Re: pure-ftpd with SFTP and PureDB Authentication (fwd)
If your users want a GUI client and they run Linux or *BSD, then they can easily configure Gftp to use sftp rather than ftp. In this scenario, you don't need to run Pureftp on your server - sftp (which uses the sshd daemon) will do the whole job.

In Gftp, you set this up by clicking FTP-Options-SSH, and on the line that says "SSH2 sftp-server path" type "/usr/libexec/sftp-server". This is the sftp-server path for FreeBSD, though note that if your users try to connect to another server that uses a different path (some Linux distros use /usr/lib/sftp-server) they'll have to change the path.

Anyway, once this option is set, the only thing the user has to do is click on the "FTP" icon (upper right-hand side of Gftp screen) and select "SSH2" (as opposed to "FTP"). That's all.

All of the above applies to Linux and *BSD, and maybe to OSX as well. But if your users are running Windows, I have no idea. It may be possible with some Windows ftp clients, but you'll have to research that on your own.

Maybe I haven't really answered your question.

best regards,
Robert

On Thu, 3 Jun 2004 08:26:55 -0800 "Noah" <[EMAIL PROTECTED]> wrote:

> > SFTP is for giving secure-ftp-access to users who also have secure-
> > shell-access (SSH), so I don't think it's appropriate for your case.
> > FTP-logins can be totally separated from shell-logins (with a
> > separate passwords-database or even virtual users on some ftp-
> > servers), so I think you better go on with your FTP-configuration,
> > but then use an SSL-aware FTP-client to make secured connections to
> > your server, not SFTP.
>
> I don't completely understand here - how can I force people with FTP
> accounts to log in securely? As in - how do I force SSL authenticated
> logins but still allow authentication to the accounts in Pureftp DB
> file?
>
> thanks in advance,
>
> - noah

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: pure-ftpd with SFTP and PureDB Authentication (fwd)
> SFTP is for giving secure-ftp-access to users who also have secure-
> shell-access (SSH), so I don't think it's appropriate for your case.
> FTP-logins can be totally separated from shell-logins (with a
> separate passwords-database or even virtual users on some ftp-
> servers), so I think you better go on with your FTP-configuration,
> but then use an SSL-aware FTP-client to make secured connections to
> your server, not SFTP.

I don't completely understand here - how can I force people with FTP accounts to log in securely? As in - how do I force SSL authenticated logins but still allow authentication to the accounts in Pureftp DB file?

thanks in advance,

- noah

> GH
Re: pure-ftpd with SFTP and PureDB Authentication (fwd)
> SFTP is for giving secure-ftp-access to users who also have secure-
> shell-access (SSH), so I don't think it's appropriate for your case.
> FTP-logins can be totally separated from shell-logins (with a
> separate passwords-database or even virtual users on some ftp-
> servers), so I think you better go on with your FTP-configuration,
> but then use an SSL-aware FTP-client to make secured connections to
> your server, not SFTP.

I don't completely understand here - how can I force people with FTP accounts to log in securely?

- noah

> GH
Re: pure-ftpd with SFTP and PureDB Authentication (fwd)
On Wed, Jun 02, 2004 at 01:42:57PM -0800, Noah wrote:
> On Sun, 30 May 2004 01:25:28 +0200, Geert Hendrickx wrote
> > On Sat, May 29, 2004 at 01:40:06PM -0800, Noah wrote:
> > >
> > > FreeBSD 4.9-STABLE
> > > pure-ftpd version 1.0.18
> > >
> > > I am unable to login via SFTP using accounts that exist in the PureDB.
> > > The password is denied according to the client and there are no log
> > > messages collected in the server's log files.
> > >
> > > When I set the server's TLS option to disable SSL/TLS encryption layer
> > > ( TLS 0 ) - I am able to log in with clear text passwords to accounts
> > > located in the PureDB.
> > >
> > > I have PureDB authentication method uncommented in the pure-ftpd.conf
> > > configuration file - attached below.
> > >
> > > so what am I doing wrong. how can I have SSL/TLS forced logins and allow
> > > those with PureDB accounts to get authenticated please?
> > >
> > > cheers,
> > >
> > > noah
> >
> > sftp connects to sshd, not ftpd. So use ssh-login/pw for encrypted
> > logins and sessions.
> >
>
> Okay thanks for letting me know. I am trying to allow only secure FTP logins
> but don't want general accounts for each user. it would be nice to have
> accounts that only have FTP access and access to specific directories. can
> you suggest a way that I can do this while still only allowing SFTP connections?
>
> cheers,
>
> Noah
>
> > GH

SFTP is for giving secure-ftp-access to users who also have secure-shell-access (SSH), so I don't think it's appropriate for your case. FTP-logins can be totally separated from shell-logins (with a separate passwords-database or even virtual users on some ftp-servers), so I think you better go on with your FTP-configuration, but then use an SSL-aware FTP-client to make secured connections to your server, not SFTP.

GH
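
Added example (not part of the thread, and not pure-ftpd project code): a small audit of a pure-ftpd.conf against the setup asked about here, TLS-only logins for PureDB virtual users. It assumes pure-ftpd's documented TLS levels (0 disabled, 1 optional, 2 cleartext refused) and that TLS is off when no TLS line is present; the sample config is constructed, and its TLS line is an assumption because the posted file is cut off before any TLS directive.

```python
# Added example: audit a pure-ftpd.conf for "TLS-only logins, PureDB accounts".
# Constructed sample in the layout of the posted file; the TLS line is an
# assumption, because the posted config is cut off before any TLS directive.
SAMPLE_CONF = """\
ChrootEveryone              yes
NoAnonymous                 no
# UnixAuthentication        yes
PureDB                      /usr/local/etc/pureftpd.pdb
TLS                         1
"""

AUTH_KEYS = ("LDAPConfigFile", "MySQLConfigFile", "PGSQLConfigFile", "PureDB",
             "ExtAuth", "PAMAuthentication", "UnixAuthentication")

def parse_conf(text):
    """Return {directive: value} for active lines, in file order."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            key, *rest = line.split(None, 1)
            conf[key] = rest[0] if rest else ""
    return conf

def audit(text):
    """Return findings that break the TLS-only, virtual-users-only goal."""
    conf = parse_conf(text)
    on = lambda key: conf.get(key, "no").lower() == "yes"
    # Auth methods are tried in the order they appear in the file.
    chain = [k for k in conf if k in AUTH_KEYS and conf[k].lower() != "no"]
    findings = []
    tls = conf.get("TLS", "0")                # assumed default: TLS off
    if tls == "0":
        findings.append("TLS-OFF: every login and password is sent in cleartext")
    elif tls == "1":
        findings.append("TLS-OPTIONAL: cleartext logins are still accepted")
    if "PureDB" not in chain:
        findings.append("NO-PUREDB: virtual users cannot authenticate")
    if any(k in chain for k in ("PAMAuthentication", "UnixAuthentication")):
        findings.append("SYSTEM-AUTH: shell accounts can also log in over FTP")
    if not on("NoAnonymous"):
        findings.append("ANONYMOUS: anonymous sessions are allowed")
    if not on("ChrootEveryone"):
        findings.append("NO-CHROOT: users are not caged in their home directory")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Clients then connect with an FTP client that speaks explicit TLS (AUTH TLS on the FTP control port), not with an sftp client, which talks to sshd.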
Re: pure-ftpd with SFTP and PureDB Authentication (fwd)
On Sun, 30 May 2004 01:25:28 +0200, Geert Hendrickx wrote
> On Sat, May 29, 2004 at 01:40:06PM -0800, Noah wrote:
> >
> > FreeBSD 4.9-STABLE
> > pure-ftpd version 1.0.18
> >
> > I am unable to login via SFTP using accounts that exist in the PureDB.
> > The password is denied according to the client and there are no log
> > messages collected in the server's log files.
> >
> > When I set the server's TLS option to disable SSL/TLS encryption layer
> > ( TLS 0 ) - I am able to log in with clear text passwords to accounts
> > located in the PureDB.
> >
> > I have PureDB authentication method uncommented in the pure-ftpd.conf
> > configuration file - attached below.
> >
> > so what am I doing wrong. how can I have SSL/TLS forced logins and allow
> > those with PureDB accounts to get authenticated please?
> >
> > cheers,
> >
> > noah
>
> sftp connects to sshd, not ftpd. So use ssh-login/pw for encrypted
> logins and sessions.
>

Okay thanks for letting me know. I am trying to allow only secure FTP logins but don't want general accounts for each user. it would be nice to have accounts that only have FTP access and access to specific directories. can you suggest a way that I can do this while still only allowing SFTP connections?

cheers,

Noah

> GH
Re: pure-ftpd with SFTP and PureDB Authentication (fwd)
On Sat, May 29, 2004 at 01:40:06PM -0800, Noah wrote:
>
> FreeBSD 4.9-STABLE
> pure-ftpd version 1.0.18
>
> I am unable to login via SFTP using accounts that exist in the PureDB.
> The password is denied according to the client and there are no log
> messages collected in the server's log files.
>
> When I set the server's TLS option to disable SSL/TLS encryption layer
> ( TLS 0 ) - I am able to log in with clear text passwords to accounts
> located in the PureDB.
>
> I have PureDB authentication method uncommented in the pure-ftpd.conf
> configuration file - attached below.
>
> so what am I doing wrong. how can I have SSL/TLS forced logins and allow
> those with PureDB accounts to get authenticated please?
>
> cheers,
>
> noah

sftp connects to sshd, not ftpd. So use ssh-login/pw for encrypted logins and sessions.

GH
pure-ftpd with SFTP and PureDB Authentication (fwd)
FreeBSD 4.9-STABLE
pure-ftpd version 1.0.18

I am unable to login via SFTP using accounts that exist in the PureDB. The password is denied according to the client and there are no log messages collected in the server's log files.

When I set the server's TLS option to disable SSL/TLS encryption layer ( TLS 0 ) - I am able to log in with clear text passwords to accounts located in the PureDB.

I have PureDB authentication method uncommented in the pure-ftpd.conf configuration file - attached below.

so what am I doing wrong. how can I have SSL/TLS forced logins and allow those with PureDB accounts to get authenticated please?

cheers,

noah

here is the /usr/local/etc/pure-ftpd.conf file --- I am running pureftpd without any switches other than to define the following configuration file.

--- snip ---

#
# Configuration file for pure-ftpd wrappers
#

# If you want to run Pure-FTPd with this configuration
# instead of command-line options, please run the
# following command :
#
# /usr/local/sbin/pure-config.pl /usr/local/etc/pure-ftpd.conf
#
# Please don't forget to have a look at documentation at
# http://www.pureftpd.org/documentation.html for a complete list of
# options.

# Cage in every user in his home directory

ChrootEveryone              yes

# If the previous option is set to "no", members of the following group
# won't be caged. Others will be. If you don't want chroot()ing anyone,
# just comment out ChrootEveryone and TrustedGID.

# TrustedGID                100

# Turn on compatibility hacks for broken clients

BrokenClientsCompatibility  no

# Maximum number of simultaneous users

MaxClientsNumber            50

# Fork in background

Daemonize                   yes

# Maximum number of sim clients with the same IP address

MaxClientsPerIP             8

# If you want to log all client commands, set this to "yes".
# This directive can be duplicated to also log server responses.

VerboseLog                  no

# List dot-files even when the client doesn't send "-a".

DisplayDotFiles             yes

# Don't allow authenticated users - have a public anonymous FTP only.

AnonymousOnly               no

# Disallow anonymous connections. Only allow authenticated users.

NoAnonymous                 no

# Syslog facility (auth, authpriv, daemon, ftp, security, user, local*)
# The default facility is "ftp". "none" disables logging.

SyslogFacility              ftp

# Display fortune cookies

# FortunesFile              /usr/share/fortune/zippy

# Don't resolve host names in log files. Logs are less verbose, but
# it uses less bandwidth. Set this to "yes" on very busy servers or
# if you don't have a working DNS.

DontResolve                 no

# Maximum idle time in minutes (default = 15 minutes)

MaxIdleTime                 15

# LDAP configuration file (see README.LDAP)

# LDAPConfigFile            /etc/pureftpd-ldap.conf

# MySQL configuration file (see README.MySQL)

# MySQLConfigFile           /etc/pureftpd-mysql.conf

# Postgres configuration file (see README.PGSQL)

# PGSQLConfigFile           /etc/pureftpd-pgsql.conf

# PureDB user database (see README.Virtual-Users)

PureDB                      /usr/local/etc/pureftpd.pdb

# Path to pure-authd socket (see README.Authentication-Modules)

# ExtAuth                   /var/run/ftpd.sock

# If you want to enable PAM authentication, uncomment the following line

# PAMAuthentication         yes

# If you want simple Unix (/etc/passwd) authentication, uncomment this

# UnixAuthentication        yes

# Please note that LDAPConfigFile, MySQLConfigFile, PAMAuthentication and
# UnixAuthentication can be used only once, but they can be combined
# together. For instance, if you use MySQLConfigFile, then UnixAuthentication,
# the SQL server will be asked. If the SQL authentication fails because the
# user wasn't found, another try # will be done with /etc/passwd and
# /etc/shadow. If the SQL authentication fails because the password was wrong,
# the authentication chain stops here. Authentication methods are chained in
# the order they are given.

# 'ls' recursion limits. The first argument is the maximum number of
# files to be displayed. The second one is the max subdirectories depth

LimitRecursion              2000 8

# Are anonymous users allowed to create new directories ?

AnonymousCanCreateDirs      no

# If the system is more loaded than the following value,
# anonymous users aren't allowed to download.

MaxLoad                     4

# Port range for passive connections replies. - for firewalling.

# PassivePortRange          3 5

# Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
# Symbolic host names are also accepted for gateways with dyna