I think FTP is too insecure to use, so I want every one of my customers to be able to use SFTP instead. SFTP means "tunneling SSH" (I know this is not 100% correct, but it is near enough to say what I mean). This means I need to allow SSH for every one of my customers. This is NOT what I want. So I need something like chrooted SSH with NO critical commands to execute (ls or dir or something like this is OK, but not kill, ps, top, cronjobs or something "criminal" the user can do with the server). I found something in the configuration of ISPConfig to activate chrooted SSH, but what do I have to do to activate it? Can anybody help?
First, you will have to recompile your SSH daemon to support chrooting; this is described here, for example: http://www.howtoforge.com/chrooted_ssh_howto_debian Then enable chrooting in the file /home/admispconfig/ispconfig/lib/config.inc.php. Every user that is newly created or updated in ISPConfig will be chrooted. Another method to secure your FTP connections without enabling SSH is to use FTP with TLS (SSL) encryption: http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
SFTP not working
Hmm! There must be something which I don't know. I followed the chrooted howto and the chrooted SSH works fine. I can start my PuTTY and log in to my server via SSH as user web14_ov. This works fine and the user is definitely chrooted! Then I tried to connect via SFTP and this does not work. (The client can connect with SFTP to other servers, so the client is OK.) Can anybody tell me what the problem is (what I have overlooked or don't know)? Is there any log file I can look into?
It depends a bit on whether you have changed syslogd, but the default log file would be /var/log/auth.log. You will find a line like
Code:
sshd[1857]: subsystem request for sftp
I guess that there is a program missing for sftp in the chroot jail. If I remember correctly, there was a thread about the same problem in the forum some time ago, but I currently can't find it.
Update: I googled a bit. I guess you will have to add the sftp-server binary (with full path) to the list of chrooted applications in the file /root/ispconfig/scripts/shell/create_chroot_env.sh
security issue (I guess)
Yes! That's right! And now it works!
*** EDIT *** BUT now I have the problem that the chroot path is INSIDE the sftp-root, and so if the user connects to the server with sftp he can upload binaries to its /bin folder and so expand the commands he has! That's not what I want. ---- The text above is WRONG! The files and the dir are only writable by root and by nobody else. This means the "normal" user can see the files and the dir but not change anything! This means everything works fine now!! *** END EDIT ***
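Added example, not part of the thread: a shell check for the two points raised in the posts above, namely that the sftp-server binary exists inside the jail and that the jail's system directories are writable only by their owner. The function name `audit_jail`, the directory list and the argument layout are assumptions; the sftp-server path is passed in because it differs between distributions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed jail layout: JAIL/bin,
# JAIL/lib, JAIL/usr, JAIL/etc, as created by a chroot setup script.
#
# audit_jail JAIL SFTP_SERVER_PATH [OWNER]
#   JAIL              root directory of the chroot jail
#   SFTP_SERVER_PATH  absolute path of sftp-server as seen inside the jail
#                     (assumed to match sshd's Subsystem setting)
#   OWNER             expected owner of jail system files (default: root)
# Prints one line per finding; returns 0 if clean, 1 otherwise.
audit_jail() {
    jail=$1
    sftp_path=$2
    owner=${3:-root}
    findings=0

    # 1. The sftp subsystem is started after the chroot, so the binary
    #    must be present and executable inside the jail.
    if [ ! -x "$jail$sftp_path" ]; then
        echo "MISSING: $sftp_path is not executable inside $jail"
        findings=1
    fi

    # 2. A jailed user who can write to these directories could add his
    #    own commands. Flag anything not owned by OWNER or writable by
    #    group/other. Symlinks are skipped: their mode bits mean nothing.
    for d in bin lib usr etc; do
        [ -d "$jail/$d" ] || continue
        bad=$(find "$jail/$d" ! -type l \
              \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print)
        if [ -n "$bad" ]; then
            echo "$bad" | sed 's/^/WRITABLE-OR-FOREIGN: /'
            findings=1
        fi
    done
    return $findings
}

# Run directly as: sh audit_jail.sh JAIL SFTP_SERVER_PATH [OWNER]
if [ $# -ge 2 ]; then
    audit_jail "$@"
fi
```

A non-zero return together with the `subsystem request for sftp` line in /var/log/auth.log points at the jail contents rather than at the client.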
And what about using FTP with TLS as I described above? It is also very secure, but you don't have to give the user shell access.
Maybe I am wrong, so please correct me if so: 1) if I use one SSL certificate for ALL of the "vhosts", the certificate is wrong for all domains and the user gets confusing messages and dialogs; 2) if I use one SSL certificate for ONE "vhost", then I have to have a certificate for all customers (and this is not the case).
Why don't you make a domain, e.g. ftp1.hostingprovider.com, and point it to this server? All users are able to log in over this domain with one SSL certificate. Many providers use subdomains of their own domain for their FTP and mail servers for exactly this reason. The mail users are authenticated by their username and not by their domain, so there are no vhosts like in Apache.
I don't like to think about which of my servers the customer is on. I don't want to say to customer1 "use ftp1.xxx" and to customer2 "use ftp2.xxx". But this is my personal opinion, I know (this is why I wrote "vhosts" in quotation marks, just to say "several users with their own ftp-root").
Everything Works Fine Now
OK! I have to correct (edit) my last posting. Now everything works fine. Thanks to all who helped me!