[FTP] sftp and other secure FTP services

Post 1, 2006-02-17 03:12
I am setting up a user on Linux for uploading files via FTP.
The system is currently running OpenSSH, so the existing sftp-server could be used, but the problem is that the user has to be confined to their own home directory. I remember having set up chroot together with secure shell before, so I googled a bit: for OpenSSH there is a dedicated chroot patch.

http://chrootssh.sourceforge.net/index.php?node=news

Also, if you use the commercial ssh package, it ships with an ssh-dummy-shell, which is even more convenient; unfortunately OpenSSH has no equivalent.

My question: what are the options for a secure FTP server on Linux?

And for restricting what users can do, what are the better solutions?

I hope people will discuss this.
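As an added example (not code from this thread, from the OpenSSH project or from the chrootssh patch): OpenSSH 4.9 and later ship ChrootDirectory and the in-process internal-sftp subsystem, which give the OP's "sftp only, confined to one directory" setup without a patch. The script below renders the sshd_config Match stanza for an SFTP-only group and checks the requirement that breaks most first attempts: every component of the ChrootDirectory path must be a root-owned directory that neither group nor others can write, otherwise sshd refuses the login. The group name sftponly, the /srv/sftp/%u layout and the two sample path listings are assumptions constructed for the example.

```python
"""Render and sanity-check an OpenSSH chroot-only SFTP setup.

Added example, not code from this thread, from OpenSSH or from the
chrootssh patch.  Assumes OpenSSH 4.9 or later (ChrootDirectory and
the in-process 'internal-sftp' subsystem).  The group name 'sftponly'
and the /srv/sftp/%u layout are assumptions for the example.
"""
import os
import stat
import sys
from typing import Iterable, List, Tuple

# One entry per path component: (path, owner uid, permission bits).
PathInfo = Tuple[str, int, int]


def ancestors(path: str) -> List[str]:
    """'/srv/sftp/alice' -> ['/', '/srv', '/srv/sftp', '/srv/sftp/alice']."""
    parts = [p for p in os.path.normpath(path).split(os.sep) if p]
    out, cur = [os.sep], os.sep
    for p in parts:
        cur = os.path.join(cur, p)
        out.append(cur)
    return out


def collect_path_info(path: str) -> List[PathInfo]:
    """Stat every component of `path` on the live filesystem."""
    infos = []
    for p in ancestors(path):
        st = os.lstat(p)
        infos.append((p, st.st_uid, stat.S_IMODE(st.st_mode)))
    return infos


def chroot_path_problems(infos: Iterable[PathInfo]) -> List[str]:
    """sshd(8) only chroots if every component of ChrootDirectory is a
    root-owned directory that is not writable by group or others.
    Returns one message per violation; an empty list means the path is
    acceptable.  The user's writable area must be a subdirectory
    (e.g. /srv/sftp/alice/upload owned by alice), never the root itself."""
    problems = []
    for path, uid, mode in infos:
        if uid != 0:
            problems.append(f"{path}: owned by uid {uid}, must be root (0)")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path}: mode {mode:04o} is group/world writable")
    return problems


def sftp_only_match_block(group: str, chroot: str) -> str:
    """sshd_config stanza that confines members of `group` to the SFTP
    subsystem inside `chroot`: ForceCommand blocks any shell or remote
    command, and forwarding is disabled so the account cannot be used
    as a tunnel.  %u in `chroot` expands to the login name."""
    return "\n".join([
        f"Match Group {group}",
        f"    ChrootDirectory {chroot}",
        "    ForceCommand internal-sftp",
        "    AllowTcpForwarding no",
        "    X11Forwarding no",
        "    PermitTunnel no",
        "",
    ])


# Constructed sample listings (not taken from a real host).
GOOD_LAYOUT = [("/", 0, 0o755), ("/srv", 0, 0o755),
               ("/srv/sftp", 0, 0o755), ("/srv/sftp/alice", 0, 0o755)]
# A plain home directory fails: owned by the user and group-writable.
HOME_LAYOUT = [("/", 0, 0o755), ("/home", 0, 0o755),
               ("/home/alice", 1000, 0o775)]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    infos = collect_path_info(target) if target else GOOD_LAYOUT
    for msg in chroot_path_problems(infos) or ["chroot path OK"]:
        print(msg)
    print(sftp_only_match_block("sftponly", "/srv/sftp/%u"))
```

Run it with a path argument to check a real chroot root on the host (`python3 sftp_chroot.py /srv/sftp/alice`), then append the printed stanza to sshd_config and verify with `sshd -t` before reloading. The point the sample listings make is that chrooting into the user's own home directory, the obvious first idea, fails the ownership check; the chroot root stays root-owned and the user gets a writable subdirectory beneath it.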

Post 2, 2006-02-17 11:47
Common FTP servers can all be combined with SSL.

Post 3, 2006-02-17 17:47
The OP is quite right; that is the current state of affairs.
What is wrapped in ssh is sftp (encryption at the application layer).
What uses ssl is ftps (encryption at the transport layer).
Most ftpds on Linux support ftps, so the ftp functionality is strong (all kinds of restrictions are available), but they cannot serve as sftp.
OpenSSH's sftp-server is sftp, but as the OP says, it cannot restrict logins, and as an ftpd it offers fewer features (only basic ftp functionality).
The SFTP in the commercial ssh is not very feature-rich either (no rate limiting, etc.).

So it comes down to the OP's requirements: choose sftp or ftps.

Post 4, 2006-02-17 23:22
Thanks to both of you for the replies; they give me some direction for looking things up. :)

Yesterday I had a look at vsftpd's features, and they are indeed attractive; the chroot functionality I need is supported directly. I will have to test the details to know for sure, but one thing I still do not understand is the traditional "weakness" of FTP, transmitting the username and password in the clear. How does vsftpd handle that? Or does it rely on its better user authentication and authorization mechanisms, plus the use of chroot, to neutralize the threat from transmitting credentials in the clear?

Since I do not yet have a machine to test on, my understanding is still limited and may contain mistakes; I am being lazy and asking here first to get some direction. :)

Post 5, 2006-02-18 00:40
The difference between SFTP and FTPS

http://www.enterprisedt.com/products/edtftpjssl/faq-answers.html


1. What type of secure FTP does edtFTPj/PRO support?

There is considerable confusion when using the term "secure FTP". There are two different types of secure file transfer protocols available, SFTP and FTPS. They are both supported by edtFTPj/PRO.

Firstly, there is an enhancement to standard FTP (as defined in RFC 959), which uses the same FTP commands (and protocol) over secure sockets, i.e. over SSL/TLS. This is implemented by edtFTPj/PRO. This is variously known as FTPS, FTP-SSL, and FTP-over-SSL. There are many FTP servers that support FTPS.

There is also another protocol, unfortunately known as SFTP, which also provides secure file access, but which is not related to the standard FTP protocol. This is implemented using SSH (Secure SHell), a suite of secure network connectivity tools (when used with SSH2 this is known as SFTP). The primary purpose of SSH is to enable users to remotely log into a machine over a secure connection. The two protocols are completely different and not related. For a comparison see the FTPS vs SFTP FAQ below. Support for this protocol is also in edtFTPj/PRO.

2. SFTP vs FTPS - which is better?

As already noted, SFTP is built on SSH2, while FTPS is standard FTP over an SSL connection. FTPS has a number of advantages over SFTP.

Security. Standard SSH provides a secure remote shell for the user, and includes a command called SCP (secure copy) which is used to implement FTP-like features in SFTP. The problem arises when you want to allow client SFTP access on a server but not SSH access. This is possible but very tricky (see SSH: The Definitive Guide). So if you are not very careful when you set up your servers, users on machines with the SFTP client installed will be able to use an SSH client to log into the server and execute commands. This is not a problem with FTPS.

Flexibility. FTPS is a straightforward extension to an existing FTP infrastructure. It is supported by most commercial servers and many open source servers (e.g. wu-ftpd and proftpd), so enabling FTPS on a server is usually just a matter of adding a few configuration options. There is no need to run additional servers since FTPS servers invariably also support FTP. There is also no need to open additional ports in firewalls since FTPS uses the same ports as FTP.

Certificates. SFTP uses keys rather than certificates. This means that it can't take advantage of the "chains of trust" paradigm facilitated through Certificate Authorities. This paradigm makes it possible for two entities to establish a trust relationship without directly exchanging security information, which is important for some applications. FTPS uses certificates and therefore can take advantage of this paradigm. SFTP clients must install keys on the server.

Post 6, 2006-02-18 00:58
While looking for how to get vsftpd working with SSL, I came across a page that describes it in some detail. I have not tried it myself yet; anyone interested can take a look.

"Can't get vsftp work with SSL? Help!"
http://www.webmasterworld.com/forum40/1212.htm

Still the question from above: if VSF_BUILD_SSL was not defined at compile time, or ssl_enable is NO in the later settings, how is the password handled? (Probably not the crucial point, I am just a bit curious. :) )

ftp://vsftpd.beasts.org/users/ce ... pd-2.0.1/README.ssl

As of vsftpd version 2.0.0, SSL / TLS support is provided.

The SSL / TLS support provides the ability to encrypt FTP logins and subsequent
commands, as well as the data transfers themselves. The encryption will, for
example, stop the stealing of sensitive passwords via network snooping.

By default, SSL support is disabled both at compile time and at runtime.
Before considering enabling / using SSL support, there are some security
considerations:

- Only enable SSL if absolutely necessary. Enabling SSL will allow attackers
to make use of any security problems in the OpenSSL libraries. Note that
the OpenSSL libraries are a large quantity of code and have had the occasional
security problem in the past.
For example, your server might use virtual users to control access to
non-sensitive download content. In this case, the passwords might not be
worth securing with SSL.

- After enabling SSL, consider restricting access to an SSL enabled server
where feasible. For example, only the internal network might need access.


In order to enable and use SSL support, you need the following:

- vsftpd built with OpenSSL support. This is a decision your vsftpd packager
made, or if you are building vsftpd yourself, edit "builddefs.h" and change the
"#undef VSF_BUILD_SSL" to "#define VSF_BUILD_SSL".
- "ssl_enable=YES" in your vsftpd.conf.
- A SSL certificate. By default, an RSA certificate is looked for at the
location /usr/share/ssl/certs/vsftpd.pem. To get an RSA certificate, either
buy one from a certificate authority, or you can create your own self-signed
certificate. If you have OpenSSL installed, you may find a "Makefile" in
your shared certificates directory, e.g. /usr/share/ssl/certs. In that case,
go to that directory and type e.g. "make vsftpd.pem". Then answer the
questions you are asked. Alternatively, read the man page for "openssl".
- Also be aware of the following SSL related parameters. Read the vsftpd.conf.5
manual page to learn about them: allow_anon_ssl, force_local_logins_ssl,
force_local_data_ssl, ssl_sslv2, ssl_sslv3, ssl_tlsv1, rsa_cert_file,
dsa_cert_file, ssl_ciphers.

[ This post was last edited by anfield on 2006-2-18 01:23 ]
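The README.ssl steps quoted above answer the question from post 4: with ssl_enable=NO (the compile-time and runtime default) vsftpd sends the username, password and data exactly as classic FTP does, in the clear. As an added example (not code from this thread or from the vsftpd project), the script below parses vsftpd's option=value format and reports the settings a reviewer would question, showing the weak configuration beside the hardened one. Defaults are those documented in vsftpd.conf(5); both sample configurations and the certificate path /etc/vsftpd/vsftpd.pem are constructed for the example.

```python
"""Audit the SSL settings of a vsftpd.conf against README.ssl.

Added example, not code from this thread or from the vsftpd project.
Parses vsftpd's 'option=value' format (no whitespace around '=', '#'
starts a comment) and reports the settings that leave logins or data
in the clear.  The two sample configurations are constructed.
"""
from typing import Dict, List, Tuple

# Defaults as documented in vsftpd.conf(5) for the options checked here.
DEFAULTS = {
    "ssl_enable": "NO",
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
    "ssl_sslv2": "NO",
    "ssl_sslv3": "NO",
    "ssl_tlsv1": "YES",
}


def parse_vsftpd_conf(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (settings, errors).  vsftpd itself aborts with
    '500 OOPS: bad config' on malformed lines, so they are reported
    rather than guessed at."""
    settings: Dict[str, str] = {}
    errors: List[str] = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if "=" not in raw:
            errors.append(f"line {n}: no '=' in {raw!r}")
            continue
        key, value = raw.split("=", 1)
        if key != key.strip() or value != value.strip():
            errors.append(f"line {n}: whitespace around '=' in {raw!r} "
                          "(vsftpd rejects this)")
            continue
        settings[key] = value
    return settings, errors


def _yes(effective: Dict[str, str], key: str) -> bool:
    return effective[key].upper() == "YES"


def audit_ssl(settings: Dict[str, str]) -> List[str]:
    """Findings a reviewer would raise, following README.ssl and the
    thread's question about cleartext passwords.  Empty list = clean."""
    eff = {**DEFAULTS, **settings}
    if not _yes(eff, "ssl_enable"):
        return ["ssl_enable=NO: user names, passwords and data cross "
                "the network in clear text"]
    findings = []
    if not _yes(eff, "force_local_logins_ssl"):
        findings.append("force_local_logins_ssl=NO: local users may still "
                        "log in over plain FTP, sending the password in the clear")
    if not _yes(eff, "force_local_data_ssl"):
        findings.append("force_local_data_ssl=NO: file contents and directory "
                        "listings may be transferred unencrypted")
    for proto in ("ssl_sslv2", "ssl_sslv3"):
        if _yes(eff, proto):
            findings.append(f"{proto}=YES: obsolete protocol enabled; "
                            "leave only TLS on")
    return findings


# Constructed: the thread's scenario, SSL never turned on.
WEAK_CONF = """\
# vsftpd.conf (constructed sample)
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=NO
"""

# Constructed: README.ssl followed; the certificate path is an assumption.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        settings, errors = parse_vsftpd_conf(text)
        print(f"[{name}] parse errors: {errors}")
        for finding in audit_ssl(settings) or ["no SSL findings"]:
            print(f"[{name}] {finding}")
```

The parser is deliberately strict about whitespace around "=", because vsftpd treats "ssl_enable = YES" as an unknown option and refuses to start, which is a common reason an SSL setup that "looks right" never takes effect. The audit only covers the protocol options the 2.0.x README lists; newer vsftpd versions add further ssl_tlsv1_x options that the same approach extends to.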

Post 7, 2006-02-18 11:52
Using SSH's SCP is not good: besides being slow, every user needs a UNIX account, which is particularly insecure. It is only acceptable for internal company use, not on the public Internet.

FTP in SSL mode is still better: use virtual users, and there is no need to give every user a UNIX account.

Post 8, 2006-02-18 23:24
Agreed.