HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 2 > Installation/Configuration
#1 | 7th January 2007, 09:22 | vogelor (ISPConfig Developer, Wernau, Germany)

ISPConfig and SFTP

I think FTP is too insecure to use, so I want every one of my customers to be able to use SFTP instead. SFTP means "tunneling SSH" (I know this is not 100% accurate, but near enough to say what I mean). This means I need to allow every one of my customers SSH. This is NOT what I want. So I need something like chrooted SSH with NO critical commands to execute (ls or dir or something like this is OK, but not kill, ps, top, cronjobs or something "criminal" the user can do with the server).

I found in the configuration of ISPConfig something to activate chrooted SSH, but what do I have to do to activate it?

Can anybody help?
__________________
The new luxury is time, not money!

Company: http://www.muv.com, http://www.computerandservice.de
Private: http://www.vogelor.de
#2 | 7th January 2007, 11:23 | till (Super Moderator, Lüneburg, Germany)

First, you will have to recompile your SSH Daemon to support chrooting, this is described here for example:

http://www.howtoforge.com/chrooted_ssh_howto_debian

Then enable chrooting in the file /home/admispconfig/ispconfig/lib/config.inc.php. Every user that is newly created or updated in ISPConfig will be chrooted.

Another method to secure your FTP connections without enabling SSH is to use FTP with TLS (SSL) encryption.

http://www.castaglia.org/proftpd/doc...HOWTO-TLS.html
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#3 | 7th January 2007, 18:23 | vogelor (ISPConfig Developer, Wernau, Germany)

SFTP not working

Hmm!
There must be something which I don't know.

I followed the chrooted howto and the chrooted SSH works fine. I can start my PuTTY and log in to my server via SSH as user web14_ov. This works fine and the user is definitely chrooted!

This works.

Then I tried to connect via SFTP and this will not work. (The client can connect with SFTP to other servers, so the client is OK.)

Can anybody tell me what the problem is (what I have overlooked or don't know)?

Is there any log file I can look into?
#4 | 7th January 2007, 20:59 | martinfst (Senior Member, Hilversum, The Netherlands)

It depends a bit on whether you have changed syslogd, but the default logfile would be /var/log/auth.log. You will find a line like
Code:
sshd[1857]: subsystem request for sftp
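An added example (not from the thread) of what an admin can do with that auth.log line: tie each accepted login to a following "subsystem request for sftp" and flag customers who got a session without ever asking for sftp-server, i.e. a shell. The log excerpt is constructed; it assumes OpenSSH's "Accepted ... for USER from IP port N" format and that the subsystem line either shares the sshd[pid] of the Accepted line (as the line quoted above) or carries a "by user NAME" suffix as newer OpenSSH logs it.

```python
import re

# Constructed auth.log excerpt: three accepted logins, one of which (web15_ab)
# never requests the sftp subsystem, plus one failed attempt that is ignored.
SAMPLE_AUTH_LOG = """\
Jan  8 11:40:01 srv1 sshd[1857]: Accepted password for web14_ov from 192.0.2.10 port 51022 ssh2
Jan  8 11:40:01 srv1 sshd[1857]: subsystem request for sftp
Jan  8 11:41:17 srv1 sshd[1903]: Accepted password for web15_ab from 192.0.2.11 port 51030 ssh2
Jan  8 11:41:17 srv1 sshd[1903]: pam_unix(sshd:session): session opened for user web15_ab by (uid=0)
Jan  8 11:42:05 srv1 sshd[1950]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
Jan  8 11:43:30 srv1 sshd[1990]: Accepted publickey for web16_cd from 192.0.2.12 port 51044 ssh2
Jan  8 11:43:30 srv1 sshd[1992]: subsystem request for sftp by user web16_cd
"""

ACCEPTED = re.compile(r"sshd\[(\d+)\]: Accepted \S+ for (\S+) from (\S+) port \d+")
# Older OpenSSH logs only "subsystem request for sftp"; newer adds "by user NAME".
SFTP_SUBSYS = re.compile(r"sshd\[(\d+)\]: subsystem request for sftp(?: by user (\S+))?")


def classify_sessions(log_text):
    """Map each accepted login's sshd pid to (user, source_ip, kind).

    kind is "sftp" when an sftp subsystem request is tied to the login by pid
    or by user name, and "shell" otherwise: the user got a session without
    asking for sftp-server, which for an SFTP-only customer is worth noticing.
    """
    accepted = {}
    sftp_pids, sftp_users = set(), set()
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            accepted[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = SFTP_SUBSYS.search(line)
        if m:
            sftp_pids.add(m.group(1))
            if m.group(2):
                sftp_users.add(m.group(2))
    return {
        pid: (user, ip, "sftp" if pid in sftp_pids or user in sftp_users else "shell")
        for pid, (user, ip) in accepted.items()
    }


def shell_logins(log_text, sftp_only_users):
    """Users from sftp_only_users whose accepted login never requested sftp."""
    return sorted(
        user for user, _ip, kind in classify_sessions(log_text).values()
        if kind == "shell" and user in sftp_only_users
    )
```

Correlation by user name is coarse: a user with one sftp and one shell session in the same log window is reported as sftp for both, so correlate by pid where the sshd version allows it.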
#5 | 8th January 2007, 01:06 | till (Super Moderator, Lüneburg, Germany)

I guess that there is a program missing for sftp in the chroot jail. If I remember correctly, there was a thread about the same problem in the forum some time ago, but I currently can't find it.

- update -

I googled a bit. I guess you will have to add the sftp-server binary (with full path) to the list of chrooted applications in the file /root/ispconfig/scripts/shell/create_chroot_env.sh.
Last edited by till; 8th January 2007 at 01:18.
#6 | 8th January 2007, 11:43 | vogelor (ISPConfig Developer, Wernau, Germany)

Security issue (I guess)

Quote:
Originally Posted by till
I googled a bit. I guess you will have to add the sftp-server binary (with full path) to the list of chrooted applications in the file /root/ispconfig/scripts/shell/create_chroot_env.sh.
Yes! That's right! And now it works!

*** EDIT ***
BUT now I have the problem that the chroot path is INSIDE the sftp root, and so if the user connects to the server with sftp he can upload binaries to its /bin folder and so expand the commands he has! That's not what I want.
----
The text above is WRONG! The files and the dir are only writeable by root and by nobody else. This means the "normal" user can see the files and the dir but cannot change anything!

This means everything works fine now!!
*** END EDIT ***
Last edited by vogelor; 8th January 2007 at 14:13.
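As an added example (not from the thread and not ISPConfig's own script), a Python check of the property vogelor settled on above: nothing under the jail's bin/, lib/ and usr/ trees should be owned by anyone but root or writable by group or others, otherwise a jailed user could swap in their own commands. The directory names, the trusted uid and the demo jail layout are assumptions.

```python
import os
import stat
import tempfile


def audit_jail(jail_root, trusted_uid=0, subdirs=("bin", "lib", "usr")):
    """List (relative_path, reason) for anything under the jail's binary and
    library trees that a jailed user could replace: files or directories not
    owned by trusted_uid, or writable by group or others.

    An empty list means the user can see but not alter the commands in the jail.
    """
    findings = []
    for sub in subdirs:
        top = os.path.join(jail_root, sub)
        if not os.path.isdir(top):
            continue
        for dirpath, _dirnames, filenames in os.walk(top):
            # Check the directory itself, then every entry in it (lstat: do not follow links).
            for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
                st = os.lstat(path)
                rel = os.path.relpath(path, jail_root)
                if st.st_uid != trusted_uid:
                    findings.append((rel, "owned by uid %d, not %d" % (st.st_uid, trusted_uid)))
                if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                    findings.append((rel, "writable by group/others, mode %o" % stat.S_IMODE(st.st_mode)))
    return findings


def build_demo_jail():
    """Constructed jail layout for demonstration: a sane bin/ls, a world-writable
    bin/evil, and a group-writable lib directory."""
    root = tempfile.mkdtemp(prefix="jail_")
    for d, mode in (("bin", 0o755), ("lib", 0o775)):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), mode)
    for f, mode in (("bin/ls", 0o755), ("bin/evil", 0o666)):
        open(os.path.join(root, f), "w").close()
        os.chmod(os.path.join(root, f), mode)
    return root


def demo():
    """Audit the constructed jail. trusted_uid is the current user because the
    demo files were just created by it; on a real jail keep the default, root."""
    return audit_jail(build_demo_jail(), trusted_uid=os.getuid())
```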
#7 | 8th January 2007, 11:52 | till (Super Moderator, Lüneburg, Germany)

And what about using FTP with TLS as I described above? It is also very secure, but you don't have to give the user shell access.
#8 | 8th January 2007, 13:07 | vogelor (ISPConfig Developer, Wernau, Germany)

Quote:
Originally Posted by till
And what about using FTP with TLS as I described above? It is also very secure, but you don't have to give the user shell access.
Maybe I am wrong, so please correct me, if

1) if I use one SSL certificate for ALL of the "vhosts", the certificate is wrong for all domains and the user gets confusing messages and dialogs

2) if I use one SSL certificate for ONE "vhost", then I have to have a certificate for all customers (and this is not the case)
#9 | 8th January 2007, 13:15 | till (Super Moderator, Lüneburg, Germany)

Why don't you make a domain, e.g. ftp1.hostingprovider.com, and point it to this server? All users are able to log in over this domain with one SSL certificate. Many providers use subdomains of their own domain for their FTP and mail servers for exactly this reason.

The mail users are authenticated by their username and not by their domain, so there are no vhosts like in Apache.
#10 | 8th January 2007, 14:05 | vogelor (ISPConfig Developer, Wernau, Germany)

Quote:
Originally Posted by till
Why don't you make a domain, e.g. ftp1.hostingprovider.com, and point it to this server? All users are able to log in over this domain with one SSL certificate. Many providers use subdomains of their own domain for their FTP and mail servers for exactly this reason.
I don't like to think about which of my servers the customer is on. I don't want to say to customer1 "use ftp1.xxx" and to customer2 "use ftp2.xxx". But this is my personal opinion.

Quote:
The mail users are authenticated by their username and not by their domain, so there are no vhosts like in Apache.
I know (this is why I wrote "vhosts" in quotation marks, just to say "several users with their own ftp-root").