> On 16. Sep 2020, at 20:08, sthaug_at_nethelp.no wrote:
>
>
>>
>> FTP is (becoming?) a legacy protocol, and I think it may be time to
>> remove the ftp server from the FreeBSD base system - with the recent
>> security advisory for ftpd serving as a reminder.
>>
>> I've proposed adding a deprecation notice to the man page in
>> https://reviews.freebsd.org/D26447 to start this off. There are a
>> number of ftp servers in ports, and if we're going to remove the base
>> system one we can create a port for it first, as well.
>>
>> Any comments or concerns, please follow up in the code review or in email here.
>
> Could we, at the same time, improve the documentation for sftp? I had
> to move an FTP server (with one chrooted user) from FTP to sftp today.
> I did:
>
> 1. Add sftp user to /etc/passwd, with /usr/sbin/nologin as the shell.
> 2. Patch sshd config as follows:
>
> --- etc/ssh/sshd_config.orig 2018-06-16 22:04:20.868762000 +0200
> +++ etc/ssh/sshd_config 2020-09-16 10:10:53.133211000 +0200
> _at__at_ -112,7 +112,7 _at__at_
> #Banner none
>
> # override default of no subsystems
> -Subsystem sftp /usr/libexec/sftp-server
> +Subsystem sftp internal-sftp -l INFO
>
> # Example of overriding settings on a per-user basis
> #Match User anoncvs
> _at__at_ -120,3 +120,8 _at__at_
> # AllowTcpForwarding no
> # PermitTTY no
> # ForceCommand cvs server
> +Match User sftp
> +ChrootDirectory /usr/local/ftp/sftp
> +ForceCommand internal-sftp -l INFO
> +X11Forwarding no
> +AllowTcpForwarding no
>
> 3. Ensure all levels of /usr/local/ftp/sftp are owned by root.
> 4. Create /usr/local/ftp/sftp/dev and add the following line to
> /etc/rc.conf:
>
> syslogd_flags="-s -l /usr/local/ftp/sftp/dev/log"
>
> Btw, I could not get /usr/libexec/sftp-server to work. Cryptic error
> message: "Received message too long 1416128883". Googling that one
> eventually led me to the internal-sftp subsystem and the rest of the
> sshd_config changes. The sshd_config man page is good, but I couldn't
> find anything about arguments (e.g. -l) for internal-sftp.

In case it helps, I documented an example sftp setup as part of the paperless port's man page last year:

https://svnweb.freebsd.org/ports/head/deskutils/py-paperless/files/paperless.7.in?revision=521891&view=co

-m

>
> Steinar Haug, Nethelp consulting, sthaug_at_nethelp.no

Received on Wed Sep 16 2020 - 16:30:33 UTC
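
Review bot: In the second hunk, the new "Match User sftp" block disables X11 and TCP forwarding but leaves agent forwarding and TTY allocation at their defaults; adding "AllowAgentForwarding no" and "PermitTTY no" (the latter already appears in the commented anoncvs example directly above) would close the remaining session features for this account. The block is also appended at the very end of the file with its directives unindented, so any global setting added below it later would silently fall inside the Match; a one-line comment saying the block must stay last, and indenting the four directives under it, would make that visible.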
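
Step 3 of the quoted procedure is a condition sshd checks at session startup, so the following is an added check (not part of either message) that walks from the ChrootDirectory up to / and reports every component that is not owned by root or is group- or world-writable. The OWNER_UID and STOP_DIR arguments are assumptions of this example, there so it can be tried on a scratch tree.

```shell
#!/bin/sh
# Added example (not from the thread): check step 3 before restarting sshd.
# Every directory from the ChrootDirectory up to / must be owned by root
# and must not be writable by group or others.
# OWNER_UID and STOP_DIR are hypothetical parameters of this example so the
# check can also be exercised on a scratch tree; defaults are 0 and /.
check_chroot_path() {
    dir=$1 owner=${2:-0} stop=${3:-/} rc=0
    case $dir in
        /*) ;;
        *) echo "FAIL $dir: not an absolute path" >&2; return 2 ;;
    esac
    while :; do
        if [ ! -d "$dir" ]; then
            echo "FAIL $dir: not a directory" >&2; rc=1
        else
            # ls -ldnL: long format, numeric ids, follow symlinks.
            # Field 1 is the mode string, field 3 the owner uid.
            meta=$(ls -ldnL "$dir" | awk '{print $1 " " $3}')
            mode=${meta% *} uid=${meta#* }
            [ "$uid" = "$owner" ] ||
                { echo "FAIL $dir: owner uid $uid, want $owner" >&2; rc=1; }
            case $mode in      # 6th character is the group write bit
                ?????w*) echo "FAIL $dir: group-writable ($mode)" >&2; rc=1 ;;
            esac
            case $mode in      # 9th character is the other write bit
                ????????w*) echo "FAIL $dir: world-writable ($mode)" >&2; rc=1 ;;
            esac
        fi
        if [ "$dir" = "$stop" ] || [ "$dir" = / ]; then break; fi
        dir=$(dirname "$dir")
    done
    return $rc
}

# Run against the path from the thread when called with an argument, e.g.
#   sh check_chroot.sh /usr/local/ftp/sftp
[ $# -eq 0 ] || check_chroot_path "$@"
```

A non-zero exit status means at least one component would make sshd refuse the chroot; the FAIL lines on stderr name each one.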