Chroot SSH
For the longest time I've had a problem with ftp. My problem is, specifically, that I don't like enabling ftp on any server for which I'm responsible. Like telnet, I feel it's fundamentally insecure. It's also an absolute pain in the arse trying to get ftp to play nicely with firewalls.
Obviously SSH is the way to go. I've used scp to copy my files around for years; more recently I discovered the joys of sftp when trying to get OpenSSH to talk to SSH2. The problem, however, is that SSH gives you a shell. So it's not a drop-in replacement for ftp. Furthermore, it's seemingly impossible to drop users into a chrooted environment.
For a while I looked at VShell from VanDyke Software. But as it's commercial it's a non-starter (I insist on open source). But while perusing the ports when I found myself with an hour to kill, I discovered something which seemingly met my requirements.
Installing scponly was simple enough:
cd /usr/ports/shells/scponly/
make -DWITH_SCPONLY_CHROOT -DWITH_SCPONLY_RSYNC install clean
Setting up a chrooted user is also simple enough:
cd /usr/local/share/examples/scponly/
./setup_chroot.sh
Example output is below. Only one caveat: the script will barf with a rather unhelpful message if it can't find config.h in the same directory as the script is run from.
Next we need to set the home directory for this scponly user.
please note that the user's home directory MUST NOT be writeable by the scponly user.
this is important so that the scponly user cannot subvert the .ssh configuration parameters.
for this reason, a writeable subdirectory will be created that the scponly user can write into.
-en Username to install [scponly]
-en home directory you wish to set for this user [/home/scponly]
-en name of the writeable subdirectory [incoming]
creating /home/scponly/incoming directory for uploading files
Your platform (FreeBSD) does not have a platform specific setup script.
This install script will attempt a best guess.
If you perform customizations, please consider sending me your changes.
Look to the templates in build_extras/arch.
- joe at sublimation dot org
please set the password for scponly:
Changing local password for scponly.
New password:
Retype new password:
passwd: updating the database...
passwd: done
if you experience a warning with winscp regarding groups,
please install the provided hacked out fake groups program into your chroot, like so:
cp groups /home/scponly/bin/groups
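The one line in that output that actually matters for security is the warning that the home directory MUST NOT be writeable by the scponly user: if it were, the user could drop their own files under ~/.ssh (an rc or environment file that sshd honours, for instance) and escape the restricted shell. The following is an added example, not part of scponly or its setup script, that checks a chroot home for exactly that layout: home and ~/.ssh not writable by the restricted user, upload subdirectory writable. The function names, the username "scponly" and the paths are assumptions for illustration; the check uses ls -ld so it works on both FreeBSD and Linux.

```shell
#!/bin/sh
# check_scponly_chroot HOME USER [SUBDIR]
# Added example (not scponly's own code): verifies the layout rule that
# setup_chroot.sh insists on. Paths with whitespace are not handled.

# Print "<mode string> <owner>" for a path, e.g. "drwxr-xr-x root".
mode_owner() {
    set -- $(ls -ld "$1")
    printf '%s %s\n' "$1" "$3"
}

# Return 0 if USER could write DIR. Conservative: owning the directory,
# or any group/world write bit, counts as writable.
writable_by() {
    wdir=$1; wuser=$2
    set -- $(mode_owner "$wdir")
    wmode=$1; wowner=$2
    [ "$wowner" = "$wuser" ] && return 0
    case "$wmode" in
        ?????w*|????????w*) return 0 ;;   # group-write or other-write bit
    esac
    return 1
}

# Return 0 if the chroot home is laid out safely for the restricted user.
check_scponly_chroot() {
    home=$1; user=$2; sub=${3:-incoming}
    rc=0
    if [ ! -d "$home" ]; then
        echo "FAIL: $home is not a directory"
        return 1
    fi
    if writable_by "$home" "$user"; then
        echo "FAIL: $home is writable by $user (could plant .ssh/rc or .ssh/environment)"
        rc=1
    fi
    if [ -d "$home/.ssh" ] && writable_by "$home/.ssh" "$user"; then
        echo "FAIL: $home/.ssh is writable by $user"
        rc=1
    fi
    if [ ! -d "$home/$sub" ]; then
        echo "FAIL: upload directory $home/$sub is missing"
        rc=1
    elif ! writable_by "$home/$sub" "$user"; then
        echo "FAIL: $home/$sub is not writable by $user, uploads will fail"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $home is not writable by $user, $home/$sub is"
    fi
    return $rc
}

# Usage: ./check_scponly_chroot.sh /home/scponly scponly incoming
if [ $# -ge 2 ]; then
    check_scponly_chroot "$@"
fi
```

Run it after setup_chroot.sh, and again whenever someone "fixes" an upload problem with a chmod, which is the usual way the home directory ends up writable.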
A quick test with scp and sftp, and finally I've achieved something that's been on my TO DO list for far too long. Not ideal, as I hate needing all the shrubbery. But it'll do.