SFTP questions
September 17, 2009, 11:21 pm
First issue: when I use the "ChrootDirectory" and "internal-sftp"
capability of OpenSSH, I don't have the ability to set the default
umask. I need it so my administrators can log in as themselves and
drop files into our external users' directories for pick-up. Do I need
to use the full (manual) chroot setup, with a restricted shell, to
solve this problem, or is there an easier way?
Second issue: we need our secure FTP server to be able to use a
certificate, signed by a CA (like Verisign), so our external users can
verify the server they're connecting to is actually our server.
Looking in the OpenSSH documentation, I don't see any way to do that,
out of the box. I looked at the X.509 patch from Roumen Petrov, but
the documentation is sparse, and I can't tell if it's what I need. I
also don't trust patches from "any old web site", unless someone
vouches for them, either. I'd prefer not to use a custom copy
of OpenSSH (since updates become more difficult), but if you guys tell
me it's the way to go, I'll do it.
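The umask question in the post above can be handled without a full manual chroot or a restricted shell: sftp-server(8) and internal-sftp accept a `-u umask` option that sets an explicit umask for files and directories they create (added in OpenSSH 5.4, released after this thread). The sshd_config fragment below is an added, constructed example and not from the thread or the OpenSSH project; the paths (/srv/sftp), group names (sftpusers, sftpadmins) and the user name alice are assumptions. It keeps external users confined to their own tree while administrators are chrooted one level up with a umask that makes dropped files readable by the recipient.

```text
# sshd_config (constructed example; adjust paths and group names to your site)
Subsystem sftp internal-sftp

# External pick-up users: confined to their own tree, no shell, no forwarding.
Match Group sftpusers
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

# Administrators dropping files off: chrooted to the common parent, with an
# explicit umask so new files land as 0644 and the recipient can read them.
Match Group sftpadmins
    ChrootDirectory /srv/sftp
    ForceCommand internal-sftp -u 0022
    AllowTcpForwarding no
    X11Forwarding no

# Required layout. The ChrootDirectory and every directory above it must be
# owned by root and not writable by group or others, so the writable drop
# point is a subdirectory:
#
#   /srv/sftp                  root:root         0755
#   /srv/sftp/alice            root:root         0755   alice's chroot
#   /srv/sftp/alice/pickup     alice:sftpadmins  0770   admins write, alice reads
#
# Files dropped by an admin are 0644, but only alice (owner) and sftpadmins
# (group) can enter pickup, so other local users cannot reach them.
```

Check the result with `sshd -T -C user=alice` before reloading: it prints the effective options for that user, so a Match block that does not apply, or a chroot path with the wrong ownership, shows up before the first external login does.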
- Nico Kadel-Garcia
September 18, 2009, 11:38 am
Re: SFTP questions
Hmm. Would a 'pull' model, with the clients pulling from an HTTPS
based source control system like Subversion or git work better? That
keeps the umask part of the client's setup in the client's
configuration. Your concerns about signatures are understandable, but
somewhat misplaced. Externally signed keys and signature authorities
are far, far too easy to buy or steal, and historically rather
difficult to revoke.
Re: SFTP questions
I'm not sure. I'd have to check with my clients. It would, at the very
least, require a significant change in the way they do things, which
I'd obviously like to avoid. If I can get them to sign off on it,
though, it might be worth a try.
That's interesting. I wasn't aware of that. That will involve more
change, but since it will only be having a client log in manually once
(to accept the key), that might be doable.
Thanks for your help.
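For the second issue in the original post, server authentication without a commercial X.509 CA, OpenSSH has its own host certificates (also from OpenSSH 5.4 onward): the organization runs a small host CA, signs each server's host key, and clients trust that CA with one known_hosts line, which replaces the manual one-time key acceptance discussed in the replies above. The script below is an added illustration, not code from the thread or the OpenSSH project; the hostname sftp.example.org, the CA comment, the validity period and the throw-away working directory are constructed.

```shell
#!/bin/sh
# Added illustration: an OpenSSH host CA, a signed host certificate, and the
# matching client and server configuration. Everything is built in a temporary
# directory; hostnames and names are constructed for the example.
set -eu

if ! command -v ssh-keygen >/dev/null 2>&1; then
    echo "ssh-keygen not found; nothing to demonstrate" >&2
    exit 0
fi

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build the CA key, the server host key and a host certificate that binds the
# host key to the server's names. Prints the certificate path.
build_host_pki() {
    dir=$1
    # 1. The organization's own host CA. In practice keep host_ca offline;
    #    only host_ca.pub is ever handed to clients.
    ssh-keygen -q -t ed25519 -N '' -C 'example-host-ca' -f "$dir/host_ca"
    # 2. The SFTP server's host key (normally /etc/ssh/ssh_host_ed25519_key).
    ssh-keygen -q -t ed25519 -N '' -C 'sftp.example.org' -f "$dir/ssh_host_ed25519_key"
    # 3. Sign it: -h makes a host certificate, -n lists the names a client may
    #    connect with, -V bounds the validity period.
    ssh-keygen -q -s "$dir/host_ca" -I 'sftp.example.org host cert' -h \
        -n sftp.example.org,sftp -V +52w "$dir/ssh_host_ed25519_key.pub"
    echo "$dir/ssh_host_ed25519_key-cert.pub"
}

# Principals (hostnames) embedded in a certificate, one per line, taken from
# the "Principals:" section of ssh-keygen -L output.
cert_principals() {
    ssh-keygen -L -f "$1" | sed -n '/Principals:/,/Critical Options:/p' \
        | sed '1d;$d' | tr -d ' \t'
}

# 4. The single line each client needs in ~/.ssh/known_hosts (or the system
#    known_hosts): trust this CA for any host name under example.org. A server
#    presenting a certificate from this CA for a matching principal is accepted
#    without the first-connection prompt; a name not in the certificate fails.
client_known_hosts_line() {
    printf '@cert-authority *.example.org %s\n' "$(cut -d' ' -f1,2 "$1")"
}

# 5. What the server adds to sshd_config next to its existing HostKey line.
server_config_lines() {
    printf 'HostKey /etc/ssh/ssh_host_ed25519_key\n'
    printf 'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub\n'
}

CERT=$(build_host_pki "$WORK")
echo "Certificate principals:"
cert_principals "$CERT"
echo "Client known_hosts line:"
client_known_hosts_line "$WORK/host_ca.pub"
echo "Server sshd_config lines:"
server_config_lines
```

Revocation stays in the organization's hands: a compromised host key is handled by re-signing a new key, and a compromised CA by replacing the single `@cert-authority` line on the clients, which is exactly the control an external CA would not give you.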