Matt Mossholder on 23 Feb 2010 12:45:46 -0800



Re: [PLUG] SFTP question - disable download or delete


On Tue, Feb 23, 2010 at 3:33 PM, Mike Leone <turgon@mike-leone.com> wrote:
I have a server set up (with Ubuntu 8.04) that is running FTP over SSL,
using VSFTP. Works wonderfully, and I can specify that FTP clients
connect to a chroot jail, and can only upload files, not download or
delete files.

However, now I am getting a request to use sftp, instead of FTP over
SSL. And while I can (and have) set up SSH, I am unsure how to configure
the other aspects of the security that I have with VSFTP. How can I set
up a chroot for a client who sftps in (so they can go wandering into
some other client's directory), and who can only upload, not download
(or delete) a file in their directory?

Pointers, anyone?
(personally, I want to dictate FTP over SSL, rather than have to support
multiple upload methods)
 

We've had discussions about this where I work, and decided to go with SFTP rather than FTPS, for a number of reasons.

1) FTPS requires multiple ports (one control, several data), whereas SFTP just requires one.
2) Intelligent firewalls (Checkpoint, IPTables, etc.) can't extract state information from FTPS to know what ports must be open, resulting in having to open a range of ports, even if the individual ports are only opened infrequently.
3) Keys - a lot easier to use public/private key authentication with SSH, as it comes with the tools, and they are simple.

Having said that, there are a few things you can do to lock things down.

1) Use the rssh shell, which only allows the user to perform transfers (http://www.pizzashack.org/rssh)

You'll need to take rssh into account in the second tutorial!

--
    --Matt
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug