On 05.01.2012 at 20:26, Jeremy Chadwick wrote:

> On Thu, Jan 05, 2012 at 05:16:43PM +0100, Rainer Duffner wrote:
>>
>> On 05.01.2012 at 16:37, Wolfgang Zenker wrote:
>>
>>> Hi everyone,
>>>
>>> * Matthew Seaman <m.sea...@infracaninophile.co.uk> [120105 14:38]:
>>>> On 05/01/2012 12:47, Karl Denninger wrote:
>>>>> Not SFTP (which is supported by the sshd) but FTPS.... is it supported
>>>>> by FreeBSD?
>>>
>>>> No, not supported in the base system.
>>>
>>>>> [..]
>>>> However, personally, I'd avoid FTPS. It suffers from most of the design
>>>> flaws of standard FTP[*], particularly as regards passing through
>>>> firewalls. Worse, because the traffic is encrypted, you can't even use
>>>> tools like ftp-proxy (in ports as ftp/ftp-proxy) to extract transient
>>>> port numbers by deep packet inspection. As far as your users are
>>>> concerned, just use SFTP. It behaves exactly like an ordinary FTP
>>>> client, but the underlying SSH protocol over the network is way, way
>>>> better designed.
>>>
>>> Well, the problem I have here is at the server side: ftp users can be
>>> locked in a particular subtree of the file system by simply assigning
>>> them a chrooted login class. No need to set up any infrastructure in
>>> that subtree itself. Did not find out how to do this with sftp (we only
>>> allow publickey authentication with ssh at our servers)
>>>
>>> Wolfgang
>>
>>
>> It is possible.
>>
>> See the chroot configuration in the man-page for sshd_config
>>
>> If you have a sufficiently complete chroot-environment, you can even do
>> chroot'ed ssh login sessions.
>
> It is possible, but some of the limitations of it are infuriating and
> unrealistic for certain environments. I just went through working with
> a friend of mine (on a Linux system) setting this up so that one of his
> clients had SFTP access chroot'd but *without* all the "copy /dev and
> random libraries and other crap" nonsense that is often required.

We use NULLFS mounts for that. In most cases, we need that for php-fpm chroot anyway...

> It worked, but the one limitation that we kept having to "find workarounds
> for" was this:
>
> All components of the pathname must be root-owned directories that
> are not writable by any other user or group.
>

Yep. If you need sub-dir access a la "I have this 3rd-party user who supplies data to us in this subdirectory", you either have to set up a specific upload area where you copy stuff in or out, or just leave SFTP out of the equation right away.

> Oh, and if your system doesn't have remote serial console or way to get
> in if sshd doesn't like some of your sshd_config adjustments, I
> recommend running a separate instance on a separate port (if firewalls
> are involved deal with that too) so you have a way to get in, in the
> case standard port 22 stops working. (This did happen during the
> aforementioned story, and my friend was quite happy that I had told him
> to set that up prior. ;-) )

Running FreeBSD in a vmware did help to set this up, admittedly ;-)

Rainer
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"