Matrixmonkey n00b
Joined: 18 Apr 2003 Posts: 43 Location: Bradford,UK
Posted: Sun Aug 22, 2004 11:21 am Post subject: secure ftp? for select number of users
I need to set up an FTP server, but only FTP, NO shell access, to their home dir (well, it was in the www dir, but I've moved it now).
I've been looking up proftpd+msql but no joy,
and thought about adding users with the option -s /bin/false,
but that would still leave passwords on the system,
so any ideas would leave me forever in your debt.
Matrixmonkey
bunsen Tux's lil' helper
Joined: 10 Aug 2003 Posts: 105
Posted: Sun Aug 22, 2004 11:30 am Post subject:
openssh ships with sftp. I've not used it, so can't say whether it's of any use to you.
Matrixmonkey n00b
Joined: 18 Apr 2003 Posts: 43 Location: Bradford,UK
Posted: Sun Aug 22, 2004 2:59 pm Post subject:
Ahhh, forgot to say the users are Windows users, and thick ones at that, so I would need a Windows client.
I keep trying to turn them to the light side of the Force, but no joy;
the dark side is stronger.
jonnymalm n00b
Joined: 26 Jun 2002 Posts: 68
Posted: Sun Aug 22, 2004 3:29 pm Post subject:
sftp that ships with openssh is the way to go.
There is a great Windows client called WinSCP that is easy to use for all of your thick Windows users. It is open source/freeware and you can get it at http://winscp.sourceforge.net/eng/
I have never set up openssh without ssh shell access, but I am sure that you can do it.
echo6 Guru
Joined: 04 Jan 2003 Posts: 587
Posted: Sat Sep 04, 2004 1:30 pm Post subject:
So what is the answer?
How do you allow an account for sftp access and disable ssh access?
petterg Guru
Joined: 25 Mar 2004 Posts: 500 Location: Oslo, Norway
Posted: Sat Sep 04, 2004 2:08 pm Post subject:
You're not telling why you want this, but I'm guessing you want users to only have access to /home and subdirs of /home.
(Block access to all other files in the system.)
If my guess is correct, openssh 3.7.1_p2-r2 with the chroot patch is the way to go. (I've had no success in making the chroot patch work with 3.8.* and 3.9.*!)
This will not stop users from having shell access, but it will stop them from having access to other files. You are also controlling what binaries they are allowed to run. To make sftp work they need access to ls, cp, mv, rm, mkdir, rmdir and bash.
The downside of this is that users will still be able to create ssh tunnels to the server, so if your goal is to protect other computers on the local network this will be the wrong way to go. (Unless there is some way to block tunnelling that I'm not aware of.)
Regarding a Windows client: check out Filezilla.
echo6 Guru
Joined: 04 Jan 2003 Posts: 587
Posted: Sat Sep 04, 2004 2:16 pm Post subject:
I simply want users to be able to use WinSCP to upload/download files etc., but I don't want them to have access to a shell on the server.
I was looking for a simple solution to just possibly allow access to those commands required for ftp without users having access to the other commands.
Oh well, now looking at grsecurity and access control lists as a possible way to go, I guess there's no simple solution. I already have the gentoo-hardened kernel compiled and the server is up and running, so I may as well go for it.
hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
Posted: Sat Sep 04, 2004 4:13 pm Post subject:
If sFTP isn't an option for you, I would recommend vsftp for an FTP server.
As to your other question, you can set up users without a shell:
Code:
```
useradd -s /bin/false -m -g usergroup username
```
I would also add another layer if possible, restricting access to port 21 from 'trusted networks' via iptables. Since you have a small number of users connecting, you can limit it only to those IPs. I understand that they may be coming from large networks/DHCP and don't have a static IP, but you could open it to the netblock. This is still restricting it considerably. It all depends on how many users are using DHCP vs static. If the majority is static, then I would say it is worth it.
Hope this helps,
hanji
echo6 Guru
Joined: 04 Jan 2003 Posts: 587
Posted: Sat Sep 04, 2004 4:49 pm Post subject:
The majority of access will be from unknown IP addresses, so using hosts.allow or a configured iptables rule is not an option.
I currently have vsftpd but was hoping to use the added security of ssh. Setting up users without a shell disables sftp/scp access.
Oh! Another thing to remember when using /bin/false: it requires an entry in /etc/shells for this to work with vsftp.
hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
Looks like vsftpd2 supports SSL.. maybe something to look at..
petterg Guru
Joined: 25 Mar 2004 Posts: 500 Location: Oslo, Norway
Posted: Sat Sep 04, 2004 5:13 pm Post subject:
I figured out how to make the chroot patch work with openssh-3.9. It needs some more files in the jail than 3.7 needed:
/etc/pam.d
/etc/security
/lib/libpam*
(I've tried this with openssh-3.9_p1 only.)
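As an added example (not petterg's procedure, nor code from openssh or the chroot patch), the following POSIX sh script builds the kind of jail the two petterg posts describe: it copies the binaries a chrooted sftp session needs (ls, cp, mv, rm, mkdir, rmdir and a shell) plus the shared libraries that ldd reports for each into a jail directory. The names JAIL, copy_into_jail, lib_deps, populate_jail and jail_has are the example's own; the jail is a temp directory so the script runs without root, and the PAM files petterg lists for 3.9 are left to the operator.

```shell
#!/bin/sh
# Added example, not from the thread: populate a chroot jail with the
# binaries a chrooted sftp session needs (ls, cp, mv, rm, mkdir, rmdir and
# a shell) plus the shared libraries each one links against, resolved with
# ldd. JAIL is a temp directory here so the script runs without root; on a
# real host it would be the user's chroot and the script would run as root.

JAIL="${TMPDIR:-/tmp}/sftp-jail.$$"

# copy_into_jail JAIL PATH -> copies PATH to JAIL/PATH, creating parent dirs
copy_into_jail() {
  jail=$1; src=$2
  [ -e "$src" ] || return 1
  mkdir -p "$jail$(dirname "$src")"
  cp "$src" "$jail$src"
}

# lib_deps BINARY -> absolute paths of the shared objects BINARY needs;
# empty when ldd is unavailable or the binary is statically linked
lib_deps() {
  command -v ldd >/dev/null 2>&1 || return 0
  ldd "$1" 2>/dev/null |
    awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }'
}

# populate_jail JAIL NAME... -> copies each named binary and its libraries;
# returns the number of names that could not be resolved on the host
populate_jail() {
  jail=$1; shift; missing=0
  for name in "$@"; do
    path=$(command -v "$name" 2>/dev/null) || { missing=$((missing + 1)); continue; }
    copy_into_jail "$jail" "$path"
    for lib in $(lib_deps "$path"); do
      copy_into_jail "$jail" "$lib" || :   # tolerate an entry with no file on disk
    done
  done
  return "$missing"
}

# jail_has JAIL NAME -> 0 when the jail holds an executable copy of NAME
jail_has() {
  path=$(command -v "$2" 2>/dev/null) || return 1
  [ -x "$1$path" ]
}

# Stand-alone run: build the jail petterg describes and list what landed in it.
populate_jail "$JAIL" sh ls cp mv rm mkdir rmdir ||
  echo "warning: $? of the requested binaries were not found on this host"
find "$JAIL" -type f | sort
```

The same copy_into_jail helper can be pointed at the /etc/pam.d, /etc/security and /lib/libpam* entries petterg lists for openssh-3.9. Because the jail still contains a real shell, petterg's caveat stands: this limits which files a user can reach, not whether the user can open ssh tunnels through the server.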
echo6 Guru
Joined: 04 Jan 2003 Posts: 587
Posted: Sat Sep 04, 2004 6:07 pm Post subject:
hanj wrote:
> Looks like vsftpd2 supports SSL.. maybe something to look at..

Ah! Good point.
Thanks.
sbonnell n00b
Joined: 29 Jan 2004 Posts: 14 Location: Paris, France
Posted: Sat Sep 04, 2004 7:24 pm Post subject: rssh
You may have a look at rssh. It's used to restrict access to ssh functions.
Regards,
Stephane
Matrixmonkey n00b
Joined: 18 Apr 2003 Posts: 43 Location: Bradford,UK
Posted: Sun Sep 05, 2004 1:18 pm Post subject:
The answer:
when my sister was on holiday I stole her PC and installed Gentoo on it.
Mwahahaha, nice and secure server and client now.
echo6 Guru
Joined: 04 Jan 2003 Posts: 587
Posted: Tue Sep 07, 2004 9:30 pm Post subject: Re: rssh
sbonnell wrote:
> You may have a look at rssh. It's used to restrict the access to ssh functions.
> Regards,
> Stephane

Excellent, thanks.
Jaxom Tux's lil' helper
Joined: 31 Jan 2003 Posts: 137
Posted: Tue Sep 07, 2004 9:49 pm Post subject:
I use vsftpd. I read in the man pages about changing some things around to allow anonymous logons without passwords. And you can set quite a bit of other security-level stuff in it as well. Hence the name Very Secure FTP Daemon.
badchien Guru
Joined: 16 Feb 2004 Posts: 415 Location: doghouse
Posted: Tue Sep 14, 2004 3:37 pm Post subject:
echo6 wrote:
> So what is the answer?
> How do you allow an account for sftp access and disable ssh access?

Someone told me that this works to allow sftp only, not ssh: change their shell like this:
Code:
```
chsh -s /usr/lib/misc/sftp-server someuser
```
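Added example, not code from any poster in this thread: a POSIX sh audit that ties together hanj's useradd -s /bin/false, echo6's reminder that vsftpd needs the login shell listed in /etc/shells, and badchien's chsh to sftp-server. It reads a passwd-style file and a shells file (constructed sample copies written to a temp dir, not the real /etc files), lists every transfer-only account, and flags those whose shell is missing from the shells file. The function names (is_transfer_only, shell_listed, audit, count_missing) and the sample users are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: audit transfer-only accounts.
# Reads a passwd-style file, picks out accounts whose login shell is a
# transfer-only shell (sftp-server, rssh, /bin/false, nologin) and flags
# those whose shell is absent from the shells file, which is the case
# echo6 hit: vsftpd refuses the login unless the shell is in /etc/shells.

# Constructed sample data, written to temp files so the script runs offline
# instead of reading the real /etc/passwd and /etc/shells.
SAMPLE_DIR="${TMPDIR:-/tmp}/sftp-audit.$$"
mkdir -p "$SAMPLE_DIR"
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/usr/lib/misc/sftp-server
bob:x:1002:1002::/home/bob:/bin/false
carol:x:1003:1003::/home/carol:/bin/bash
dave:x:1004:1004::/home/dave:/usr/bin/rssh
EOF
cat > "$SAMPLE_DIR/shells" <<'EOF'
/bin/sh
/bin/bash
/usr/lib/misc/sftp-server
EOF

# is_transfer_only SHELL -> 0 when SHELL is one of the restricted shells
is_transfer_only() {
  case "$1" in
    */sftp-server|*/rssh|/bin/false|*/nologin) return 0 ;;
    *) return 1 ;;
  esac
}

# shell_listed SHELL SHELLS_FILE -> 0 when SHELL appears verbatim in SHELLS_FILE
shell_listed() {
  grep -Fqx -- "$1" "$2"
}

# audit PASSWD_FILE SHELLS_FILE -> one "user shell status" line per restricted account
audit() {
  while IFS=: read -r user pw uid gid gecos home shell; do
    is_transfer_only "$shell" || continue
    if shell_listed "$shell" "$2"; then
      status=ok
    else
      status=MISSING_FROM_SHELLS
    fi
    printf '%s %s %s\n' "$user" "$shell" "$status"
  done < "$1"
}

# count_missing PASSWD_FILE SHELLS_FILE -> how many restricted accounts have a
# shell that is not listed (the ones whose vsftpd logins will fail)
count_missing() {
  audit "$1" "$2" | grep -c MISSING_FROM_SHELLS
}

# Stand-alone run over the constructed sample: alice is fine, bob and dave are flagged.
audit "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shells"
```

On a real host the same call is `audit /etc/passwd /etc/shells`. A line flagged MISSING_FROM_SHELLS is exactly echo6's /bin/false case; adding the shell to /etc/shells fixes the vsftpd login, while a shell of sftp-server (badchien's chsh) leaves the account with file transfer and no interactive login.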
echo6 Guru
Joined: 04 Jan 2003 Posts: 587
Posted: Thu Oct 14, 2004 8:08 am Post subject:
badchien wrote:
> Code:
> ```
> chsh -s /usr/lib/misc/sftp-server someuser
> ```

Of course!! Yes, very simple, I'll give that a try, many thanks.
To Veteran
Joined: 12 Apr 2003 Posts: 1145 Location: Coimbra, Portugal
Posted: Thu Oct 14, 2004 8:49 am Post subject:
Jaxom wrote:
> I use vsftpd, I read in the man pages about changing some things around to allow anonymous logons without passwords. And you can set quite a bit of other security level stuff in it as well. Hence the name Very Secure FTP Daemon

One more vote for vsftpd
Tó
cpdsaorg Guru
Joined: 16 Oct 2003 Posts: 359
Posted: Fri Jul 29, 2005 12:39 pm Post subject:
Just curious, when you install sshd, do the sftp and ssh functionality keep separate access control lists? I thought ssh had an allow or deny list? Or am I mixing that up with ftp?