Unix administration - sftp setup guide wanted !!


Author sftp setup guide wanted !!
tofran@gmail.com

2006-10-04, 7:35 am

Hi guys out there,

I have been told to convert our ftp-service on HPUX and RedHat
installation to sftp instead because of the password exposed problem on
ftp. I have looked around for some time for a guide to help me doing
this, without success.

I have some issues that have to be cleared out before doing the
conversion. The primary issues are to get the same features as from ftp
eg.

1. Can I create a ftp-user only having read-only (download) access to
the whole Unix-system ??
2. Can I create a ftp-user to access only a specified part of a
disk/directory (eg. a down-/upload-section), so it cannot harm any
other part of the Unix-system. The section should be open for all
defined ftp-users.
3. I have read the anonymous user cannot be created in sftp. How can
this be done.

Can all the above mentioned be handled on the same Unix-server.

I have the impression that it is possible to setup a lot of things in
FTP about access control, but it is not the case for SFTP is that right
??

All material to enlighten me will be appreciated.

Any hints are welcome and thanks in advance.

Best regards
Tom Frank

Michael Heiming

2006-10-05, 7:29 am

In comp.unix.admin tofran@gmail.com:
> Hi guys out there,


> I have been told to convert our ftp-service on HPUX and RedHat
> installation to sftp instead because of the password exposed problem on
> ftp. I have looked around for some time for a guide to help me doing
> this, without success.


> I have some issues that have to be cleared out before doing the
> conversion. The primary issues are to get the same features as from ftp
> eg.


> 1. Can I create a ftp-user only having read-only (download) access to
> the whole Unix-system ??
> 2. Can I create a ftp-user to access only a specified part of a
> disk/directory (eg. a down-/upload-section), so it cannot harm any
> other part of the Unix-system. The section should be open for all
> defined ftp-users.
> 3. I have read the anonymous user cannot be created in sftp. How can
> this be done.


> Can all the above mentioned be handled on the same Unix-server.


> I have the impression that it is possible to setup a lot of things in
> FTP about access control, but it is not the case for SFTP is that right
> ??


If password security is what you care about, I'd suggest using
vsftpd and enable ssl/tls*. It comes with RHEL and should work on
HP-UX as well, though you might need some additional things
(openssl/etc) if you don't have them installed.

AFAIK some features you want aren't available with sftp, since it
is just a sub-system of openssh, but should work just fine with
vsftpd and ssl/tls enabled.

Check the docs coming with your RHEL system and:

http://vsftpd.beasts.org/

*Ftp client needs to support ssl though, of course!

Good luck

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 293: You must've hit the wrong any key.
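
Added example, not part of the thread or of vsftpd itself: a small checker for the vsftpd-with-ssl/tls setup suggested above, run over two constructed vsftpd.conf samples. The option names are vsftpd's own; the defaults table, the certificate path, and the chroot check (for item 2 of the question) are assumptions made for this illustration.

```python
# Added example: flag vsftpd.conf settings that leave FTP logins or data unencrypted.

# Built-in defaults per vsftpd.conf(5); options absent from a file use these.
DEFAULTS = {"ssl_enable": "NO", "force_local_logins_ssl": "YES",
            "force_local_data_ssl": "YES", "ssl_sslv2": "NO",
            "ssl_sslv3": "NO", "chroot_local_user": "NO"}

# (option, required value, consequence when it differs)
RULES = [
    ("ssl_enable", "YES", "TLS is off: USER/PASS are sent in cleartext"),
    ("force_local_logins_ssl", "YES", "local users may log in without TLS"),
    ("force_local_data_ssl", "YES", "file data may be sent without TLS"),
    ("ssl_sslv2", "NO", "obsolete SSLv2 is accepted"),
    ("ssl_sslv3", "NO", "obsolete SSLv3 is accepted"),
    ("chroot_local_user", "YES", "local users can browse outside their home"),
]

def parse_conf(text):
    """Parse 'option=value' lines; '#' starts a comment; booleans assumed YES/NO."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(text):
    """Return 'option: problem' strings; an empty list means every check passed."""
    settings = parse_conf(text)
    return [f"{opt}: {why}" for opt, want, why in RULES if settings.get(opt) != want]

WEAK = """\
# constructed sample: local logins enabled, TLS never switched on
local_enable=YES
"""

HARDENED = """\
# constructed sample: TLS required for login and data, users jailed to home
local_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
chroot_local_user=YES
"""

if __name__ == "__main__":
    print("WEAK:", audit(WEAK), "HARDENED:", audit(HARDENED))
```
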

Michael Paoli

2006-10-07, 7:42 pm

Michael Heiming wrote:
> In comp.unix.admin tofran@gmail.com:
>
>
You probably shouldn't give read access to the whole system for any
user. E.g. private keys, /etc/shadow, etc., shouldn't be readable by
any regular users of the system.
>
>
>
> If password security is what you care about, I'd suggest using
> vsftpd and enable ssl/tls*. It comes with RHEL and should work on
> HP-UX as well, though you might need some additional things
> (openssl/etc) if you don't have them installed.
>
> AFAIK some features you want aren't available with sftp, since it
> is just a sub-system of openssh, but should work just fine with
> vsftpd and ssl/tls enabled.
>
> Check the docs coming with your RHEL system and:
>
> http://vsftpd.beasts.org/
>
> *Ftp client needs to support ssl though, of course!


Another possibility you may want to consider - Kerberos. It is
possible to set up FTP servers that work with and use Kerberos, and
they can either support Kerberos encrypted FTP sessions as being
optional, or they can be configured to reject any non-encrypted FTP
sessions.

Such an approach (and configured with mandated encryption) would
ensure that FTP passwords were not sent in the clear. It would also
have the advantage (as would sftp) that the data transfers would also
be encrypted. Unlike sftp, however, using FTP with Kerberos would
give a much more highly similar interface and "user experience" to
that of FTP, whereas sftp, while being rather to quite similar,
doesn't support precisely the same sets of commands that FTP does, so
that might potentially be an issue for you.

Joe

2006-10-25, 1:28 pm

Michael,

Is there a guide for Solaris?

DBA wrote Java script to pull "stuff" by ftp - I need it to do sftp full
I googled and found jAsftp but of course it is pay.

Any ideas?

Joe


Copyright 2003 - 2008 webservertalk.com