[nycbug-talk] virtual users and ftp/scp/rsync-ssh (was: ftp client....)

Bob Ippolito bob
Tue Jun 1 21:54:19 EDT 2004


On Jun 1, 2004, at 8:21 PM, George Georgalis wrote:

> On the near horizon is another unrelated problem I need to work out,
> give _virtual_ users ftp/scp/rsync-ssh access to _their_ and only
> _their_ public html docs directories. I saved this shell from a while
> back:
>
> http://www.panix.com/~atlunde/software/restricted-shell/rsync-restricted-shell
>
> I've not completely got my head around that one, it may do, but I would
> prefer not using system accounts, even if they are restricted, and I
> don't want one user to be able to cd to another's 'public' html, and
> read htaccess protected files for example.

That 'shell' requires system accounts, and it's not chrooted.  Seems  
like a pretty ghetto way to do it in any case...

> I'm thinking djb's checkpassword to chroot to the user's dir for a
> ftp/scp/rsync-ssh restricted shell (yes I need to enable ftp auth,
> securely) could do it, with everything in a cdb. But I'd like to get
> something acceptable (ftp) in place soon. :-} Any ideas?

The solution I would use is to use servers designed to handle the  
virtual user scenario.  I remember ProFTPd (?) being capable of doing  
this quite a few years ago.  As for scp and rsync-ssh I don't know of  
any out of the box solutions, however if you're good with Python you  
may want to take a look at conch (a component of Twisted,  
http://twistedmatrix.com/), which is a Python implementation of the SSH  
protocol.  I've personally seen it used to implement restricted virtual  
scp, but I don't think any such package has been released.  Twisted  
does of course also have a FTP component that can be used more or less  
out of the box.  I'm not really very familiar with the implementation  
of rsync, but I can't imagine it would be too hard to implement either.

If you have a budget to support this configuration, I can find you a  
developer that'll be able to whip this up rather quickly.

On the other hand, I've personally standardized on WebDAV with Apache2:
- You probably already know how to configure it
- You can authenticate and authorize however the hell you want
- Encryption is easy, just use SSL
- Anyone with a web browser can fetch files from it
- Anyone with a non-ancient operating system can mount it as a  
filesystem without any additional software
- Anyone with an ancient operating system can still get software  
that'll do it
- Many software products integrate with it specifically

Sure, it's not the most efficient transport, but it's (BY FAR) the most  
practical for my purposes.

-bob
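The Apache2 WebDAV layout Bob describes, as an added example that is not code from the thread or from any list member: each virtual user gets a public read-only URL and an SSL-only, authenticated read-write DAV URL onto the same directory. It assumes Apache 2.4 syntax, the modules named in the comments, users' trees under /var/www/users/<name> and an htpasswd file at /etc/apache2/dav.htpasswd (all hypothetical paths).

```apache
# Added example, not code from the thread: per-user WebDAV shares on Apache 2.4.
# Assumes mod_dav, mod_dav_fs, mod_ssl, mod_auth_basic, mod_authz_user and mod_macro
# are loaded, each user's tree lives at /var/www/users/<name>, and credentials sit in
# /etc/apache2/dav.htpasswd (maintained with htpasswd, so no system accounts are needed).

DavLockDB /var/lock/apache2/davlock

<Macro DavUser $name>
    # Public, read-only view: anyone with a browser fetches https://host/~$name/
    Alias /~$name /var/www/users/$name
    <Directory /var/www/users/$name>
        Options -Indexes
        Require all granted
    </Directory>

    # Read-write WebDAV view of the same tree, over SSL, for $name and nobody else.
    # The Require line is the authorization boundary: it is what stops one user from
    # listing (PROPFIND) or writing (PUT, MKCOL, DELETE, MOVE) another user's directory.
    Alias /dav/$name /var/www/users/$name
    <Location /dav/$name>
        Dav On
        SSLRequireSSL
        AuthType Basic
        AuthName "WebDAV for $name"
        AuthUserFile /etc/apache2/dav.htpasswd
        Require user $name
    </Location>
</Macro>

# One line per virtual user; add or remove users here and in the htpasswd file.
Use DavUser alice
Use DavUser bob
UndefMacro DavUser
```

Because httpd reads every user's tree as a single system uid, the isolation is enforced by the Require directives at the HTTP layer rather than by the filesystem, so keep Apache's stock `<FilesMatch "^\.ht">` denial in place so .htaccess and .htpasswd files stay unreadable through the public view.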