using OpenSSH/SFTP to replace an FTP server securely
IMAP List Administration
lists at y42.org
Mon May 19 11:31:00 EST 2014
Hello Folks,
I'm trying to replace an FTP with several hundred users with something secure.
My requirements:
- transfers must be logged
- users should not have any access to other users' directories
- users should land in a writable directory
- users should be chrooted
I've been trying to get this working with OpenSSH and the internal SFTP server,
but it does not seem possible....
If I chroot each user using "ChrootDirectory /home/%u", there are two problems:
1) the user lands in a directory to which he cannot write
2) I would need hundreds of syslog logging sockets, one in each user's
chrooted environment
if I chroot all users to the same top directory, for example "/home",
which would solve the problem of avoiding hundreds of syslog logging sockets, I
have found no method of having OpenSSH chdir into a user-specific subdirectory
(I would be willing to rely on the standard UNIX security model to restrict
users' access to their own directories).
Have I missed something, or is what I'm trying to achieve simply not possible
using OpenSSH?
I do not really want to get into bind-mounting all sorts of crap from outside
the chroot environment to get stuff to work, particularly not for hundreds of
users. If "sftp-server" solves the problem in conjunction with a single chroot
top directory, I would be willing to bind-mount (or copy) what it needs, but I
have not found any way of getting sftp-server to satisfy the above requirements.
The platform is CentOS 6.5 (x86_64).
"ssh -V" reports:
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
cheers,
Rob
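The following is an added worked example, not code from the poster or from the OpenSSH project. It takes the second approach from the post (one chroot top for every SFTP user) and shows how the "land in a writable directory" and "single syslog socket" problems can both be met on a 5.3-era sshd. It relies on one behaviour of sshd: after entering the ChrootDirectory it chdir()s to the user's passwd home directory as that path appears inside the chroot, and silently stays at / if that path does not exist. So with ChrootDirectory /srv/sftp and a passwd home of /home/alice, the session starts in /srv/sftp/home/alice, which can be owned by alice and mode 0700. The chroot top /srv/sftp, the group name sftponly, the rsyslog/imuxsock setup (the CentOS 6 default) and GNU stat(1) are all assumptions of the example.

```shell
#!/bin/sh
# Added example (not the poster's or OpenSSH's code): shared chroot top,
# per-user writable landing directory, one syslog socket.
# Assumed names: /srv/sftp, group "sftponly", rsyslog with imuxsock already
# loaded, GNU stat(1). Account creation needs root; everything else does not.
set -eu

SFTP_ROOT="${SFTP_ROOT:-/srv/sftp}"
SFTP_GROUP="${SFTP_GROUP:-sftponly}"

# sshd_config fragment. "Subsystem" is not allowed inside Match, so it stays
# above the block. internal-sftp -l INFO records every open/close/rename/
# remove together with the authenticated user; -f AUTH picks the facility.
sshd_match_block() {
    cat <<EOF
Subsystem sftp internal-sftp
Match Group ${SFTP_GROUP}
    ChrootDirectory ${SFTP_ROOT}
    ForceCommand internal-sftp -l INFO -f AUTH
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# rsyslog fragment (e.g. /etc/rsyslog.d/sftp-chroot.conf). The chrooted
# sftp-server can only reach /dev/log relative to the chroot top, so rsyslog
# must listen on a second socket there. One top directory means one socket.
rsyslog_fragment() {
    printf '$AddUnixListenSocket %s/dev/log\n' "$SFTP_ROOT"
}

# Shared skeleton. sshd rejects a ChrootDirectory unless every component of
# the path is root-owned and neither group- nor world-writable.
make_chroot_skeleton() {  # $1 = chroot top
    mkdir -p "$1/dev" "$1/home"
    chmod 755 "$1" "$1/dev"
    chmod 711 "$1/home"   # traversable but not listable: users cannot enumerate each other
}

# Per-user landing directory inside the chroot. 0700 lets the ordinary Unix
# permission model keep users out of each other's trees.
make_user_dir() {  # $1 = chroot top, $2 = user
    mkdir -p "$1/home/$2"
    chmod 700 "$1/home/$2"
}

# Mirror sshd's own ownership/mode check so a bad component is found before
# users start seeing "bad ownership or modes for chroot directory" in auth.log.
check_chroot_path() {  # $1 = chroot top; returns 1 on the first offending component
    p="$1"
    while :; do
        owner=$(stat -c '%u' "$p")
        perm=$(stat -c '%A' "$p")   # e.g. drwxrwxr-x
        if [ "$owner" -ne 0 ]; then
            echo "$p: not owned by root (uid $owner)" >&2; return 1
        fi
        case "$perm" in
            ?????w*|????????w*) echo "$p: group/world writable ($perm)" >&2; return 1 ;;
        esac
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Root only. The passwd home stays /home/<user> so ~/.ssh/authorized_keys
# outside the chroot keeps working (authentication happens before the chroot);
# the shell is never executed because internal-sftp runs in-process.
add_sftp_user() {  # $1 = user
    useradd -m -d "/home/$1" -g "$SFTP_GROUP" -s /sbin/nologin "$1"
    make_user_dir "$SFTP_ROOT" "$1"
    chown "$1:$SFTP_GROUP" "$SFTP_ROOT/home/$1"
}

case "${1:-}" in
    show)    sshd_match_block; rsyslog_fragment ;;
    install) make_chroot_skeleton "$SFTP_ROOT"; check_chroot_path "$SFTP_ROOT"
             rsyslog_fragment > /etc/rsyslog.d/sftp-chroot.conf ;;
    adduser) add_sftp_user "$2" ;;
esac
```

Order of operations matters: create the skeleton, restart rsyslog so the socket exists under /srv/sftp/dev, append the Match block, run `sshd -t`, then reload sshd. Users see /home/alice as their working directory, can write there, cannot list /home, and cannot enter /home/bob. On OpenSSH 6.2 and later, `internal-sftp -d /home/%u` chooses the start directory explicitly and makes the per-user-chroot layout from the post workable too, but that option is not in 5.3p1.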