Re: using OpenSSH/SFTP to replace an FTP server securely


 



On Tue, May 20, 2014 at 3:32 AM, Damien Miller <djm@xxxxxxxxxxx> wrote:
> On Mon, 19 May 2014, Ángel González wrote:
>
>> If you want something different, like chrooting them at /chrooted-users/foo,
>> you can use the -d parameter in the ForceCommand, i.e.
>>  ForceCommand internal-sftp -d /%u
>
> If you're willing to live with a single chroot directory and file
> permissions to keep users from each others' files then this is a great
> solution. It only requires a single /chrooted-users/dev/log listener
> too.
>
> -d

The necessity for additional arcanery, of having non-user owned
contents inside each working chrooted directory, and this kind of
"make one chroot, but rely on the users to correctly set permissions
and block access to each other's content, even though they can see
each other's directories by default" is exactly why the sftp chroot
setup is not ideal.

If you *must* do this sort of thing, I'd urge running it on a separate
sshd, with a separate sshd_config, running on another port, just to
keep it away from your SSH logins for other users and other uses. If
you're not compelled for other reasons to use this, vsftpd with FTPS
is a *lot* easier to set up.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
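
A permission audit for the single-chroot layout discussed in this thread, as an added example that is not part of the original messages or of OpenSSH. It checks what sshd enforces on ChrootDirectory (every path component root-owned and not writable by group or others) and, as an assumed site policy, that each per-user directory is owner-only; the user names, uids and sample layout are constructed.

```python
import os
import stat
from pathlib import PurePosixPath
from types import SimpleNamespace

def audit_chroot(chroot, users, lstat=os.lstat):
    """Return findings for a shared SFTP chroot.

    users maps login name -> uid; lstat is injectable so the logic can be
    exercised without root or a real /chrooted-users tree.
    """
    findings = []
    p = PurePosixPath(chroot)
    # sshd checks every component of the ChrootDirectory path, from / down.
    for comp in [str(x) for x in reversed(p.parents)] + [str(p)]:
        st = lstat(comp)
        if not stat.S_ISDIR(st.st_mode):
            findings.append(f"{comp}: not a directory")
        if st.st_uid != 0:
            findings.append(f"{comp}: owned by uid {st.st_uid}, must be root")
        if st.st_mode & 0o022:
            findings.append(f"{comp}: writable by group or others")
    # Per-user start directories used by 'internal-sftp -d /%u'.
    for name, uid in users.items():
        home = str(p / name)
        try:
            st = lstat(home)
        except FileNotFoundError:
            findings.append(f"{home}: does not exist")
            continue
        if st.st_uid != uid:
            findings.append(f"{home}: owned by uid {st.st_uid}, expected {uid}")
        if st.st_mode & 0o077:  # assumed policy: no group/other access at all
            mode = stat.S_IMODE(st.st_mode)
            findings.append(f"{home}: mode {mode:04o} is open to other users")
    return findings

# Constructed sample layout: path -> (uid, mode). bob's directory is 0755.
SAMPLE = {"/": (0, 0o40755), "/chrooted-users": (0, 0o40755),
          "/chrooted-users/alice": (1001, 0o40700),
          "/chrooted-users/bob": (1002, 0o40755)}

def sample_lstat(path):
    if path not in SAMPLE:
        raise FileNotFoundError(path)
    uid, mode = SAMPLE[path]
    return SimpleNamespace(st_uid=uid, st_mode=mode)

if __name__ == "__main__":
    users = {"alice": 1001, "bob": 1002}
    print("\n".join(audit_chroot("/chrooted-users", users, sample_lstat)))
```

On a real host, run it as root with the default `lstat` and a name-to-uid map built from the accounts allowed to use the SFTP instance.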



