FTP Server for individual client spaces

2009-07-10 Thread RS Wood
I run a small engineering company* that exchanges large files (CAD,
etc.) with clients, and I want to keep the docs off my email server by
setting up a stand alone FTP server where each client can upload and
download its relevant files.  As such, my own users/employees should be
able to reach every client’s FTP space but each client should only be
able to reach his own.  As my users finish a doc, they place it in that
client’s FTP directory and the client can log in and get it.  As such,
I don’t want any form of unauthenticated FTP.

I’ve tried different combinations of group names and directory
permissions without success, but chrooting users doesn’t seem to solve
my problem either, and my two favorite BSD books – Tiemann et al.
(Unleashed) and Lucas (Absolute) take the same approach the man pages
do, in my opinion, which guides you either into an all-anonymous system,
or a system suitable for organizations such as software distributors in
which clients/users authenticate but then all access the same directory
(/pub for example).  I could use some help conceptualizing this.

Is the solution ftpchroot?  If so, it’s not clear how I can chroot
each potential client into his own directory, as my understanding is
that all chrooted users wind up at the same place (like /var/ftp/pub). 
Or is the solution that each client gets access to his own home
directory; if so, how do I ensure my staff has access to each client’s
home directory?  Lastly, I’ve also been reading up on PureFTP, which
seems to have some advanced configuration potential (including LDAP
authentication, something else that interests me) but it’s not clear
that using an alternative product is indicated here.
This seems like something other organizations must have dealt with, so I
must be missing something fundamental.  Can someone point me in the
right direction?

Finally, I’m aware FTP has inherent security liabilities as passwords
cross the net in clear text, but I’m not convinced casual users on
Windows boxes will be able to manage fun stuff like SSH connections or
alternative software, like SCP.  In my experience, the “modern”
windows user accesses FTP sites using Internet Explorer, which is
tremendously underwhelming.  As such I am choosing a stand alone box on
which no other services are running (mail, X, etc.).  Am I right?  Or is
there some better method that won’t be too complex for the casual
Windows user?

Thanks in advance for the pointers.

Randy
--
www.therandymon.com

*Actually, this is all hypothetical, but I’m learning server admin so
I can cross this bridge when the time comes, and having a lot of fun,
naturally, since right now my screw ups don’t count!
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: FTP Server for individual client spaces

2009-07-10 Thread Jonathan McKeown
On Friday 10 July 2009 16:10:24 RS Wood wrote:
> I run a small engineering company* that exchanges large files (CAD,
> etc.) with clients, and I want to keep the docs off my email server by
> setting up a stand alone FTP server where each client can upload and
> download its relevant files.  As such, my own users/employees should be
> able to reach every client’s FTP space but each client should only be
> able to reach his own.  As my users finish a doc, they place it in that
> client’s FTP directory and the client can log in and get it.  As such,
> I don’t want any form of unauthenticated FTP.
[snip]
> Is the solution ftpchroot?  If so, it’s not clear how I can chroot
> each potential client into his own directory, as my understanding is
> that all chrooted users wind up at the same place (like /var/ftp/pub).
> Or is the solution that each client gets access to his own home
> directory; if so, how do I ensure my staff has access to each client’s
> home directory?

I haven't tried this, but man ftpd.conf suggests something along the lines of:

chroot chroot /some/path/%u

where the second chroot is the ftp class, and %u will be expanded to the 
username. Make sure all your external users are in ftp class chroot (by 
putting their usernames in /etc/ftpchroot), and make /some/path group-owned 
and group-readable by a group all your staff are in (the group ownership of a 
directory automatically propagates to new directories created below it).

Let us know how it goes!

Jonathan


Re: FTP Server for individual client spaces

2009-07-10 Thread Steve Bertrand
RS Wood wrote:
> I run a small engineering company* that exchanges large files (CAD,
> etc.) with clients, and I want to keep the docs off my email server by
> setting up a stand alone FTP server where each client can upload and
> download its relevant files.  As such, my own users/employees should be
> able to reach every client’s FTP space but each client should only be
> able to reach his own.  As my users finish a doc, they place it in that
> client’s FTP directory and the client can log in and get it.  As such,
> I don’t want any form of unauthenticated FTP.
> 
> I’ve tried different combinations of group names and directory
> permissions without success, but chrooting users doesn’t seem to solve
> my problem either, and my two favorite BSD books – Tiemann et. al.
> (Unleashed) and Lucas (Absolute) take the same approach the man pages
> do, in my opinion, which guides you either into an all anonymous system,
> or a system suitable for organizations such as software distributors in
> which clients/users authenticate but then all access the same directory
> (/pub for example).  I could use some help conceptualizing this.
> 
> Is the solution ftpchroot?

It works for us, for the users who still need FTP access:

# cp /sbin/nologin /sbin/ftp-only
# echo /sbin/ftp-only >> /etc/shells

# adduser

homedir == /ftp/username
shell   == /sbin/ftp-only

I then:

# cd /ftp/username
# rm -r .*

# echo username >> /etc/ftpchroot

Now, you can create staff accounts in the same way, but set their home
directory as /ftp. They'll be able to traverse the entire FTP tree from
there. Just ensure that the /ftp directory structure is owned by a group
that your staff accounts are in, and that all of the sub directories are
modded with appropriate permissions.

> If so, it’s not clear how I can chroot
> each potential client into his own directory, as my understanding is
> that all chrooted users wind up at the same place (like /var/ftp/pub).
> Or is the solution that each client gets access to his own home
> directory;

Yes, each to their own home dir.

> if so, how do I ensure my staff has access to each client’s
> home directory?

I'm assuming that your staff will be using FTP as well. Simply assign
their home directory to the root FTP directory.

> Lastly, I’ve also been reading up on PureFTP, which
> seems to have some advanced configuration potential (including LDAP
> authentication, something else that interests me) but it’s not clear
> that using an alternative product is indicated here.
> This seems like something other organizations must have dealt with, so I
> must be missing something fundamental.  Can someone point me in the
> right direction?
> 
> Finally, I’m aware FTP has inherent security liabilities as passwords
> cross the net in clear text, but I’m not convinced casual users on
> Windows boxes will be able to manage fun stuff like SSH connections or
> alternative software, like SCP.

Provide them a link to a client software that uses SFTP. I use WinSCP
(portable), which defaults to SFTP, and provides the server, username
and password fields as soon as it is launched.

Hope I didn't miss anything ;)

Steve



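The two replies above (Jonathan's ftpd.conf `chroot` class with `%u`, and Steve's /etc/ftpchroot plus per-user home directory recipe) describe the same layout from two ends. The script below is an added example, not code from either poster or from FreeBSD's ftpd: it stages that layout and checks it. The root directory (`FTP_ROOT`), the staff group (`STAFF_GROUP`) and the file paths are assumptions and are overridable through the environment; the ftpd.conf line it prints is the one Jonathan quotes. Each client directory is owned by the client, group-owned by the staff group, mode 2770: the client and all staff can work in it, nobody else can even enter it, and the setgid bit makes client uploads land in the staff group so staff can read them. The one caveat a practitioner hits here is in the other direction: a file a staff member drops in is owned by that staff user, so the client (neither owner nor group member) needs the "other" read bit on the file, which is harmless because "other" cannot enter the directory in the first place.

```sh
#!/bin/sh
# Added example (not from the thread or FreeBSD): stage and verify a
# per-client ftpd chroot layout.  Assumed, overridable names below.
# Run as root on the real host; a non-root run only stages a tree.
FTP_ROOT="${FTP_ROOT:-/ftp}"
STAFF_GROUP="${STAFF_GROUP:-staff}"
FTPCHROOT="${FTPCHROOT:-/etc/ftpchroot}"

# The ftpd.conf(5) line quoted in the thread: members of ftp class
# "chroot" are confined to FTP_ROOT/<login>; %u expands to the login.
ftpd_conf_line() {
    printf 'chroot chroot %s/%%u\n' "$FTP_ROOT"
}

# Create one client's space: owner = client, group = staff, mode 2770.
# Owner and group get rwx, "other" gets nothing, setgid makes new files
# inherit the staff group.  chown/chgrp need root, so a failure is
# reported rather than fatal: the tree can be staged and fixed up later.
make_client_space() {
    dir="$FTP_ROOT/$1"
    mkdir -p "$dir" || return 1
    chmod 2770 "$dir" || return 1
    chown "$1:$STAFF_GROUP" "$dir" 2>/dev/null ||
        echo "note: could not chown $dir to $1:$STAFF_GROUP (run as root)" >&2
    return 0
}

# Add a login to the ftpchroot file exactly once (one name per line).
add_ftpchroot() {
    touch "$FTPCHROOT" || return 1
    grep -qxF "$1" "$FTPCHROOT" 2>/dev/null || printf '%s\n' "$1" >> "$FTPCHROOT"
}

# Mode string of a path, e.g. "drwxrws---"; works with BSD and GNU ls.
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# Verify a client directory: no bits for "other", setgid set.
check_client_space() {
    case "$(mode_of "$FTP_ROOT/$1")" in
        drwxrws---) return 0 ;;
        *) return 1 ;;
    esac
}

# List names in the ftpchroot file that have no directory yet: such a
# login would fail because the chroot target does not exist.
missing_spaces() {
    [ -f "$FTPCHROOT" ] || return 0
    while read -r name; do
        [ -d "$FTP_ROOT/$name" ] || echo "$name"
    done < "$FTPCHROOT"
}

# Usage: sh ftpspaces.sh setup clientA clientB ...
if [ "${1:-}" = "setup" ]; then
    shift
    mkdir -p "$FTP_ROOT"
    # Staff (group) may list the top level; others can pass through but
    # not enumerate client names.
    chmod 2751 "$FTP_ROOT"
    chgrp "$STAFF_GROUP" "$FTP_ROOT" 2>/dev/null || true
    for client in "$@"; do
        make_client_space "$client" && add_ftpchroot "$client"
        check_client_space "$client" ||
            echo "warning: $FTP_ROOT/$client has an unexpected mode" >&2
    done
    echo "add to ftpd.conf: $(ftpd_conf_line)"
    echo "ftpchroot entries without a directory: $(missing_spaces)"
fi
```

Staff accounts then get `FTP_ROOT` itself as their home directory, as Steve describes, and are left out of the ftpchroot file (or placed in a class whose chroot is `FTP_ROOT`), so they see every client's space while each client sees only its own.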


Re: FTP Server for individual client spaces

2009-07-10 Thread Dan Nelson
In the last episode (Jul 10), Steve Bertrand said:
> RS Wood wrote:
> > Finally, I'm aware FTP has inherent security liabilities as passwords
> > cross the net in clear text, but I'm not convinced casual users on
> > Windows boxes will be able to manage fun stuff like SSH connections or
> > alternative software, like SCP.
> 
> Provide them a link to a client software that uses SFTP. I use WinSCP
> (portable), which defaults to SFTP, and provides the server, username and
> password fields as soon as it is launched.

WinSCP is good.  Other nice free SFTP clients are FileZilla (has Windows, OS
X and Unix versions) and muCommander (Java so it will run on anything).

http://www.winscp.net/
http://www.filezilla-project.org/
http://www.mucommander.com/

-- 
Dan Nelson
dnel...@allantgroup.com


Re: FTP Server for individual client spaces

2009-07-10 Thread Ruben de Groot
On Fri, Jul 10, 2009 at 03:10:24PM +0100, RS Wood typed:
> I run a small engineering company* that exchanges large files (CAD,
> etc.) with clients, and I want to keep the docs off my email server by
> setting up a stand alone FTP server where each client can upload and
> download its relevant files.  As such, my own users/employees should be
> able to reach every client’s FTP space but each client should only be
> able to reach his own.  As my users finish a doc, they place it in that
> client’s FTP directory and the client can log in and get it.  As such,
> I don’t want any form of unauthenticated FTP.

Do your employees need access through the same ftp server?
You could serve them any other way (e.g. internally export the entire ftp
tree as an NFS or CIFS share).
