Hi Michael,<br> I've done the YUM update and ProFTPd is now (Aug 13 12:42:03 Updated: proftpd-1.3.2a-1BX3.i386); however, when I try to connect using FlashFXP or psftp I get:<br><br>WinSock 2.0 -- OpenSSL 0.9.8i 15 Sep 2008<br>
[R] Connecting to x.x.32.20 -> IP=x.x.32.20 PORT=21<br>[R] Connected to x.x.32.20<br>[R] 220 FTP Server ready.<br>[R] AUTH SSL<br>[R] 234 AUTH SSL successful<br>[R] Connected. Negotiating SSL session..<br>[R] Connection failed (Connection lost)<br>
[R] Delaying for 120 seconds before reconnect attempt #1<br>[R] Retry attempt Aborted<br>[R] Connecting to x.x.32.20 -> IP=x.x.32.20 PORT=21<br>[R] Connected to x.x.32.20<br>[R] 220 FTP Server ready.<br>[R] AUTH SSL<br>
[R] 234 AUTH SSL successful<br>[R] Connected. Negotiating SSL session..<br>[R] Connection failed (Connection lost)<br>[R] Delaying for 120 seconds before reconnect attempt #1<br>[R] Retry attempt Aborted<br>[R] Connecting to x.x.32.20 -> IP=x.x.32.20 PORT=21<br>
[R] Connected to x.x.32.20<br>[R] 220 FTP Server ready.<br>[R] AUTH TLS<br>[R] 234 AUTH TLS successful<br>[R] Connected. Negotiating TLSv1 session..<br>[R] Connection failed (Connection lost)<br>[R] Delaying for 120 seconds before reconnect attempt #1<br>
[R] Retry attempt Aborted<br>[R] Connecting to x.x.32.20 -> IP=x.x.32.20 PORT=21<br>[R] Connected to x.x.32.20<br>[R] 220 FTP Server ready.<br>[R] AUTH TLS<br>[R] 234 AUTH TLS successful<br>[R] Connected. Negotiating TLSv1 session..<br>
[R] Connection failed (Connection lost)<br>[R] Delaying for 120 seconds before reconnect attempt #1<br><br>OR psftp.exe<br>C:\Program Files\PuTTY>psftp.exe -v<br>psftp: no hostname specified; use "open host.name" to connect<br>
psftp> open joe.com<br>Looking up host "aem.qif.sita.aero"<br>Connecting to x.x.32.20 port 22<br>Server version: SSH-2.0-OpenSSH_4.3<br>We claim version: SSH-2.0-PuTTY_Release_0.60<br>
Using SSH protocol version 2<br>Doing Diffie-Hellman group exchange<br>Doing Diffie-Hellman key exchange with hash SHA-1<br>Host key fingerprint is:<br>ssh-rsa 2048 84:69:94:5e:48:dd:52:15:72:e7:25:d9:f7:9c:0d:53<br>Initialised AES-256 SDCTR client->server encryption<br>
Initialised HMAC-SHA1 client->server MAC algorithm<br>Initialised AES-256 SDCTR server->client encryption<br>Initialised HMAC-SHA1 server->client MAC algorithm<br>Pageant is running. Requesting keys.<br>Pageant has 0 SSH-2 keys<br>
login as: joe<br>joe@joe.com's password:<br>Sent password<br>Access granted<br>Opened channel for session<br>Started a shell/command<br>Server sent command exit status 0<br>Connected to aem.qif.sita.aero<br>
Disconnected: All channels closed<br>Fatal: unable to initialise SFTP: could not connect<br>psftp><br><br>/var/log/secure says<br>Aug 14 09:57:56 lont02a011vl sshd[23524]: pam_unix(sshd:session): session opened for user joe by (uid=0)<br>
Aug 14 09:57:56 lont02a011vl sshd[23530]: subsystem request for sftp<br>Aug 14 09:57:56 lont02a011vl sshd[23524]: pam_unix(sshd:session): session closed for user joe<br><br><br>However, I can still connect as the users I've given shell access... :-(<br>
<br><div class="gmail_quote">2009/8/12 Michael Stauber <span dir="ltr"><<a href="mailto:mstauber@blueonyx.it">mstauber@blueonyx.it</a>></span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi Sheldon,<br>
<div class="im"><br>
> I've got a server which is only being used for ftp and I've just been asked<br>
> to add a new sftp site for a department. I've enabled Shell access but<br>
> while testing I can browse the entire system all the way to / and into any<br>
> users data. How do I enable sftp access without giving the users full<br>
> access to the system?<br>
<br>
</div>Yeah, shell access shouldn't be granted to regular users (or siteAdmins).<br>
That's way too problematic and has too many security implications.<br>
<br>
FTP does a chroot. So if a user logs in, he can only see his own files and<br>
folders. If a siteAdmin FTP's in, he can pretty much see most of the files<br>
and folders that belong to his site. That should be good enough for most.<br>
<br>
Of course regular FTP is not encrypted. Hence it may not be the most<br>
desirable solution.<br>
<br>
BlueOnyx uses ProFTPd and that indeed does support SFTP. We have it enabled<br>
out of the box.<br>
<br>
Make sure your server is fully updated (one of the recent updates included a<br>
newer ProFTPd) and you don't need to do anything special to get SFTP to work.<br>
<br>
Just connect to the box with an SFTP capable FTP client. If I have to use<br>
Windows for FTP (happens rarely enough) I use FlashFXP, which (among other<br>
things) supports SFTP.<br>
<br>
Some clients (like FlashFXP) need to know which "SSL method" or which "SSL<br>
authentication method" they should use when they connect to the server. Set<br>
this to "Auth SSL" or "Auth TLS", which our ProFTPd supports out of the box.<br>
<br>
Other than that you don't need to do anything special.<br>
<br>
--<br>
With best regards<br>
<br>
Michael Stauber<br>
<br>
_______________________________________________<br>
Blueonyx mailing list<br>
<a href="mailto:Blueonyx@blueonyx.it">Blueonyx@blueonyx.it</a><br>
<a href="http://www.blueonyx.it/mailman/listinfo/blueonyx" target="_blank">http://www.blueonyx.it/mailman/listinfo/blueonyx</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>S Pollard<br>
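<br>The /var/log/secure lines above show sshd granting the session, receiving the "subsystem request for sftp" and closing it in the same second, which is what an SFTP-only login looks like when the account has no shell to hand the subsystem to. The usual way to give a user SFTP without a shell or a view of the whole filesystem is an OpenSSH Match block that chroots the user and forces the built-in SFTP server. The fragment below is an added example written for this thread, not configuration from BlueOnyx, ProFTPd or either poster; the group name sftponly and the /home/sftp path are assumptions. It needs a newer OpenSSH than the OpenSSH_4.3 in the psftp log (ChrootDirectory appeared in 4.8 and internal-sftp in 4.9).<br>

```conf
# Added example sshd_config fragment (not from the thread or the project).
# Goal: members of group "sftponly" (assumed name) get chrooted SFTP and
# nothing else: no shell, no port forwarding, no X11, no tunnels.

# Use the in-process SFTP server so no binaries or libraries are needed
# inside the chroot.
Subsystem sftp internal-sftp

Match Group sftponly
    # %u expands to the login name. The chroot target must be owned by
    # root and not group- or world-writable, otherwise sshd refuses the
    # login ("bad ownership or modes for chroot directory"). Give the user
    # a writable subdirectory inside it, e.g. /home/sftp/%u/upload.
    ChrootDirectory /home/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
```

Check the file with `sshd -t` before reloading sshd, and test with an SFTP client while keeping an existing session open in case the chroot directory permissions are wrong. After the change, the same /var/log/secure sequence should show the sftp subsystem request followed by a session that stays open until the client disconnects, and an interactive `ssh user@host` for that group is refused because ForceCommand replaces the shell.<br>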