Secure ProFTPD

Justec · November 11, 2005, 2:12pm

Well there are two different things, SFTP and FTP over SSL.

SFTP is availble already you just have to give shell access and use your linux username / password (port 22).

FTP over SSL is what I think you are referring to right? I thought that was already included by default now.

system · November 11, 2005, 2:16pm

No mod_tls in there at all on my installation, and no updates listed available for proftp.

I’m generally uncomfortable providing any level of shell access to users. One does have it, but mostly because I promised him a secure channel for his work on the last server.

Justec · November 11, 2005, 2:31pm

For some reason I thought Iworx did this already, but I guess not.

I agree completely, but I figured out a way that works on RH9 to allow only SFTP access with out regular shell access. Just set the user shell from /sbin/nologin to /usr/libexec/openssh/sftp-server for the user you want to give SFTP access to.

system · November 11, 2005, 5:50pm

Ah, got it. Tested and works.

For those who would like to simplify this, add:

/usr/libexec/openssh/sftp-server

to /etc/shells. Refresh the Shell Accounts page, and it will be available to users. Set the shell appropriately on a trusted account and test using SFTP (listed as FTP over SSH or SSH2 on some clients).

This makes me much happier. Thanks.

Maybe a wiki might be useful for handling documentation of little things like this?

IWorx-Chris · November 12, 2005, 12:45am

For some reason I thought Iworx did this already, but I guess not.

We did, but it may not be built for all systems. The SRPM has the updates I believe. Martin, if you’d like to open a ticket I can check out the problems you had after building.

Chris

system · November 16, 2005, 6:30pm

Not at the moment. I need to get a remote access card in the server before I take that one on again – the last time it happened, no TCP connections could be completed. I’m sure you can understand why I’m a little skittish.

Justec · February 8, 2006, 12:27pm

How would I go about adding in mod_tls on a CentOS 4.2 x64 system?

rpmbuild --rebuild --with cnt4064 --with mod_tls http://updates.interworx.info/iworx/SRPMS/proftpd-1.2.10-101.iworx.src.rpm

Does not build it and errors out.

IWorx-Chris · February 9, 2006, 9:22am

Justin,

Try: --with rhe4x instead of --with cnt4064

Chris

Justec · February 9, 2006, 12:09pm

Chris,

rhe4x worked! Thanks.

Is that something that you setup when you make the RPM? I have only used RPMs, never made one so its a bit of a mystery to me.

I assume that when its a source RPM you can have some kind of if statement in the build part that check the --with “distro”, where distro is just a varaible that SRPM author makes.

Am in the ball park?

IWorx-Chris · February 18, 2006, 11:26pm

Am in the ball park?

yep, that’s all there is to it