[NBLUG/talk] ftpd

error error at sonic.net
Sat Feb 15 18:33:00 PST 2003


Recently I had a discussion with someone about this.

What are the possibilities of locking down the ssh account so they can
only use sftp/scp?

I was informed that it's possible to have the user have a /bin/nologin
and still copy files but I want to know how it works.

Any ideas?

I believe it's possible but I do want to hear about people breaking out
of sftp/scp jails.

Any takers?

I think that it's possible.

Also I suggest that if you are going to use proftpd you use s/key with
pam.

Want some help setting that up? Email me off list.

That way it's not important if they snarf your password while you update
your website.


Here is a sample proftpd conf that I use to chroot users in their home
dir:


# cat /etc/proftpd.conf

DefaultRoot ~

<Limit LOGIN>
Order allow,deny
Allow from 127.0.0.1
Deny from all
</Limit>

That little conf for proftpd makes the user chrooted in their home dir.
It also allows you to login if you happen to be on the box or if you set
up an ssh tunnel.

I suggest doing that only if you need ftp support and you trust the user
to have a shell.

Or if you have a firewall only you control for your group they can do a
passive ftp session to it.

I suggest using it over all other ftpd packages OTHER than public file
but it's not what you want.

Also if possible, use webdav over ssl.

FTP is terrible.

And for the love of god.
Do not use wu-ftpd. (rumor has it there is an exploit in the wild again)
In fact never use Washington University software.
Even their mail readers have security holes.

Anyway with that said, if you want proftpd there is the conf.

Take care,
e.

On Sat, 2003-02-15 at 17:13, Mark Street wrote:
> How about sftp?
> 
> On Saturday 15 February 2003 15:17, Steve wrote:
> > I have a need to run an FTP server on my colo at sonic, and to be honest
> > I've always avoided this like the plague =).. So I was wondering what ftpd
> > you guys recommend.
-- 
error <error at sonic.net>


More information about the talk mailing list