Comments on: Lock down SFTP without restricting SSH on Ubuntu 8.10 (Intrepid Ibex)

By: Corey

Corey — Thu, 02 Jul 2009 03:16:21 +0000

I’m thinking that once you have a chance to get it all together, we could package it as an OVF and submit it to VMware as a full featured drop in SFTP. Call it the “Unadopted Secure FTP server”…..

I can tell you honestly… I was sure looking for a quick and easy solution a couple of months ago when I started investigating secure file transfer solutions. A readily available prepackaged virtual machine would have solved all my problems.

You could be a hero to some Geek out there… :)

By: Aaron B. Russell

Aaron B. Russell — Wed, 24 Jun 2009 20:32:27 +0000

Intriguing. In that case, yeah I’ll probably get that added in. I’ve gotten swamped with another project in the short term, but keep reminding me, and I’ll get it done.

By: Corey

Corey — Wed, 24 Jun 2009 18:32:24 +0000

Sure, there is some logging, but it is mainly access logs. There is a patch available that allows fine grained logging of actual file transfers. The patch can be found at: http://sftpfilecontrol.sourceforge.net/

It was just an idea. Your packages allow sftp to become almost as user friendly as proftpd… Now if you can add the logging patch from that site, sftp would be completely full featured. In my opinion, this is how it should have been coded from the start. As a secure replacement for http://ftp….

By: Aaron B. Russell

Aaron B. Russell — Thu, 18 Jun 2009 16:04:30 +0000

According to that site, it’s built into the current openssh. I know that logwatch emails me a report of all sftp logins nightly (though I don’t think it’s quite like the logging you’d get with, say, proftpd — it’s just syslog events I think).

If there’s already a patch written and tested with the current OpenSSH release I’d be happy to review the code and add it, though I can’t commit to coding/testing it myself at the moment. :(

By: Corey

Corey — Tue, 16 Jun 2009 00:09:49 +0000

I’m trying to figure out a way to get the Sftp to log activity (uploads and downloads)… Have you ever come across a good method?

I stumbled onto this website: http://sftplogging.sourceforge.net/

It’s been updated to a newer version, but from this site you will get the idea. It seems there is a patch that must be installed prior to compiling the source.

What are your thoughts of compiling the logging patch within your patched openssh binary?

Corey

By: Corey

Corey — Mon, 15 Jun 2009 23:12:41 +0000

Very nice… do you ever check your gmail acct?

By: Aaron B. Russell

Aaron B. Russell — Tue, 09 Jun 2009 12:51:19 +0000

Corey: I’ve not written up any documentation yet, but there are now Intrepid and Jaunty builds of this at https://launchpad.net/~aaronr/+archive/ppa — you’ll still need to install sftpsh seperately as described above, and chmod +s /usr/lib/openssh/sftp-server but it’s definitely a bit more Ubuntu this way… :)

I’ll try and get a post with some proper documentation done soon.

By: Corey

Corey — Wed, 27 May 2009 22:35:52 +0000

Ok… I just realized that you told me to do that command in the post above…. Damn I’m slow! I didn’t refresh before writing the comment….

ps… I wish i could edit my posts…. I wouldn’t feel as stupid….

By: Corey

Corey — Wed, 27 May 2009 18:29:40 +0000

Dude… I figured it out! You didn’t set the suid for sftp-server…. Since the patch uses suid to chroot the users, you have to run the following command:

chmod +s /usr/lib/openssh/sftp-server

once you run that command, you can create the root directory for the ftp user with ./ and they will be chrooted correctly!

This should be placed after the line:

sudo echo “/bin/sftpsh” >> /etc/shells

This is awesome, i appreciate your help!!!

By: Corey

Corey — Wed, 27 May 2009 17:42:58 +0000

I’ll be here. I would like to see this project through. Maybe after you figure it all out, you can build a pretty front end to it….

There’s alot of potential there…