[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Proftpd+SSL/TLS!!!


On Thu, Aug 01, 2002 at 02:32:01PM +0200, Jones Down wrote:
> My  alternative  is to use ssh, there is a really beatiful win-prog to
> use scp, looks like mc, can be found here:
> http://winscp.vse.cz/eng/
> but  then  again  you  should setup a chroot environment, because it´s
> still   not   possible   to restrict access to a directory with ssh as
> tight  as  with some ftp-servers, because ssh needs some libraries and
> stuff,  so  there  will be always more then just one upload-dir to see
> for  the users. Also don´t forget, that with ssh you users have a full
> shell account, so building that jail should be done with real care. In
> most  cases it´s more than you want to give them - what again makes me
> cry about missing ssl in proftpd :(

Ssh version 2 allows you to restrict access to an account, to only use
on specific command, via the private/public key.

There is on example I know of: "anonymous access to CVS via ssh", which
could be used as a reference, search for it at the CVS sites.

This enforces you to use public/private keys, which is good practice
anyway.  You can issue/setup personal keys for individual users, and
you can generate a key for "anonymous" access, which is a small file
(the key) which you put publicly on a web page and anyone who wants to
access your repository downloads the file and tells it's secure-shell
client to use it as ID when to connect to the server.

I have read once, that the ftp-subsystem of SSH (sftp) opens security
wholes, but do not know why, I leave it disabled in my setups.

On the other hand, there is stunnel, which allows you to create an ssl
tunnel for any server/client pair.  If this is not possible for
proftpd for any tecnical reason don't tell me, I don't install ftp

Best Regards,


Reply to: