using OpenSSH/SFTP to replace an FTP server securely

Hello Folks,

I'm trying to replace an FTP with several hundred users with something secure.

My requirements:
    - transfers must be logged
    - users should not have any access to other users' directories
    - users should land in a writable directory
    - users should be chrooted

I've been trying to get this working with OpenSSH and the internal SFTP server,
but it does not seem possible...

If I chroot each user using "ChrootDirectory /home/%u", there are two problems:

    1) the user lands in a directory to which he cannot write
    2) I would need hundreds of syslog logging sockets, one in each user's
chrooted environment

If I chroot all users to the same top directory, for example "/home",
which would solve the problem of avoiding hundreds of syslog logging sockets, I
have found no method of having OpenSSH chdir into a user-specific subdirectory
(I would be willing to rely on the standard UNIX security model to restrict
users' access to their own directories).

Have I missed something, or is what I'm trying to achieve simply not possible
using OpenSSH?

I do not really want to get into bind-mounting all sorts of crap from outside
the chroot environment to get stuff to work, particularly not for hundreds of
users. If "sftp-server" solves the problem in conjunction with a single chroot
top directory, I would be willing to bind-mount (or copy) what it needs, but I
have not found any way of getting sftp-server to satisfy the above requirements.

The platform is CentOS 6.5 (x86_64).

"ssh -V" reports:

    OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

cheers,

Rob
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev