"ssh" type ftp server/client for freebsd

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
Now I gotta install an ftp program for someone to upload her students' web files onto the server. I would use putty's version of ftp, but I need a gui for her to use.

Is pureftp pretty secure? As for the client, she uses cuteftp, but I would like to steer her in another direction.
 

Need4Speed

Diamond Member
Dec 27, 1999
5,383
0
0
pureftp and proftpd are decent, but ftp and secure in the same sentence is an oxymoron....everything is clear text unless you tunnel it through ssh or use an ssl wrapper
 

LuckyTaxi

she's got a windoze box at home. I'll assign her a very hard password or something.
With pureftpd, I wanna only allow her and myself to log in. She should only be able to see the documentroot to
the webserver and her home directory.

i assume this can be easily done
 

Need4Speed

yeah...it can be done.

filezilla is a windows app for what its worth. she'd be able to see the entire file system, but of course she would only have access to her own home dir....
 

Need4Speed

youll prolly need to use symlinks if the webroot and her home dir are not under the same ftp root
 

LuckyTaxi

Hmmm ... yea i may have to.
Web files go into /usr/local/www/data/students
and her home dir is /home/username

So I should set the ftp root to what? Mind you I would like to log in as the super user and do what I please.
 

Soybomb

Diamond Member
Jun 30, 2000
9,506
2
81
I have some ftp users on a pureftp server but none of them are system users and they're all chrooted. I hate ftp but if they're already familiar with ftp then its better for them. If they don't have software though and you're going to have to teach them anyway I'd ditch ftp and just use sftp/scp. Windows users could use the freeware winscp to upload files to their webdirectory http://winscp.vse.cz/eng/ If they don't have system logins you can install /usr/ports/shells/scponly and set that as their shell so they still don't have execution rights, but can scp.

/usr/local/www/data/students
I hope that's a symlink because if you update apache from ports it's going to nuke everything in /usr/local/www/ just as a warning ;)
 

LuckyTaxi

Originally posted by: Soybomb
/usr/local/www/data/students
I hope that's a symlink because if you update apache from ports it's going to nuke everything in /usr/local/www/ just as a warning ;)

I'll stick with ftp for now, but I only want her and I to log in. Still reading the documentation!

Oh crud ... I better move the files off of there then.

 

Need4Speed

1. never have a super user via ftp...if it's compromised, you're screwed. use sftp/ssh instead
2. i have my ftp root at /var/ftp with symlinks to web and home dirs

edit...btw: i use proftpd
 

LuckyTaxi

hmmmm ... true ... will do what you suggested. oh yea, if the user doesnt have the ability to login locally he/she can't log in via ftp, correct?

 

Soybomb

Btw check out your pure-ftpd.conf file (if that's what you're using), if set like this it should chroot everyone except those in the wheel group

# Cage in every user in his home directory

ChrootEveryone no

# If the previous option is set to "no", members of the following group
# won't be caged. Others will be. If you don't want chroot()ing anyone,
# just comment out ChrootEveryone and TrustedGID.

TrustedGID 0
 

Need4Speed

no..nologin applies only to shell login...not ftp.

many of my users have /sbin/nologin and only use ftp.
 

LuckyTaxi

Originally posted by: Need4Speed
no..nologin applies only to shell login...not ftp.

many of my users have /sbin/nologin and only use ftp.

Yea ... I was on the wrong server!!!! You are correct.
 

LuckyTaxi

Originally posted by: Soybomb
Btw check out your pure-ftpd.conf file (if that's what you're using), if set like this it should chroot everyone except those in the wheel group

# Cage in every user in his home directory

ChrootEveryone no

# If the previous option is set to "no", members of the following group
# won't be caged. Others will be. If you don't want chroot()ing anyone,
# just comment out ChrootEveryone and TrustedGID.

TrustedGID 0


hmmm ... didn't work! I logged in as this one user who doesn't belong in the wheel group and I was able to log in and access other folders.

pure-ftpd was originally run w/o the .conf file. I found it and copied it from the .sample it originally was saved as and rebooted the server. Is there an option I have to run with it so it will read from the configuration file?
 

LuckyTaxi

Originally posted by: Need4Speed
this is soybomb's show now...since my interactivity with pureftp is very limited

just read briefly about proftpd ... looks like it's easier to setup. directives similar to apache?
i like this ...
 

Soybomb

Here's my init script for pure. I tried pro and just didn't find the documentation up to what I wanted (look up sql auth for example):

asok# cat /usr/local/etc/rc.d/pureftpd.sh
#!/bin/sh

case "$1" in

start)
    /bin/mkdir -p /var/run/pure-ftpd
    if [ -x /usr/local/sbin/pure-ftpd ]; then
        /usr/local/sbin/pure-config.pl /usr/local/etc/pure-ftpd.conf & echo -n ' pure-ftpd'
    fi
    ;;

stop)
    killall pure-ftpd
    ;;
*)
    echo "$0 start | stop"
    ;;

esac
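
Added example, not code from any poster in this thread: the failure discussed above (a pure-ftpd.conf that asks for chroot while the daemon was started without it) can be checked by comparing the policy in the config with the chroot switches on the daemon's command line. The function names and the sample daemon arguments are assumptions made for this sketch; `-A`/`--chrooteveryone` and `-a`/`--trustedgid` are pure-ftpd's own switches for the two directives.

```shell
#!/bin/sh
# Added example: compare the chroot policy a pure-ftpd.conf asks for with the
# policy the daemon's command-line arguments actually enable.

# Policy requested by a pure-ftpd.conf read from stdin.
conf_policy() {
    awk '
        /^[ \t]*#/             { next }                  # skip comment lines
        $1 == "ChrootEveryone" { every = tolower($2) }
        $1 == "TrustedGID"     { gid = $2; have_gid = 1 }
        END {
            if (every == "yes") print "everyone"
            else if (have_gid)  print "all-except-gid:" gid
            else                print "none"
        }'
}

# Policy enabled by daemon arguments (assumes each switch is its own word).
argv_policy() {
    ap_every=no; ap_gid=
    while [ $# -gt 0 ]; do
        case "$1" in
            -A|--chrooteveryone) ap_every=yes ;;
            -a|--trustedgid)     if [ $# -gt 1 ]; then ap_gid=$2; shift; fi ;;
            --trustedgid=*)      ap_gid=${1#--trustedgid=} ;;
            -a?*)                ap_gid=${1#-a} ;;
        esac
        shift
    done
    if [ "$ap_every" = yes ]; then echo "everyone"
    elif [ -n "$ap_gid" ];    then echo "all-except-gid:$ap_gid"
    else                           echo "none"
    fi
}

# usage: check_chroot daemon-arg... < pure-ftpd.conf ; returns 1 on mismatch
check_chroot() {
    cc_want=$(conf_policy)
    cc_have=$(argv_policy "$@")
    if [ "$cc_want" = "$cc_have" ]; then
        echo "OK: $cc_have"; return 0
    fi
    echo "MISMATCH: config asks for $cc_want, daemon runs with $cc_have"
    return 1
}

# Constructed sample: the config quoted in the thread, daemon started bare.
printf 'ChrootEveryone no\nTrustedGID 0\n' | check_chroot -B || true
```

A mismatch here means users are not caged even though the config file says they should be, which is what a login test with a non-wheel account would also show.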