On Mon, Jun 22, 2009 at 08:52:23AM -0500, Dominguez, Roland wrote:
> I received permission to set up our sftp/ftp server under OpenBSD.
> Is there a best practices doc for doing so?
> I'm reading:
> http://www.openbsd.org/faq/faq10.html#ftpchroot
> and
> http://www.openbsd.org/cgi-bin/man.cgi?query=ftpd&sektion=8

You seem to have found the relevant documentation yourself. The only
"best practice" I would suggest is dropping ftpd and just going with
sftp-server(8) (the part of sshd(8) used by the sftp(1) command).

Try something like this in /etc/ssh/sshd_config:

    Match group sftp_users
        AllowTcpForwarding no
        ChrootDirectory "%h"
        ForceCommand internal-sftp
        X11Forwarding no

You can then create users in group sftp_users with appropriate home
directories. You may impose some limits on the resources they may
consume (see sshd_config(5), login.conf(5)), if required. Do read the
section on syslog sockets (short version: set
syslogd_flags="-a /some/ftp_user's/home -a /some/other/ftp_user's/home"
in /etc/rc.conf.local).

Joachim
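
Added example, not part of the original message: with ChrootDirectory set to "%h", sshd_config(5) requires every component of each user's home path to be a root-owned directory that is not writable by group or others, and sshd refuses the session otherwise. The sketch below checks a path against that rule before users are enabled; the function names component_ok and chroot_path_ok are hypothetical, and it parses `ls -ldn` output so it behaves the same on BSD and GNU userlands.

```sh
#!/bin/sh
# Added example: pre-flight check for an sshd ChrootDirectory.
# Rule from sshd_config(5): each path component must be a directory,
# owned by root, and not writable by group or others.

# component_ok MODE UID -> 0 if one path component is acceptable.
# MODE is the ls -l style string (e.g. drwxr-xr-x), UID is numeric.
component_ok() {
    mode=$1 uid=$2
    case $mode in d*) ;; *) return 1 ;; esac   # must be a directory
    [ "$uid" = 0 ] || return 1                 # must be owned by root
    gw=$(printf '%s' "$mode" | cut -c6)        # group write bit
    ow=$(printf '%s' "$mode" | cut -c9)        # other write bit
    [ "$gw" != w ] && [ "$ow" != w ]
}

# chroot_path_ok DIR -> 0 if DIR and all of its parents pass component_ok.
# Reports the first offending component on stderr.
chroot_path_ok() {
    p=$1
    case $p in
        /*) ;;
        *) echo "not an absolute path: $p" >&2; return 1 ;;
    esac
    while :; do
        # -d lists the directory itself, -n prints numeric uid/gid.
        # Fields: 1 = mode string, 3 = owner uid.
        set -- $(ls -ldn "$p" 2>/dev/null)
        if [ $# -lt 3 ] || ! component_ok "$1" "$3"; then
            echo "bad ownership or modes: $p" >&2
            return 1
        fi
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}
```

A home directory that fails the check is typically fixed by making it root-owned with mode 755 and giving the user a writable subdirectory inside it.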