Date:      Fri, 10 Jul 2009 10:30:08 -0400
From:      Steve Bertrand <steve@ibctech.ca>
To:        RS Wood <rswood@therandymon.com>
Cc:        freebsdquestions <freebsd-questions@freebsd.org>
Subject:   Re: FTP Server for individual client spaces
Message-ID:  <4A575070.2050904@ibctech.ca>
In-Reply-To: <1247235024.5167.1324439995@webmail.messagingengine.com>
References:  <1247235024.5167.1324439995@webmail.messagingengine.com>

RS Wood wrote:
> I run a small engineering company* that exchanges large files (CAD,
> etc.) with clients, and I want to keep the docs off my email server by
> setting up a stand alone FTP server where each client can upload and
> download its relevant files.  As such, my own users/employees should be
> able to reach every client’s FTP space but each client should only be
> able to reach his own.  As my users finish a doc, they place it in that
> client’s FTP directory and the client can log in and get it.  As such,
> I don’t want any form of unauthenticated FTP.
>
> I’ve tried different combinations of group names and directory
> permissions without success, but chrooting users doesn’t seem to solve
> my problem either, and my two favorite BSD books – Tiemann et al.
> (Unleashed) and Lucas (Absolute) take the same approach the man pages
> do, in my opinion, which guides you either into an all anonymous system,
> or a system suitable for organizations such as software distributors in
> which clients/users authenticate but then all access the same directory
> (/pub for example).  I could use some help conceptualizing this.
>
> Is the solution ftpchroot?

It works for us, for the users who still need FTP access:

# cp /sbin/nologin /sbin/ftp-only
# echo "/sbin/ftp-only" >> /etc/shells

# adduser

homedir == /ftp/username
shell   == /sbin/ftp-only

I then:

# cd /ftp/username
# rm -r .*

# echo "username" >> /etc/ftpchroot

Now, you can create staff accounts in the same way, but set their home
directory as /ftp. They'll be able to traverse the entire FTP tree from
there. Just ensure that the /ftp directory structure is owned by a group
that your staff accounts are in, and that all of the sub directories are
modded with appropriate permissions.

> If so, it’s not clear how I can chroot
> each potential client into his own directory, as my understanding is
> that all chrooted users wind up at the same place (like /var/ftp/pub).
> Or is the solution that each client gets access to his own home
> directory;

Yes, each to their own home dir.

> if so, how do I ensure my staff has access to each client’s
> home directory?

I'm assuming that your staff will be using FTP as well. Simply assign
their home directory to the root FTP directory.

> Lastly, I’ve also been reading up on PureFTP, which
> seems to have some advanced configuration potential (including LDAP
> authentication, something else that interests me) but it’s not clear
> that using an alternative product is indicated here.
> This seems like something other organizations must have dealt with, so I
> must be missing something fundamental.  Can someone point me in the
> right direction?
>
> Finally, I’m aware FTP has inherent security liabilities as passwords
> cross the net in clear text, but I’m not convinced casual users on
> Windows boxes will be able to manage fun stuff like SSH connections or
> alternative software, like SCP.

Provide them a link to a client software that uses SFTP. I use WinSCP
(portable), which defaults to SFTP, and provides the server, username
and password fields as soon as it is launched.

Hope I didn't miss anything ;)

Steve
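
Added example (not part of the original message): a read-only audit of the layout described above. It flags client accounts under /ftp that are missing from /etc/ftpchroot or that have a shell other than /sbin/ftp-only. The function name, finding labels and sample accounts are assumptions made for illustration, and the sample files are constructed.

```shell
#!/bin/sh
# audit_ftp PASSWD SHELLS FTPCHROOT [FTPROOT] [FTPSHELL]
# Prints one finding per line; prints nothing when the layout is consistent.
# Hypothetical helper: the name and the finding labels are not from the thread.
audit_ftp() {
    passwd=$1 shells=$2 jail=$3 root=${4:-/ftp} ftpsh=${5:-/sbin/ftp-only}

    # ftpd only accepts users whose shell is listed in /etc/shells,
    # which is why the message appends /sbin/ftp-only to that file.
    grep -qxF "$ftpsh" "$shells" || echo "SHELL_NOT_LISTED $ftpsh"

    awk -F: -v root="$root" -v ftpsh="$ftpsh" -v jail="$jail" '
        BEGIN {
            # The first field of each non-comment ftpchroot line is a user
            # name; "@group" entries are not expanded by this sketch.
            while ((getline line < jail) > 0) {
                n = split(line, f, " ")
                if (n == 0 || f[1] ~ /^#/) continue
                jailed[f[1]] = 1
            }
        }
        /^#/ || NF < 7 { next }
        {
            user = $1; home = $6; shell = $7
            # Clients live below the FTP root; staff have the root itself
            # as home directory and are not treated as clients here.
            if (index(home, root "/") != 1) next
            if (!(user in jailed)) print "NOT_CHROOTED " user
            if (shell != ftpsh)    print "LOGIN_SHELL " user " " shell
        }
    ' "$passwd"
}

# Constructed sample data in passwd(5) format: four made-up accounts.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
acme:*:2001:2000:Acme client:/ftp/acme:/sbin/ftp-only
globex:*:2002:2000:Globex client:/ftp/globex:/sbin/ftp-only
initech:*:2003:2000:Initech client:/ftp/initech:/bin/sh
alice:*:3001:3000:Staff:/ftp:/sbin/ftp-only
EOF
    printf '%s\n' /bin/sh /sbin/ftp-only > "$d/shells"
    printf '%s\n' '# clients jailed to their home directory' acme initech > "$d/ftpchroot"
    audit_ftp "$d/passwd" "$d/shells" "$d/ftpchroot"
    rm -rf "$d"
}
demo
```

On a live system the call would be audit_ftp /etc/passwd /etc/shells /etc/ftpchroot.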

