# secure ftp? for select number of users

## Matrixmonkey

I need to set up an FTP server, but only FTP  :Twisted Evil:  NO shell access  :Evil or Very Mad: 

to their home dir (well, it was in the www dir, but I moved it now  :Wink:  )

I've been looking up proftpd+msql but no joy

and thought about adding users with the option -s /bin/false

but that would still leave passwords on the system

so any ideas would leave me forever in your debt 

 :Smile:    Matrixmonkey

----------

## bunsen

openssh ships with sftp. I've not used it, so can't say whether it's of any use to you.

----------

## Matrixmonkey

ahhh, forgot to say the users are Windows users, and thick ones at that  :Very Happy:  so would need a Windows client

 :Laughing:   :Laughing:   :Laughing:   :Laughing:   :Laughing: 

keep trying to turn them to the  light side of the force but  :Sad:  no joy

the dark side is stronger   :Twisted Evil: 

----------

## jonnymalm

sftp that ships with openssh is the way to go.  

There is a great Windows client called WinSCP that is easy to use for all of your thick Windows users. It is open source/freeware and you can get it at http://winscp.sourceforge.net/eng/

I have never set up openssh without ssh shell access, but I am sure that you can do it.

----------

## echo6

So what is the answer?

How do you allow an account for sftp access and disable ssh access?

----------

## petterg

You're not telling why you want this, but I'm guessing you want users to only have access to /home and subdirs of /home.

(Block access to all other files in the system.)

If my guessing is correct, openssh 3.7.1_p2-r2 with chroot patch is the way to go. (I've had no success on making the chroot patch work with 3.8.* and 3.9.*!)

This will not stop users from having shell access, but it will stop them from having access to other files. You are also controlling what binaries they are allowed to run. To make sftp work they need access to ls, cp, mv, rm, mkdir, rmdir and bash.

The downside of this is that users will still be able to create ssh tunnels to the server, so if your goal is to protect other computers on the local network this will be the wrong way to go. (Unless there is some way to block tunnelling that I'm not aware of.)

Regarding windows client: Check out Filezilla.

----------

## echo6

I simply want users to be able to use WinSCP to upload/download files etc,  but I don't want them to have access to a shell on the server.

I was looking for a simple solution to just possibly allow access to those commands required for ftp without users having access to the other commands.

Oh well,  now looking at grsecurity and access control lists as a possible way to go,  I guess there's no simple solution.   I already have the gentoo-hardened kernel compiled and the server is up and running may as well go for it  :Smile: 

----------

## hanj

If sFTP isn't an option for you.. I would recommend vsftp for an FTP server.

As to your other question.. you can set up users without a shell...

```
useradd -s /bin/false -m -g usergroup username
```

I would also add another layer if possible, restricting access to port 21 from 'trusted networks' via iptables. Since you have a small number of users connecting, you can limit it only to those IPs. I understand that they may be coming from large networks/DHCP and don't have a static address, but you could open it to the netblock. This is still restricting it considerably. It all depends on how many users are using DHCP vs static. If the majority is static, then I would say it is worth it.

hope this helps

hanji

----------

## echo6

The majority of access will be from unknown IP addresses, so using hosts.allow or a configured iptables is not an option.

I currently have vsftpd but was hoping to use the added security of ssh.   Setting up users without a shell disables sftp/scp access  :Sad: 

Oh! Another thing to remember: when using /bin/false, it requires an entry in /etc/shells for this to work with vsftp.

----------

## hanj

Looks like vsftpd2 supports SSL.. maybe something to look at..

https://forums.gentoo.org/viewtopic.php?t=201071

hanji

----------

## petterg

I figured out how to make the chroot patch work with openssh-3.9. It needs some more files in the jail than the 3.7 needed:

/etc/pam.d

/etc/security

/lib/libpam*

(I've tried this with openssh-3.9_p1 only.)

----------

## echo6

 *hanj wrote:*   

> Looks like vsftpd2 supports SSL.. maybe something to look at..


Ah!..good point.

Thanks.

----------

## sbonnell

You may have a look at rssh. It's used to restrict the access to ssh functions.

Regards,

Stephane

----------

## Matrixmonkey

the answer  :Very Happy: 

when my sister was on holiday  :Very Happy:  I stole her PC and installed Gentoo on it  :Very Happy: 

mawwwaaahhh  :Very Happy:  nice and secure server and client now  :Very Happy: 

----------

## echo6

 *sbonnell wrote:*   

> You may have a look at rssh. It's used to restrict the access to ssh functions.
> 
> Regards,
> 
> Stephane


Excellent,  thanks  :Smile: 

----------

## Jaxom

I use vsftpd, I read in the man pages about changing some things around to allow anonymous logons without passwords.  And you can set quite a bit of other security level stuff in it as well.  Hence the name Very Secure FTP Daemon  :Smile: 

----------

## badchien

 *echo6 wrote:*   

> So what is the answer?
> 
> How do you allow an account for sftp access and disable ssh access?


Someone told me that this works to allow sftp only, not ssh: change their shell like this:

```
chsh -s /usr/lib/misc/sftp-server someuser
```

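An added audit example (not code from any poster in this thread) that ties the suggestions together: it reads /etc/passwd and /etc/shells in their real formats, classifies each account as interactive shell, SFTP-only (sftp-server or rssh as the login shell, as suggested above) or no-login (/bin/false), and flags shells that are not listed in /etc/shells, which is the vsftpd caveat echo6 raised. The file contents below are constructed samples, not copied from a real host.

```python
"""Audit local accounts: interactive shell, SFTP-only or no-login.
Added example for this thread, not any poster's code. Sample file
contents are constructed; the SFTP-only shell names come from the thread."""
import os

# Constructed /etc/passwd sample (not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:100:Alice:/home/alice:/usr/lib/misc/sftp-server
bob:x:1002:100:Bob:/home/bob:/bin/false
carol:x:1003:100:Carol:/home/carol:/usr/bin/rssh
dave:x:1004:100:Dave:/home/dave:/bin/bash
"""
# Constructed /etc/shells sample: /bin/false is deliberately missing,
# the case echo6 hit where vsftpd refuses the login.
SAMPLE_SHELLS = """\
# valid login shells
/bin/sh
/bin/bash
/usr/lib/misc/sftp-server
/usr/bin/rssh
"""
SFTP_ONLY = {"sftp-server", "rssh"}          # shells named in the thread
NOLOGIN = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def parse_shells(text):
    """Shells listed in /etc/shells, ignoring blank lines and # comments."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}

def classify(shell):
    """'sftp-only' for sftp-server/rssh, 'no-login' for false/nologin, else 'shell'."""
    if os.path.basename(shell) in SFTP_ONLY:
        return "sftp-only"
    return "no-login" if shell in NOLOGIN else "shell"

def audit(passwd_text, shells_text, min_uid=1000):
    """Return {user: (category, shell_listed_in_etc_shells)} for uid >= min_uid.
    An unlisted shell is rejected by chsh and by services that consult
    /etc/shells, such as vsftpd as noted in the thread."""
    valid = parse_shells(shells_text)
    out = {}
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7 and int(f[2]) >= min_uid:
            out[f[0]] = (classify(f[6]), f[6] in valid)
    return out

if __name__ == "__main__":
    for user, (cat, listed) in audit(SAMPLE_PASSWD, SAMPLE_SHELLS).items():
        print(f"{user:8s} {cat:10s}{'' if listed else 'NOT in /etc/shells'}")
```

Run it against real files with `audit(open('/etc/passwd').read(), open('/etc/shells').read())` to see which accounts still have an interactive shell and which would be refused because their shell is not listed.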
----------

## echo6

 *badchien wrote:*   

> ```
> chsh -s /usr/lib/misc/sftp-server someuser
> ```
> ...

Of course!! Yes, very simple, I'll give that a try, many thanks  :Smile: 

----------

## To

 *Jaxom wrote:*   

> I use vsftpd, I read in the man pages about changing some things around to allow anonymous logons without passwords.  And you can set quite a bit of other security level stuff in it as well.  Hence the name Very Secure FTP Daemon 


One more vote for vsftpd

Tó

----------

## cpdsaorg

Just curious, when you install sshd do the sftp and ssh functionality keep separate access control lists? I thought ssh had an allow or deny list? Or am I mixing that up with ftp?

----------

