[BlueOnyx:05783] Re: http://bugs.proftpd.org/show_bug.cgi?id=3521

Jeff Jones jeffrhysjones at mac.com
Thu Nov 11 16:06:44 -05 2010


Hi Chuck,

Ah yes, sorry, when I say SFTP is not supported with BX, I am talking about the SFTP module 'mod_sftp' for ProFTP. As I said in my last message, the SFTP/Shell/openSSL service you are using is *not* the same as the SFTP module for ProFTP. It's nothing to do with it whatsoever. 

Mod_FTP for ProFTP works just like your normal FTP, drops you into the user home, with a fully secured connection.

I covered the differences between the two types of secure connection for ProFTP in my last post, pointing out pros / cons of each method.

Sorry if I've not been 100% clear!

Cheers,

Jeff


On 11 Nov 2010, at 19:46, Chuck Tetlow <chuck at tetlow.net> wrote:

> 
> > Hi all, 
> > 
> > Just thought I would clarify some stuff about mod_sftp in order to set the record straight - hopefully it will dispel some myths / confusions about it on this list.... 
> > 
> > First of all - quick recap: 
> > 
> > SFTP = SSH File Transfer Protocol - not supported by BX - works *like* SSH. Single channel for commands and data. 
> > FTPS = FTP over SSL/TLS - supported by BX - works *like* FTP. Two channels, one command, one data. 
> 
> 
> Well, 
> 
> I hate to contradict - but SFTP is supported by BX right out of the box! 
> 
> And I've just tested it again, to be sure.  I turned off FTP for a particular domain, then turned off the FTP server altogether.  A "netstat -na" check of the server confirmed it did not have ports 20 or 21 open. 
> 
> Then I went to a Winblows box and fired up CoreFTP Lite.  Told it to connect to the server, and checkmarked the "SSH/SFTP" box.  Sure enough - it worked fine. 
> 
> So as long as you've told the BX configuration for that virtual site to "Allow Shell Access" - SFTP works fine.  
> 
> But unfortunately, there's still the controls issue.  Using FTP, I just confirmed that a connection drops me into the "/web" directory for that virtual site.  And the jail won't allow me to go up past the root directory of that virtual website.  
> 
> But when you use SFTP - the top line of the CoreFTP indicates I'm in the /home/.sites/28/site1/.users/145/USERNAME/ directory.  And it's right, that's where I am.  Also, it unfortunately allows me to go up-level all the way to the / root directory of the operating system, instead of only to the root of the virtual directory.  
> 
> This is the problem with using SFTP - a user can see not only his own virtual website, he can see the filesystem of the server, and he can see into other virtual websites.  And if that other website possibly doesn't have the correct permissions on their files - he can download, open, and possibly even modify another virtual website's files. 
> 
> That's the ABSOLUTE NO-NO that can't be allowed.  So Shell access is not turned on for our users, and we don't risk potential unauthorized access. 
> 
> 
> 
> Chuck 
> 
> 
> 
> P.S. - For those command-line users who are wondering what we're talking about - when you hear SFTP, think SCP.  It's the same thing, a file transfer over SSH. 
> 
> 
> 

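Added example, not part of the original messages or of BlueOnyx: the quoted message reports that SFTP over the SSH service is not jailed to the virtual site, and on stock OpenSSH that confinement is set with `ChrootDirectory` plus `ForceCommand internal-sftp`, which this Python check looks for in a config. The two sample configs, the group name `site1` and the sftp-server path are constructed; the chroot path reuses the site directory from the message, and Match handling is simplified to plain User/Group names.

```python
SAMPLE_WEAK = """\
# constructed sample: SFTP served by the normal shell service, no jail
Subsystem sftp /usr/libexec/openssh/sftp-server
"""

SAMPLE_JAILED = """\
# constructed sample: 'site1' is a hypothetical per-site group
Subsystem sftp internal-sftp
Match Group site1
    ChrootDirectory /home/.sites/28/site1
    ForceCommand internal-sftp
    AllowTcpForwarding no
"""

def effective_settings(config_text, user, groups):
    """Return the keyword -> value map that applies to this login.
    Assumption: only 'Match User' / 'Match Group' with comma-separated
    names are modelled (no wildcards, negation or Include files)."""
    global_opts, match_opts = {}, {}
    active, in_match = True, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            crit, _, names = value.partition(" ")
            wanted = {n.strip() for n in names.split(",")}
            if crit.lower() == "user":
                active = user in wanted
            elif crit.lower() == "group":
                active = bool(wanted & set(groups))
            else:
                active = False   # criteria outside this simplified model
            continue
        if active:
            # the first value obtained for a keyword wins within its scope
            (match_opts if in_match else global_opts).setdefault(key, value)
    return {**global_opts, **match_opts}   # Match settings override global

def sftp_is_jailed(config_text, user, groups):
    """True only if the login is chrooted AND forced into internal-sftp."""
    opts = effective_settings(config_text, user, groups)
    chroot = opts.get("chrootdirectory", "none")
    forced = opts.get("forcecommand", "")
    return chroot.lower() != "none" and forced.split()[:1] == ["internal-sftp"]
```

OpenSSH refuses a `ChrootDirectory` unless every component of the path is owned by root and not writable by group or others, so the directory ownership has to be checked as well as the config.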
