[BlueOnyx:02036] Re: How to enable sftp without giving users full access to the system.
Michael Stauber
mstauber at blueonyx.it
Wed Aug 12 07:19:42 -05 2009
Hi Sheldon,

> I've got a server which is only being used for ftp and I've just been asked
> to add a new sftp site for a department. I've enabled Shell access but
> while testing I can browse the entire system all the way to / and into any
> user's data. How do I enable sftp access without giving the users full
> access to the system?

Yeah, shell access shouldn't be granted to regular users (or siteAdmins).
That's way too problematic and has too many security implications.

FTP does a chroot. So if a user logs in, he can only see his own files and
folders. If a siteAdmin FTPs in, he can pretty much see most of the files
and folders that belong to his site. That should be good enough for most.

Of course regular FTP is not encrypted. Hence it may not be the most
desirable solution.

BlueOnyx uses ProFTPd and that indeed does support SFTP. We have it enabled
out of the box.

Make sure your server is fully updated (one of the recent updates included a
newer ProFTPd) and you don't need to do anything special to get SFTP to work.
Just connect to the box with an SFTP-capable FTP client. If I have to use
Windows for FTP (happens rarely enough) I use FlashFXP, which (among other
things) supports SFTP.

Some clients (like FlashFXP) need to know which "SSL method" or which "SSL
authentication method" they should use when they connect to the server. Set
this to "Auth SSL" or "Auth TLS", which our ProFTPd supports out of the box.
Other than that you don't need to do anything special.

--
With best regards
Michael Stauber
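
An added example, not part of the message above and not BlueOnyx's own code: a small audit of a proftpd.conf for the two properties the reply relies on, the chroot (ProFTPD's `DefaultRoot` directive) and TLS on the FTP session (mod_tls's `TLSEngine` and `TLSRequired`, which serve the "Auth TLS" negotiation). The sample configuration is constructed for illustration, and the function names and finding codes are hypothetical.

```python
# Constructed sample for illustration; not BlueOnyx's shipped proftpd.conf.
SAMPLE_CONF = """\
ServerName "ftp.example.test"
DefaultRoot ~
<IfModule mod_tls.c>
  TLSEngine on
  TLSRequired off   # plain FTP logins are still accepted
</IfModule>
"""


def parse_directives(text):
    """Map lower-cased directive name -> last argument string seen.

    Simplification: comments are cut at '#', and <Section> tags are skipped,
    so per-VirtualHost overrides are flattened into one view.
    """
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        seen[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return seen


def audit(text):
    """Return a list of (code, message) findings for chroot and TLS settings."""
    conf = parse_directives(text)
    findings = []
    if "defaultroot" not in conf:
        findings.append(("no-chroot", "DefaultRoot is unset: logins are not confined to a directory"))
    if conf.get("tlsengine", "off").lower() != "on":
        findings.append(("tls-off", "TLSEngine is not on: AUTH TLS is not offered"))
    required = conf.get("tlsrequired", "off").lower()
    if required != "on":
        findings.append(("tls-optional", f"TLSRequired is '{required}': some traffic may still be sent in cleartext"))
    return findings


if __name__ == "__main__":
    for code, message in audit(SAMPLE_CONF):
        print(f"{code}: {message}")
```

On the constructed sample the only finding is `tls-optional`: the chroot and TLS engine are present, but clients that skip TLS are still accepted.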