ISPConfig and SFTP

Discussion in 'Installation/Configuration' started by vogelor, Jan 7, 2007.

  1. vogelor

    vogelor ISPConfig Developer ISPConfig Developer

    i think, FTP is to insecure to use. so i want that every of my customer can use SFTP instead. SFTP means "tunneling SSH" (i know, this is not 100% real, but near enough to say what i mean). this means, i need to allow every of my customer SSH. this is NOT what i want. so i need something like chrooted SSH with NO critical commands to execute. (ls or dir or something like this is ok, but not kill, ps, top, cronjobs or something "criminal" the user can do with the server.).

    i found in the configuration of ISPConfig something to activate chrooted SSH but what to do to activate?

    can anybody help?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    First, you will have to recompile your SSH Daemon to support chrooting, this is described here for example:

    http://www.howtoforge.com/chrooted_ssh_howto_debian

    Then enable chrooting in the file /home/admispconfig/ispconfig/lib/config.inc.php. Every user that is newly created or updated in ISPConfig will be chrooted.

    Another method to secure your FTP connections without ebaling SSH is to use FTP with TLS (SSL) encryption.

    http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
     
  3. vogelor

    vogelor ISPConfig Developer ISPConfig Developer

    SFTP not working

    Hmm!
    there must be something which i don't know.

    i followed the chrooted howto and the chrooted ssh works fine. i can start my putty and login to my server via SSH as user web14_ov. This works fine and the user is definitely chrooted!

    this works.

    Then i tried to connect via SFTP and this will not work. (the client can connect with SFTP to other servers, so the client is ok).

    can anybody tell me, what is the problem (what is what i have overseen or don't know).

    Is there any log-file i can look into?
     
  4. martinfst

    martinfst ISPConfig Developer ISPConfig Developer

    Depends a bit if you have not changed syslogd, but the default logfile would be /var/log/auth.log. You will find a line like
    Code:
    sshd[1857]: subsystem request for sftp
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess that there is a program missing for sftp in the chroot jail. If I remember correctly, there was a thread about the same problem in the forum some time ago, but I currently cant find it :confused:

    - update -

    I googled a bit. I guess you will have to add the sftp-server binary (with full path) to the list of chrooted applications in the file /root/ispconfig/scripts/shell/create_chroot_env.sh
     
    Last edited: Jan 8, 2007
  6. vogelor

    vogelor ISPConfig Developer ISPConfig Developer

    security issue (i guess)

    yes! that's right! and now it works!

    *** EDIT***
    BUT now i have the problem, that the chroot-path is INSIDE the sftp-root and so if the user connects to the server with sftp he can upload binaries to it's /bin folder and so expand the commands he has! that's not what i want.
    ----
    the text above is WRONG! the files and the dir is only writeable by root and by nobody else. Means the "normal" user can see the files and the dir but not change anything!

    Means everything works fine now!!
    *** END EDIT ***
     
    Last edited: Jan 8, 2007
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    And what about using FTP with TLS as I described above? It is also very secure but you dont have to give the user shell access.
     
  8. vogelor

    vogelor ISPConfig Developer ISPConfig Developer

    :confused: Maybe i am wrong, so please correct me, if:confused:

    1) if i use one SSL certificate for ALL of the "vhosts" the certificate is wrong for all domains and the user gets confusing messages and dialogs

    2) if i use one SSl certificate for ONE "vhost" then i have to have a certificate for all customers (and this is not the case)
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Why dont you make a domain e.g. ftp1.hostingprovider.com and point it to this server. All users are able to login over this domain with one SSL certificate. Many providers use subdomains of their own domain for their FTP and mail servers for exact this reason.

    The mail users are authenticated by their username and not by their domain, so there are no vhosts like in apache.
     
  10. vogelor

    vogelor ISPConfig Developer ISPConfig Developer

    i don't like to think about at what of my server the customer is. i don't want to say to customer1 "use ftp1.xxx" and customer2 "use ftp2.xxx". But this is my personal oppinion

    i know (this is why i wrote "vhosts" in paraphrases - just to say "several users which their own ftp-root)
     
  11. vogelor

    vogelor ISPConfig Developer ISPConfig Developer

    Everything Works Fine Now

    ok!
    i have to correct (edit) my last posting.
    now everyting works fine

    thanks to all who helped me!
     

Share This Page