I force people with FTP accounts
to log in securely? As in - how do I force SSL authenticated logins but still
allow authentication to the accounts in Pureftp DB file?

thanks in advance,

- noah



> 
> GH


Re: pure-ftpd with SFTP and PureDB Authentication (fwd)

2004-06-03 Thread Noah

> 
> SFTP is for giving secure-ftp-access to users who also have secure-
> shell-access (SSH), so I don't think it's appropriate for your case.
> FTP-logins can be totally separated from shell-logins (with a 
> separate passwords-database or even virtual users on some ftp-
> servers), so I think you better go on with your FTP-configuration, 
> but then use a SSL-aware FTP-client to make secured connections to 
> your server, not SFTP.

I don't completely understand here - how can I force people with FTP accounts
to log in securely?

- noah



> 
> GH


Re: pure-ftpd with SFTP and PureDB Authentication (fwd)

2004-06-03 Thread Geert Hendrickx
On Wed, Jun 02, 2004 at 01:42:57PM -0800, Noah wrote:
> On Sun, 30 May 2004 01:25:28 +0200, Geert Hendrickx wrote
> > On Sat, May 29, 2004 at 01:40:06PM -0800, Noah wrote:
> > > 
> > > 
> > > FreeBSD 4.9-STABLE
> > > pure-ftpd version 1.0.18
> > > 
> > > I am unable to login via SFTP using accounts that exist in the PureDB.
> > > The password is denied according to the client and there are no log
> > > messages collected in the server's log files.
> > > 
> > > When I set the server's TLS option to disable SSL/TLS encryption layer
> > > ( TLS 0 ) - I am able to log in with clear text passwords to accounts
> > > located in the PureDB.
> > > 
> > > I have PureDB authentication method uncommented in the pure-ftpd.conf
> > > configuration file - attached below.
> > > 
> > > So what am I doing wrong? How can I have SSL/TLS forced logins and allow
> > > those with PureDB accounts to get authenticated please?
> > > 
> > > cheers,
> > > 
> > > noah
> > 
> > sftp connects to sshd, not ftpd.  So use ssh-login/pw for encrypted
> > logins and sessions.
> > 
> 
> 
> Okay thanks for letting me know.  I am trying to allow only secure FTP logins
> but don't want general accounts for each user.  It would be nice to have
> accounts that only have FTP access and access to specific directories.  Can
> you suggest a way that I can do this while still only allowing SFTP connections?
> 
> cheers,
> 
> Noah
> 
> 
> > GH

SFTP is for giving secure-ftp-access to users who also have secure-
shell-access (SSH), so I don't think it's appropriate for your case.
FTP-logins can be totally separated from shell-logins (with a separate
passwords-database or even virtual users on some ftp-servers), so I
think you better go on with your FTP-configuration, but then use a SSL-
aware FTP-client to make secured connections to your server, not SFTP.  

GH


Re: pure-ftpd with SFTP and PureDB Authentication (fwd)

2004-06-02 Thread Noah
On Sun, 30 May 2004 01:25:28 +0200, Geert Hendrickx wrote
> On Sat, May 29, 2004 at 01:40:06PM -0800, Noah wrote:
> > 
> > 
> > FreeBSD 4.9-STABLE
> > pure-ftpd version 1.0.18
> > 
> > I am unable to login via SFTP using accounts that exist in the PureDB.
> > The password is denied according to the client and there are no log
> > messages collected in the server's log files.
> > 
> > When I set the server's TLS option to disable SSL/TLS encryption layer
> > ( TLS 0 ) - I am able to log in with clear text passwords to accounts
> > located in the PureDB.
> > 
> > I have PureDB authentication method uncommented in the pure-ftpd.conf
> > configuration file - attached below.
> > 
> > So what am I doing wrong? How can I have SSL/TLS forced logins and allow
> > those with PureDB accounts to get authenticated please?
> > 
> > cheers,
> > 
> > noah
> 
> sftp connects to sshd, not ftpd.  So use ssh-login/pw for encrypted
> logins and sessions.
> 


Okay thanks for letting me know.  I am trying to allow only secure FTP logins
but don't want general accounts for each user.  It would be nice to have
accounts that only have FTP access and access to specific directories.  Can
you suggest a way that I can do this while still only allowing SFTP connections?

cheers,

Noah


> GH


Re: pure-ftpd with SFTP and PureDB Authentication (fwd)

2004-05-29 Thread Geert Hendrickx
On Sat, May 29, 2004 at 01:40:06PM -0800, Noah wrote:
> 
> 
> FreeBSD 4.9-STABLE
> pure-ftpd version 1.0.18
> 
> I am unable to login via SFTP using accounts that exist in the PureDB.
> The password is denied according to the client and there are no log
> messages collected in the server's log files.
> 
> When I set the server's TLS option to disable SSL/TLS encryption layer
> ( TLS 0 ) - I am able to log in with clear text passwords to accounts
> located in the PureDB.
> 
> I have PureDB authentication method uncommented in the pure-ftpd.conf
> configuration file - attached below.
> 
> So what am I doing wrong? How can I have SSL/TLS forced logins and allow
> those with PureDB accounts to get authenticated please?
> 
> cheers,
> 
> noah

sftp connects to sshd, not ftpd.  So use ssh-login/pw for encrypted
logins and sessions.  

