hi list

yesterday I set up a vsftpd server - successfully ;-) all common connections (from the beloved redmond tools) cause no problems. curiously the lukeftp command line tool has problems connecting to the server. in standard mode all commands which activate the passive mode fail:

    229 Entering Extended Passive Mode (|||46597|)

...here is a dead end. after googling I discovered the epsv4 toggle mode. after disabling the extended passive commands, the following server message appears:

    227 Entering Passive Mode (XXX,XXX,XX,XX,23,72)

that works quite well. curiously I can establish a connection to this ftp-server via VPN (and the private IP number). within my enterprise network the 229 - Extended Passive Mode works! therefore it is definitely not the fault of vsftpd. here come my questions.

1) I assume the number "46579" is the port number given by the FTP server in the case of epsv. the ",23-72" is the range of data ports given by FTP in the case of pasv mode. is that correct? therefore one firewall seems to block the high port 46579 in the case of an internet connection (at VPN connection all traffic goes through..)??

2) if I establish with lukeftp a connection to "ftp.suse.com" I am immediately in pasv mode (instead of epsv). I assume SuSE is also running vsftpd - therefore a setting must exist which forces ftp-clients to use classical pasv mode. unfortunately I could not find this option.

regards
harald
--
Mit freundlichen Grüßen / With kind regards
Dipl.-Ing. Harald Nikolisin
SOFiSTiK AG (Entwicklung)
Hi to all!
How can I allow users to log in using a sftp connection, but NOT allowing
them to open a shell using ssh?
(If I change a shell to /bin/false, that user cannot log in through sftp)
I have an i386 arch., SuSE 7.1, and all patches applied.
Thanks in advance.
> How can I allow users to log in using a sftp connection, but NOT allowing
> them to open a shell using ssh?

Look for scponly or rssh at freshmeat.net

> I have a i386 arch. , SuSE 7.1, and all patches applied.

There are no patches for 7.1 anymore. I hope that you are really using the latest versions of all networked software now! You should better update your machine to 9.0 and have automated updates for the next 2 years (ok, minus 4 months because it is out since oct. 2003)

Markus
--
Markus Gaugusch
markus(at)gaugusch.at
ASCII Ribbon Campaign Against HTML Mail
-----Original Message-----
From: Markus Gaugusch [mailto:markus@gaugusch.at]
Sent: Wednesday, January 28, 2004 5:30 AM
To: Manuel Balderrabano
Cc: suse-security@suse.com
Subject: Re: [suse-security] sftp with no ssh login

> How can I allow users to log in using a sftp connection, but NOT allowing
> them to open a shell using ssh?
>
> Look for scponly or rssh at freshmeat.net

Another thing to try is put "logout" at the beginning of ~/.bash_login. Upon ssh login it will run the .bash_login and log them out. On sftp, it won't run ~/.bash_login so they can still sftp.

Ben
Ben Yau wrote:
> Another thing to try is put "logout" at the beginning of ~/.bash_login. Upon ssh login it will run the .bash_login and log them out. On sftp, it won't run ~/.bash_login so they can still sftp

ssh user@remote.sftp.server rm .bash_login ;)
-----Original Message-----
From: Sven 'Darkman' Michels [mailto:sven@darkman.de]
Sent: Wednesday, January 28, 2004 8:39 AM
To: suse-security@suse.com
Subject: Re: [suse-security] sftp with no ssh login

> Ben Yau wrote:
>> Another thing to try is put "logout" at the beginning of ~/.bash_login. Upon ssh login it will run the .bash_login and log them out. On sftp, it won't run ~/.bash_login so they can still sftp
>
> ssh user@remote.sftp.server rm .bash_login ;)
Ruin my day .. go ahead :)

I started thinking of another solution (along the lines of alias rm='logout') when I realized that a smart user could just sftp and put in a new ~/.bash_profile. Provided they were clever enough to figure out how you auto logged them out.

What you could do is in /etc/profile have it read a list of valid users/uid from a root-writable/world-readable file. Then in /etc/profile throw in some logic that if the userid does not match the one reading the file then log them out. Then put users who you want to be able to ssh into the root-owned file. Another idea to test out, and more secure. Good thinking Sven :)

Off the subject here, but this reminds me of a time when this "big shot" consultant guy came in to consult with our team at my first job (I was a greenie sysadmin) and was showing me how to use sudo and made a list of denied commands. And I told him "isn't that a security hole?" and he said "how?". He had put all the shells in the denied commands so I copied /bin/bash to ~/mybash and then ran it under sudo. His jaw dropping was one of the funniest things I'd ever seen. (Don't want to be too hard on him though, he actually was a really GREAT guy and very fun to work with.) So that's why you got to be really careful with your sudo configs :D and in this case the way you attempt to deny ssh and still allow sftp.

Ben Yau
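The /etc/profile allow-list idea from the post above, written out as an added shell example (this is not Ben's code and not part of the thread). It assumes a root-owned, world-readable file /etc/ssh-shell-users holding one login name per line; that path is an invented name. The function refuses to trust a list the checked user could write to, which covers the sftp-upload problem raised earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: gate interactive shell logins from
# /etc/profile against a root-owned, world-readable allow-list.
# /etc/ssh-shell-users is an assumed file name (one login name per line).

# shell_login_allowed USER LISTFILE -> status 0 when USER may keep a shell
shell_login_allowed() {
    user=$1
    list=$2
    # The list must exist as a regular file ...
    [ -f "$list" ] || return 1
    # ... and must not be writable by the user being checked (root is
    # exempt); a list the user could edit over sftp would be worthless.
    if [ "$(id -u)" -ne 0 ] && [ -w "$list" ]; then
        return 1
    fi
    # Whole-line, fixed-string match so "ali" does not match "alice".
    grep -qxF -- "$user" "$list"
}

# Intended use near the top of /etc/profile, which a login shell reads
# but the sftp subsystem (a non-login "$SHELL -c" invocation) does not:
#   shell_login_allowed "$(id -un)" /etc/ssh-shell-users || exit
```

Because the check lives in a root-owned file and the list itself must not be writable by the user, replacing ~/.bash_profile over sftp no longer helps; the post's own caveat still applies, so treat this as a convenience layer rather than a substitute for scponly or rssh.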
Ben Yau wrote:
> -----Original Message-----
> From: Sven 'Darkman' Michels [mailto:sven@darkman.de]
>
>> Ben Yau wrote:
>>> Another thing to try is put "logout" at the beginning of ~/.bash_login. Upon ssh login it will run the .bash_login and log them out. On sftp, it won't run ~/.bash_login so they can still sftp
>>
>> ssh user@remote.sftp.server rm .bash_login ;)
>
> Ruin my day .. go ahead :)
> I started thinking of another solution (along the lines of alias rm='logout') when I realized that a smart user could just sftp and put in a new ~/.bash_profile.
> Provided they were clever enough to figure out how you auto logged them out. ...
Depends on what's acceptable at your place. You could give the person (people) a home dir that is owned by root, and all files in the home dir owned by root, with perms of 555 (basically a shell home, just enough to make whatever you need work); then you could set things up that way. It seems to me there should be a more elegant way, but my point is you should be able to make the above work. That is assuming you're allowed to lock it down that tight (by management). HTH, Kevin
> 227 Entering Passive Mode (XXX,XXX,XX,XX,23,72)
>
> that works quite well. curiously I can establish a connection to this ftp-server via VPN (and the private IP number). within my enterprise network the 229 - Extended Passive Mode works! therefore it is definitely not the fault of vsftpd. here come my questions.
>
> 1) I assume the number "46579" is the port number given by the FTP server in the case of epsv. the ",23-72" is the range of data ports given by FTP in the case of pasv mode. is that correct? therefore one firewall seems to block the high port 46579 in the case of an internet connection (at VPN connection all traffic goes through..)??

The final two numbers are an (obscure) definition of the port number: (23*256)+72 = 5960. So the passive connection is trying to connect to port 5960.

Ta, Andy
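The decoding Andy describes, worked through as an added shell example (not code from the thread): it extracts the data port from a 227 (PASV) reply with the p1*256+p2 rule and from a 229 (EPSV) reply, where the port is carried literally, and checks it against a firewall-permitted range. The sample replies are constructed, 192.0.2.10 is a placeholder address, and the 5000-6000 range stands in for whatever the server's configured passive range is (vsftpd's pasv_min_port/pasv_max_port settings are assumed here, they are not mentioned in the thread).

```shell
#!/bin/sh
# Added example, not from the thread: decode the data port a server
# advertises in a PASV (227) or EPSV (229) reply so a firewall rule for
# the passive range can be verified. Sample replies below are constructed.

# pasv_port "227 Entering Passive Mode (192,0,2,10,23,72)"  ->  5960
pasv_port() {
    # Keep the comma-separated tuple between the parentheses, split it
    # into six fields and combine the last two as p1*256 + p2.
    set -- $(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p' | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    # Each byte of the port must fit in 0..255, otherwise the reply is malformed.
    [ "$5" -le 255 ] && [ "$6" -le 255 ] || return 1
    echo $(( $5 * 256 + $6 ))
}

# epsv_port "229 Entering Extended Passive Mode (|||46597|)"  ->  46597
epsv_port() {
    # EPSV carries the port as plain digits between the last two '|' delimiters.
    port=$(printf '%s\n' "$1" | sed -n 's/.*(|||\([0-9]*\)|).*/\1/p')
    [ -n "$port" ] || return 1
    echo "$port"
}

# data_port REPLY -> dispatch on the reply code, fail on anything else
data_port() {
    case $1 in
        227*) pasv_port "$1" ;;
        229*) epsv_port "$1" ;;
        *)    return 1 ;;
    esac
}

# in_range PORT MIN MAX -> status 0 when the port lies inside the range
# the firewall permits (5000-6000 is an assumed example range).
in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Usage, e.g. when reading a client's debug log:
#   p=$(data_port "227 Entering Passive Mode (192,0,2,10,23,72)") && in_range "$p" 5000 6000
```

Running both replies from the thread through data_port shows why one works through the firewall and the other does not: 5960 falls inside a modest pinned range, while 46597 is an unrelated high port that a perimeter rule written for the pinned range will drop.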
> ... therefore a setting must exist which forces ftp-clients to use classical pasv mode. unfortunately I could not find this option.

As with most packages the manpages help here, or you use this software for a while (like me).

    pasv_enable=YES # enables pasv mode

Here is a list of all known options: http://www.die.net/doc/linux/man/man5/vsftpd.conf.5.html
Or type in the console "man vsftpd.conf". Under Examples you find essential help with basic setups for vsftpd.
Here you find the actual sources: http://vsftpd.beasts.org/

Philippe
hi philippe

> pasv_enable=YES # enables pasv mode

well, this does not force classical PASV mode if the user comes with EPSV.

harald
--
Mit freundlichen Grüßen / With kind regards
Dipl.-Ing. Harald Nikolisin
SOFiSTiK AG (Entwicklung)
participants (8)
- Andy Doran - Job Management Systems Ltd.
- Ben Yau
- Kevin Brannen
- Manuel Balderrábano
- Markus Gaugusch
- Nikolisin, Harald
- Philippe Vogel
- Sven 'Darkman' Michels