[nycbug-talk] virtual users and ftp/scp/rsync-ssh (was: ftp client....)

Bob Ippolito bob
Wed Jun 2 10:47:53 EDT 2004


On Jun 2, 2004, at 9:37 AM, George Georgalis wrote:

> On Tue, Jun 01, 2004 at 09:54:19PM -0400, Bob Ippolito wrote:
>> On Jun 1, 2004, at 8:21 PM, George Georgalis wrote:
>>
>>> I'm thinking djb's checkpassword to chroot to the user's dir for a
>>> ftp/scp/rsync-ssh restricted shell (yes I need to enable ftp auth,
>>> securely) could do it, with everything in a cdb. But I'd like to get
>>> something acceptable (ftp) in place soon. :-} Any ideas?
>>
>> The solution I would use is to use servers designed to handle the
>> virtual user scenario.  I remember ProFTPd (?) being capable of doing
>> this quite a few years ago.
>
> I never noticed virtual users as a ProFTPd feature. It looks perfect,
> will have to give it a shot and worry about the other protocols later.

I also remember it having some exploits a few years ago.. but I'm sure 
that's probably settled down :)  I don't think I've run ProFTPd since 
1999 or so..

>>  As for scp and rsync-ssh I don't know of
>> any out of the box solutions, however if you're good with Python you
>> may want to take a look at conch (a component of Twisted,
>> http://twistedmatrix.com/), which is a Python implementation of the SSH
>> protocol.  I've personally seen it used to implement restricted virtual
>> scp, but I don't think any such package has been released.  Twisted
>> does of course also have a FTP component that can be used more or less
>> out of the box.  I'm not really very familiar with the implementation
>> of rsync, but I can't imagine it would be too hard to implement either.
>
> I think Twisted, http://twistedmatrix.com/ is a bit of a stretch. :)
> Thanks for the link anyhow.

Why do you say it's a stretch?  It's probably the only thing out there 
that's designed to facilitate the sort of configuration you want.

>> On the other hand, I've personally standardized on WebDAV with Apache2:
>> - You probably already know how to configure it
>> - You can authenticate and authorize however the hell you want
>> - Encryption is easy, just use SSL
>> - Anyone with a web browser can fetch files from it
>> - Anyone with a non-ancient operating system can mount it as a
>> filesystem without any additional software
>> - Anyone with an ancient operating system can still get software
>> that'll do it
>> - Many software products integrate with it specifically
>
> It never occurred to me that I might actually _want_ Apache2 features.
> This looks worth looking into. Thanks.

Apache 2 is definitely underrated.  If you have to run really tightly 
integrated modules or really squeeze performance out of a box, Apache 
1.3.x really isn't an option.  Extra functionality is just icing on the 
cake.

There is at least one WebDAV implementation for Apache 1.3.x, but it 
probably hasn't been updated much since the release of Apache 2.. so I 
would just bite the bullet and go with Apache 2.

-bob