
Re: Best SFTP (w/chroot): vsftpd vs mysecureshell vs other ??



On Mon, Jan 06, 2014 at 03:47:59PM -0600, Bob Goldberg wrote:
> On Sat, Jan 4, 2014 at 7:26 AM, Sven Hoexter <sven@timegate.de> wrote:
> 
> > I'm not sure how the OpenSSH implementation handles ACLs, maybe that's
> > an option but I did not test it.
> 
> 
> my first problem is successfully logging in with sftp-only and chroot'ing
> in place. AFAIK - ACLs would only come into play afterward.

Yes, but that should work. I read your mail as saying that it does not work if
you set the $HOME to group writable or something like that.
I did not verify that case at all.

So I would start with setting it up for user access only and try to add ACLs
to make it group writable or whatever is required later on.

> proftpd:
> 1) wheezy does not have an sftp module

No,
$ cat /etc/debian_version 
7.3
$ dpkg -L proftpd-basic|grep sftp
/usr/lib/proftpd/mod_sftp.so
/usr/lib/proftpd/mod_sftp_sql.so
/usr/lib/proftpd/mod_sftp_pam.so


> 2) proftpd appears to rely on openssh for sftp, so appears to add no value.

No, it's a standalone implementation.


> 3) IF proftpd did provide working sftp - appears that it cannot share port
> 22 w/ openssh (which I do still need for full-access users unrelated to
> SFTP).

True, you can of course do nasty quirks with iptables to NAT to different ports
depending on the source IP. But that is really nasty.


> scponly:  does not appear to be provided in wheezy !?!? can't find out
> why....

[Date: Mon, 23 Jan 2012 22:09:19 +0000] [ftpmaster: Luca Falavigna]
Removed the following packages from unstable:

   scponly |    4.8-4.1 | source, amd64, armel, armhf, hurd-i386, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, sparc
scponly-full |    4.8-4.1 | amd64, armel, armhf, hurd-i386, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, sparc
Closed bugs: 650590

------------------- Reason -------------------
RoQA; RC buggy, unmaintained, replacement exists
----------------------------------------------

from https://ftp-master.debian.org/removals-2012.txt

Though nothing prohibits you from building a package based on the last version
found on snapshot.debian.org, or just using the source, Luke. ;)


> rssh/rush:
> 1) not sure what is: diff rssh rush  (searches come up worthless to answer
> this)

Different implementation/software for a similar/same task.


> 3) "mixed security record" is a big concern.

Well, I can mostly speak for the scponly case: parsing command-line arguments
in a safe way for different tools like svn, rsync, etc. is hard. If you disable
most of that and only stick to the sftp support, it's quite solid.

Still, if I have a chance I would try to rely on the internal-sftp and chroot()
functionality of OpenSSH.

Sven
-- 
we live we love we learn and breathe
each breath we take makes me believe that we can take this road forever
if we take this road together
                                 [ AZ0 - Endless Roads ]
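
As an added example (not code from the thread or from OpenSSH), this script lays out the user-only chroot Sven recommends and adds group write access through ACLs afterwards, and it checks the ownership/mode rule that sshd enforces on a ChrootDirectory path, which is exactly what a group-writable $HOME trips over. The base directory /srv/sftp, the group sftponly and the assumption of Debian per-user groups are placeholders/assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Lays out an OpenSSH ChrootDirectory for
# an sftp-only account and checks the rule sshd enforces on the chroot path.
# /srv/sftp and the group name are placeholders; assumes GNU coreutils/acl.

# sshd rejects ChrootDirectory unless every path component is a root-owned
# directory that is neither group- nor world-writable; a group-writable $HOME
# fails right here. OWNER_UID defaults to 0 (root).
chroot_component_ok() {
    dir=$1; want_uid=${2:-0}
    [ -d "$dir" ] || return 1
    uid=$(stat -c %u "$dir") || return 1
    mode=$(stat -c %a "$dir") || return 1        # e.g. 755 or 2750
    [ "$uid" = "$want_uid" ] || return 1
    perm=$(printf '%s' "$mode" | tail -c 3)      # drop setuid/setgid/sticky
    g=$(printf '%s' "$perm" | cut -c2)
    o=$(printf '%s' "$perm" | cut -c3)
    [ $((g & 2)) -eq 0 ] || return 1             # group write bit set
    [ $((o & 2)) -eq 0 ] || return 1             # other write bit set
    return 0
}

# The chroot root stays root-owned and non-writable; the user writes into a
# subdirectory, and a second group gets access via ACLs instead of loosening
# the chroot mode. Must run as root. Assumes a Debian-style per-user group.
setup_sftp_chroot() {
    base=$1; user=$2; group=$3
    install -d -o root -g root -m 755 "$base/$user"
    install -d -o "$user" -g "$user" -m 750 "$base/$user/upload"
    setfacl -m "g:$group:rwx" "$base/$user/upload"       # access ACL
    setfacl -d -m "g:$group:rwx" "$base/$user/upload"    # default ACL for new entries
    # every component above the chroot must pass too (/srv, /srv/sftp, ...)
    chroot_component_ok "$base" && chroot_component_ok "$base/$user"
}

# Matching sshd_config fragment (append, then reload sshd):
#   Match Group sftponly
#       ChrootDirectory /srv/sftp/%u
#       ForceCommand internal-sftp
#       AllowTcpForwarding no
#       X11Forwarding no
```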

