Muchisimas gracias a todos por vuestros comentarios. Después de escucharos a todos creo que optare por pure-ftp, una politica de permisos bastante restrictiva y una recomendación encarecida a los usuarios de que usen ssh en vez de ftp siempre que les sea posible.
Hola José; e dejo aquí unos apuntos muy interesantes extraídos directamente de las FAQs de Pure-FTPd * FTP over SSH. -> How to run Pure-FTPd over SSH? I want to encrypt all connection data (including passwords) . FTP-over-SSH is a nice alternative over FTP-over-SSL (impossible to securely firewall) and SFTP (which is slower, but only uses one port) . Customers using Windows can use FTP-over-SSH with the excellent Van Dyke's SecureFX client (http://www.vandyke.com) . It doesn't require any special knowledge: just tell your customer to check "FTP-over-SSH2" in the "Protocol" listbox when creating an account for your FTP server. On the server side, here's how to manage FTP-over-SSH accounts: 1) Add /usr/bin/false to your /etc/shells file (on some systems, it's /bin/false) . 2) To create a FTP-over-SSH account, create a system account with /dev/null as a home directory and /usr/bin/false as a shell. You don't need a dedicated uid: the same uid can be reused for every FTP-over-SSH account. 3) Create a virtual user account for that user (either with PureDB, SQL or LDAP) . Give that virtual user a real home directory and only allow connections coming from 127.0.0.1 (all FTP-over-SSH sessions will come from localhost, due to SSH tunneling) . People with no home directory (/dev/null) and no valid shell (/usr/bin/false) won't be able to get a shell nor to run any command on your server. But they will be granted FTP-over-SSH sessions. Here are examples (Linux/OpenBSD/ISOS/EkkoBSD commands, translate them if necessary) . 1) Creating a regular FTP account: pure-pw useradd customer1 -m -d /home/customer1 -u ftpuser 2) Creating a FTP-over-SSH account (non-encrypted sessions are denied): useradd -u ftpuser -g ftpgroup -d /dev/null -s /usr/bin/false customer2 pure-pw useradd customer2 -m -d /home/customer2 -u ftpuser -r 127.0.0.1/32 3) Creating an account who can use regular (unencrypted) FTP from the internal network (192.168.1.x), but who must use FTP-over-SSH when coming from an external network (internet): useradd -u ftpuser -g ftpgroup -d /dev/null -s /usr/bin/false customer3 pure-pw useradd customer3 -m -d /home/customer3 -u ftpuser \ -r 127.0.0.1/32,192.168.1.0/24 -- Salut, Jordi Espasa