Linux Archive (http://www.linux-archive.org/) > Debian User (http://www.linux-archive.org/debian-user/) > chrooted SFTP and FTP with writable root? (http://www.linux-archive.org/debian-user/583792-chrooted-sftp-ftp-writable-root.html)

10-05-2011 09:41 AM

chrooted SFTP and FTP with writable root?
 
Hi list,

(Please CC me, I'm not subscribed)

I'm using Debian Squeeze and would like to be able to chroot a certain
user into its home directory (e.g. /home/test) with both SFTP and FTP;
the user does not need shell access, but others do.
The software involved is vsftp and openssh. I have a working setup which
chroots the user into its home directory correctly, but this setup
requires that directory to be owned by root (and group root) and with
write permissions only for the owner (an openssh requirement).
This effectively prevents a client from writing directly into the
directory, so only subdirectories are writable. Changing the permissions
or (group) ownership of the home directory fixes it for ftp but causes
sftp (ssh) access to be denied.

Does anyone have something similar where both sftp and ftp access are
enabled to a chroot, and writable, not just subdirectories?

I used this [1] guide in setting up the sftp chroot. I only changed the
"Match group" to "Match User".

Kind regards,
Steven

[1] http://www.debian-administration.org/articles/590


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/AD284060-8887-4611-9091-D1158BC459AA@intrismail01.intris.be

Camaleón 10-05-2011 04:25 PM

chrooted SFTP and FTP with writable root?
 
On Wed, 05 Oct 2011 11:41:18 +0200, Steven.Post wrote:

> Hi list,
>
> (Please CC me, I'm not subscribed)

Sorry, I can't, so I hope you can read the list ;-(

(...)

> Does anyone have something similar where both sftp and ftp access is
> enabled to a chroot, and writable, not just subdirectories?

(...)

How about using "rssh"?

Another option could be using "FTPS" by means of vftpd :-?

Greetings,

--
Camaleón


Archive: http://lists.debian.org/pan.2011.10.05.16.25.17@gmail.com

Andrew McGlashan 10-05-2011 05:35 PM

chrooted SFTP and FTP with writable root?
 
Hi Stephen,

Steven.Post@intris.be wrote:

> (Please CC me, I'm not subscribed)

;-)

> Does anyone have something similar where both sftp and ftp access is
> enabled to a chroot, and writable, not just subdirectories?

Why allow ftp when sftp is available?

I use scponlyc set up with the passwd file having a home path as
follows:

/home/chroot-username//own-writeable-directory

This places sftp [and WinSCP for that matter] into the directory that is
owned by the user by default; they can traverse up, but their "real"
home directory must not be writable for the reasons you know.


To make it stronger, you can require the login to use a key file rather
than a normal password -- the key file should have a good pass phrase
set up by the user (or you if you don't trust them to make it secure
enough).


Personally, I don't allow password logins in this situation as a rule
and I also add the user to the ssh group and require them to belong in
the group to get access at all. Furthermore, I limit access with
/etc/hosts.deny and /etc/hosts.allow to restrict which machines are
allowed in (knowing the static IP [required] of the end user).


--
Kind Regards
AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP


Archive: http://lists.debian.org/4E8C954D.3080504@affinityvision.com.au
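Added example (not code from any of the posts): a POSIX shell audit of the chroot layout Steven describes and of the scponlyc-style "CHROOT//SUBDIR" home field Andrew uses. It encodes the sshd ChrootDirectory rule (every path component root-owned and not group/world writable, which is why /home/test itself cannot be user-writable) and checks that the user's upload subdirectory is writable by that user. The function names are mine, and `stat -c` assumes GNU coreutils and paths without spaces.

```shell
#!/bin/sh
# Added example: audit a chrooted SFTP home against sshd's ChrootDirectory
# ownership rule and confirm the user still has a writable upload directory.

# Is a component with owner uid $1 and `stat -c %A` mode $2 acceptable as
# part of the chroot path? Must be root-owned with no group/other write bit
# (position 6 and position 9 of the symbolic mode string).
chroot_component_ok() {
    [ "$1" = 0 ] || return 1
    case $2 in ?????w*|????????w*) return 1 ;; esac
    return 0
}

# Is a directory with owner uid $1 and mode $2 writable by user uid $3?
# Owner must match and the owner write bit (position 3) must be set.
upload_dir_ok() {
    [ "$1" = "$3" ] || return 1
    case $2 in ??w*) return 0 ;; *) return 1 ;; esac
}

# Split an scponlyc-style "CHROOT//SUBDIR" home field into "<chroot> <start>".
# A plain path yields the same directory twice, i.e. the chroot root itself
# would have to be the upload directory, which sshd will never allow.
split_chroot_home() {
    case $1 in
        *//*) printf '%s %s\n' "${1%%//*}" "${1%%//*}/${1#*//}" ;;
        *)    printf '%s %s\n' "$1" "$1" ;;
    esac
}

# check_chroot_home HOMEFIELD UID: walk the real filesystem from the chroot
# up to /, then test the start directory. Prints findings; returns 0 when
# sshd would accept the chroot and the user can write into the start dir.
check_chroot_home() {
    set -- $(split_chroot_home "$1") "$2"
    chroot=$1 start=$2 user_uid=$3 rc=0
    p=$chroot
    while :; do
        chroot_component_ok "$(stat -c %u "$p")" "$(stat -c %A "$p")" ||
            { echo "BAD: $p must be root-owned, not group/world writable"; rc=1; }
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    upload_dir_ok "$(stat -c %u "$start")" "$(stat -c %A "$start")" "$user_uid" ||
        { echo "BAD: $start is not writable by uid $user_uid"; rc=1; }
    return $rc
}
```

Run it as `check_chroot_home /home/test//upload 1000` (a constructed home field and uid) on the server; a clean run exits 0, and each printed BAD line names the component that makes sshd refuse the chroot or leaves the user without a writable directory.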


Chris Davies 10-05-2011 07:34 PM

chrooted SFTP and FTP with writable root?
 
Andrew McGlashan <andrew.mcglashan@affinityvision.com.au> wrote:
> Why allow ftp when sftp is available?

There are, sadly, always reasons why ftp may be required alongside
sftp. Where I work, we mandate sftp for file transfer and do not provide
ftp service.

Ever.

None at all.

Period.

Except when a customer insists on using ftp and won't use sftp.

At this point we give them a gazillion reasons why ftp is bad and sftp is
good, and generally point them at (Windows-based) applications such as
WinSCP or Filezilla. And then we open up the firewall to permit inbound
ftp from their nominated IP address (range).

Needless to say, the server is pretty tightly locked down. Oh, and since
it's a bastion host it's still got no access to our internal systems.

Chris


Archive: http://lists.debian.org/h3oul8xtpe.ln2@news.roaima.co.uk

