[BlueOnyx:02108] Re: How to enable sftp without giving users full access to the system.

Sheldon Pollard sheldon.pollard at gmail.com
Fri Aug 14 05:03:35 -05 2009


Hi Michael,
I've done the YUM update and ProFTPd is now (Aug 13
12:42:03 Updated: proftpd-1.3.2a-1BX3.i386); however, when I try to connect
using FlashFXP or psftp I get:

WinSock 2.0 -- OpenSSL 0.9.8i 15 Sep 2008
[R] Connecting to x.x.32.20 -> IP=x.x.32.20 PORT=21
[R] Connected to x.x.32.20
[R] 220 FTP Server ready.
[R] AUTH SSL
[R] 234 AUTH SSL successful
[R] Connected. Negotiating SSL session..
[R] Connection failed (Connection lost)
[R] Delaying for 120 seconds before reconnect attempt #1
[R] Retry attempt Aborted
[R] Connecting to x.x.32.20 -> IP=x.x.32.20 PORT=21
[R] Connected to x.x.32.20
[R] 220 FTP Server ready.
[R] AUTH SSL
[R] 234 AUTH SSL successful
[R] Connected. Negotiating SSL session..
[R] Connection failed (Connection lost)
[R] Delaying for 120 seconds before reconnect attempt #1
[R] Retry attempt Aborted
[R] Connecting to x.x.32.20 -> IP=x.x.32.20 PORT=21
[R] Connected to x.x.32.20
[R] 220 FTP Server ready.
[R] AUTH TLS
[R] 234 AUTH TLS successful
[R] Connected. Negotiating TLSv1 session..
[R] Connection failed (Connection lost)
[R] Delaying for 120 seconds before reconnect attempt #1
[R] Retry attempt Aborted
[R] Connecting to x.x.32.20 -> IP=x.x.32.20 PORT=21
[R] Connected to x.x.32.20
[R] 220 FTP Server ready.
[R] AUTH TLS
[R] 234 AUTH TLS successful
[R] Connected. Negotiating TLSv1 session..
[R] Connection failed (Connection lost)
[R] Delaying for 120 seconds before reconnect attempt #1

OR psftp.exe
C:\Program Files\PuTTY>psftp.exe -v
psftp: no hostname specified; use "open host.name" to connect
psftp> open joe.com
Looking up host "aem.qif.sita.aero"
Connecting to x.x.32.20 port 22
Server version: SSH-2.0-OpenSSH_4.3
We claim version: SSH-2.0-PuTTY_Release_0.60
Using SSH protocol version 2
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-1
Host key fingerprint is:
ssh-rsa 2048 84:69:94:5e:48:dd:52:15:72:e7:25:d9:f7:9c:0d:53
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
Pageant is running. Requesting keys.
Pageant has 0 SSH-2 keys
login as: joe
joe at joe.com's password:
Sent password
Access granted
Opened channel for session
Started a shell/command
Server sent command exit status 0
Connected to aem.qif.sita.aero
Disconnected: All channels closed
Fatal: unable to initialise SFTP: could not connect
psftp>

/var/log/secure says
Aug 14 09:57:56 lont02a011vl sshd[23524]: pam_unix(sshd:session): session
opened for user joe by (uid=0)
Aug 14 09:57:56 lont02a011vl sshd[23530]: subsystem request for sftp
Aug 14 09:57:56 lont02a011vl sshd[23524]: pam_unix(sshd:session): session
closed for user joe


However I can still connect to the users I've given shell access... :-(

2009/8/12 Michael Stauber <mstauber at blueonyx.it>

> Hi Sheldon,
>
> > I've got a server which is only being used for ftp and I've just been
> asked
> > to add a new sftp site for a department.  I've enabled Shell access but
> > while testing I can browse the entire system all the way to / and into
> any
> > users data.  How do I enable sftp access without giving the users full
> > access to the system?
>
> Yeah, shell access shouldn't be granted to regular users (or siteAdmins).
> That's way too problematic and has too many security implications.
>
> FTP does a chroot. So if a user logs in, he can only see his own files and
> folders. If a siteAdmin FTP's in, he can pretty much see most of the files
> and folders that belong to his site. That should be good enough for most.
>
> Of course regular FTP is not encrypted. Hence it may not be the most
> desirable solution.
>
> BlueOnyx uses ProFTPd and that indeed does support SFTP. We have it enabled
> out of the box.
>
> Make sure your server is fully updated (one of the recent updates included
> a
> newer ProFTPd) and you don't need to do anything special to get SFTP to
> work.
>
> Just connect to the box with an SFTP capable FTP client. If I have to use
> Windows for FTP (happens rarely enough) I use FlashFXP, which (among other
> things) supports SFTP.
>
> Some clients (like FlashFXP) need to know which "SSL method" or which "SSL
> authentication method" they should use when they connect to the server. Set
> this to "Auth SSL" or "Auth TLS", which our ProFTPd supports out of the
> box.
>
> Other than that you don't need to do anything special.
>
> --
> With best regards
>
> Michael Stauber
>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at blueonyx.it
> http://www.blueonyx.it/mailman/listinfo/blueonyx
>



-- 
S Pollard
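The /var/log/secure excerpt above shows the pattern of a user whose SFTP subsystem request is immediately followed by the session closing. This added example (not code from the thread or from BlueOnyx) scans sshd log lines for that pattern so an admin can spot accounts whose SFTP logins silently fail; the sample lines are constructed after the excerpt, and the 2-second threshold is an assumption.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the /var/log/secure excerpt in the thread.
# The "admin" session is a constructed healthy one for contrast.
SAMPLE_LOG = """\
Aug 14 09:57:56 lont02a011vl sshd[23524]: pam_unix(sshd:session): session opened for user joe by (uid=0)
Aug 14 09:57:56 lont02a011vl sshd[23530]: subsystem request for sftp
Aug 14 09:57:56 lont02a011vl sshd[23524]: pam_unix(sshd:session): session closed for user joe
Aug 14 10:02:10 lont02a011vl sshd[23600]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Aug 14 10:02:10 lont02a011vl sshd[23606]: subsystem request for sftp
Aug 14 10:09:41 lont02a011vl sshd[23600]: pam_unix(sshd:session): session closed for user admin
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
OPEN_RE = re.compile(r"session opened for user (?P<user>\S+)")
CLOSE_RE = re.compile(r"session closed for user (?P<user>\S+)")
SUBSYS_MSG = "subsystem request for sftp"


def parse_line(line):
    """Return (timestamp, pid, message) for an sshd syslog line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog stamp
    return ts, int(m.group("pid")), m.group("msg")


def find_failed_sftp_sessions(log_text, max_seconds=2):
    """List (user, session_pid) for sessions that asked for the sftp subsystem
    and were closed within max_seconds, i.e. the subsystem never really ran."""
    open_sessions = {}  # session pid -> [user, opened_at, sftp_requested]
    flagged = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, pid, msg = parsed
        if (m := OPEN_RE.search(msg)):
            open_sessions[pid] = [m.group("user"), ts, False]
        elif msg == SUBSYS_MSG:
            # The subsystem request is logged by a child pid, so attach it to the
            # most recently opened session that has not yet asked for a subsystem.
            for rec in reversed(list(open_sessions.values())):
                if not rec[2]:
                    rec[2] = True
                    break
        elif (m := CLOSE_RE.search(msg)):
            rec = open_sessions.pop(pid, None)
            if rec and rec[2] and (ts - rec[1]).total_seconds() <= max_seconds:
                flagged.append((rec[0], pid))
    return flagged
```

Running it over the constructed sample flags only joe's session, which matches the failed psftp attempt in the thread.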