GH


pure-ftpd with SFTP and PureDB Authentication (fwd)

2004-05-29 Thread Noah


FreeBSD 4.9-STABLE
pure-ftpd version 1.0.18

I am unable to login via SFTP using accounts that exist in the PureDB.
The password is denied according to the client and there are no log
messages collected in the server's log files.

When I set the server's TLS option to disable SSL/TLS encryption layer
( TLS 0 ) - I am able to log in with clear text passwords to accounts
located in the PureDB.

I have PureDB authentication method uncommented in the pure-ftpd.conf
configuration file - attached below.

So what am I doing wrong? How can I have SSL/TLS forced logins and allow
those with PureDB accounts to get authenticated please?

cheers,

noah

Here is the /usr/local/etc/pure-ftpd.conf file --- I am running pureftpd
without any switches other than to define the following configuration
file.

--- snip ---


# Configuration file for pure-ftpd wrappers


# If you want to run Pure-FTPd with this configuration
# instead of command-line options, please run the
# following command :
#
# /usr/local/sbin/pure-config.pl /usr/local/etc/pure-ftpd.conf
#
# Please don't forget to have a look at documentation at
# http://www.pureftpd.org/documentation.html for a complete list of
# options.

# Cage in every user in his home directory

ChrootEveryone  yes

# If the previous option is set to "no", members of the following group
# won't be caged. Others will be. If you don't want chroot()ing anyone,
# just comment out ChrootEveryone and TrustedGID.

# TrustedGID  100

# Turn on compatibility hacks for broken clients

BrokenClientsCompatibility  no

# Maximum number of simultaneous users

MaxClientsNumber  50

# Fork in background

Daemonize   yes

# Maximum number of sim clients with the same IP address

MaxClientsPerIP 8

# If you want to log all client commands, set this to "yes".
# This directive can be duplicated to also log server responses.

VerboseLog  no

# List dot-files even when the client doesn't send "-a".

DisplayDotFiles yes

# Don't allow authenticated users - have a public anonymous FTP only.

AnonymousOnly   no

# Disallow anonymous connections. Only allow authenticated users.

NoAnonymous no

# Syslog facility (auth, authpriv, daemon, ftp, security, user, local*)
# The default facility is "ftp". "none" disables logging.

SyslogFacility  ftp

# Display fortune cookies

# FortunesFile  /usr/share/fortune/zippy

# Don't resolve host names in log files. Logs are less verbose, but
# it uses less bandwidth. Set this to "yes" on very busy servers or
# if you don't have a working DNS.

DontResolve no

# Maximum idle time in minutes (default = 15 minutes)

MaxIdleTime 15

# LDAP configuration file (see README.LDAP)

# LDAPConfigFile  /etc/pureftpd-ldap.conf

# MySQL configuration file (see README.MySQL)

# MySQLConfigFile   /etc/pureftpd-mysql.conf

# Postgres configuration file (see README.PGSQL)

# PGSQLConfigFile   /etc/pureftpd-pgsql.conf

# PureDB user database (see README.Virtual-Users)

PureDB  /usr/local/etc/pureftpd.pdb

# Path to pure-authd socket (see README.Authentication-Modules)

# ExtAuth   /var/run/ftpd.sock

# If you want to enable PAM authentication, uncomment the following line

#  PAMAuthentication yes

# If you want simple Unix (/etc/passwd) authentication, uncomment this

#  UnixAuthentication  yes

# Please note that LDAPConfigFile, MySQLConfigFile, PAMAuthentication and
# UnixAuthentication can be used only once, but they can be combined
# together. For instance, if you use MySQLConfigFile, then UnixAuthentication,
# the SQL server will be asked. If the SQL authentication fails because the
# user wasn't found, another try will be done with /etc/passwd and
# /etc/shadow. If the SQL authentication fails because the password was wrong,
# the authentication chain stops here. Authentication methods are chained in
# the order they are given.

# 'ls' recursion limits. The first argument is the maximum number of
# files to be displayed. The second one is the max subdirectories depth

LimitRecursion  2000 8

# Are anonymous users allowed to create new directories ?

AnonymousCanCreateDirs  no

# If the system is more loaded than the following value,
# anonymous users aren't allowed to download.

MaxLoad 4

# Port range for passive connections replies. - for firewalling.

# PassivePortRange  3 5

# Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
# Symbolic host names are also accepted for gateways with dyna