chrooted SFTP and FTP with writable root?
Hi list,
(Please CC me, I'm not subscribed)

I'm using Debian Squeeze and would like to be able to chroot a certain user into its home directory (eg. /home/test) with both SFTP and FTP. The user does not need shell access, but others do.

Software involved is vsftp and openssh. I have a working setup which chroots the user into its home directory correctly, but this setup requires that directory to be owned by root (and group root) and with only write permissions on the owner (an openssh requirement). This effectively prevents a client from writing directly into the directory, so only subdirectories are writable.

Changing the permissions or (group)ownership of the home directory fixes it for ftp but causes sftp (ssh) access to be denied.

Does anyone have something similar where both sftp and ftp access is enabled to a chroot, and writable, not just subdirectories?

I used this [1] guide in setting up the sftp chroot. Only changed the "Match group" to "Match User".

Kind regards,
Steven

[1] http://www.debian-administration.org/articles/590

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/AD284060-8887-4611-9091-D1158BC459AA@intrismail01.intris.be
chrooted SFTP and FTP with writable root?
On Wed, 05 Oct 2011 11:41:18 +0200, Steven.Post wrote:
> Hi list,
>
> (Please CC me, I'm not subscribed)

Sorry, I can't so I hope you can read the list ;-(

(...)

> Does anyone have something similar where both sftp and ftp access is
> enabled to a chroot, and writable, not just subdirectories?

(...)

How about using "rssh"?

Another option could be using "FTPS" by means of vftpd :-?

Greetings,

--
Camaleón

Archive: http://lists.debian.org/pan.2011.10.05.16.25.17@gmail.com
chrooted SFTP and FTP with writable root?
Hi Stephen,
Steven.Post@intris.be wrote:
> (Please CC me, I'm not subscribed)

;-)

> Does anyone have something similar where both sftp and ftp access is enabled to a chroot, and writable, not just subdirectories?

Why allow ftp when sftp is available?

I use scponlyc setup with the passwd file having a home path like as follows:

/home/chroot-username//own-writeable-directory

This places sftp [and WinSCP for that matter] into the directory that is owned by the user by default, they can traverse up, but their "real" home directory must not be writable for the reasons you know.

To make it stronger, you can require the login to use a key file rather than a normal password -- the key file should have a good pass phrase set up by the user (or you if you don't trust them to make it secure enough). Personally, I don't allow password logins in this situation as a rule and I also add the user to the ssh group and require them to belong in the group to get access at all.

Furthermore, I limit access with /etc/hosts.deny and /etc/hosts.allow to restrict which machines are allowed in (knowing the static IP [required] of the end user).

--
Kind Regards
AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP

Archive: http://lists.debian.org/4E8C954D.3080504@affinityvision.com.au
chrooted SFTP and FTP with writable root?
Andrew McGlashan <andrew.mcglashan@affinityvision.com.au> wrote:
> Why allow ftp when sftp is available?

There are, sadly, always reasons why ftp may be required alongside sftp.

Where I work, we mandate sftp for file transfer and do not provide ftp service. Ever. None at all. Period.

Except when a customer insists on using ftp and won't use sftp. At this point we give them a gazillion reasons why ftp is bad and sftp is good, and generally point them at (Windows-based) applications such as WinSCP or Filezilla. And then we open up the firewall to permit inbound ftp from their nominated IP address (range).

Needless to say, the server is pretty tightly locked down. Oh, and since it's a bastion host it's still got no access to our internal systems.

Chris

Archive: http://lists.debian.org/h3oul8xtpe.ln2@news.roaima.co.uk