Void's Forums

[Master of Reality]

I want to setup one user account for FTP access (which i have done) but i want the stuff uploaded to be on the internet.

I was wondering what i have to change in apache to make the homedir/www accessable from the internet?
(im using ProFTPd and whatever the newest apache 1.3.* is)

[Void Main]

By "to be on the internet" I assume you mean you want it accessible through the web server (http). You have a couple of options. You can create a subdirectory under the DocumentRoot (usually something like /var/www/html) and set permissions such that the FTP user has rwx permissions to it. You can then symlink that directory to show up as a subdirectory of your FTP user's home dir so anything they put in that subdirectory will show up in your Apache subdirectory. You could also just symlink the FTP user's home dir to show up as a subdirectory under Apache's DocumentRoot (make sure you have the FollowSymlinks option turned on in the httpd.conf).

Alternately you could use an "Alias" in your httpd.conf. Make sure the Apache user has permission to see what is in the FTP user's directory where the files are, along with any directory above it.

[Master of Reality]

alright i have that setup and i now realize that i can use sftp for my purposes. Its not so much that i need the high security for anything important but i would like to do it because im paranoid and want experience setting up things as securely as possible.

Im a little hazy on the subject of sftp though. Is sftp an actual FTP server or do i need to do something to ProFTPd which will allow it to utilize sftp?
I recall reading about setting up proftpd to use sftp (i remember that heading) while searching for info on proftpd but i can not seem to find it again.

[Void Main]

No, sftp works with the ssh server (sshd). Make sure the sftp portion is turned on in your /etc/ssh/sshd_config file. I much prefer to use "scp" over sftp though.

[Master of Reality]

well im making a blog with blogger.com so its actually blogger.com that is automatically publishing stuff for me, and i noticed that they support sftp as well as ftp.

Does sftp use the /etc/ftpusers file?

[Master of Reality]

http://mor.servebeer.com:8000/blog/

[Void Main]

Does sftp use the /etc/ftpusers file?

No, sftp is nothing more than an ssh client, only difference is it looks like an ftp client. You can use your key based authentication and much other functionality of ssh. The only use I can think of for it is if you know how to use an ftp client but not how to use scp. Of course it's better than a normal ftp client because it's encrypted so if security is important sftp would certainly be better than ftp. Now if you need an "anonymous" type of FTP setup then I don't believe you can do it with normal sshd/sftp but I've never tried, nor can I think of a reason to try. :)

[Master of Reality]

can people detect whether sftp is running or not from the internet? (consider ssh as running on the internet side)... such as by it running on a different port than normal sshd

[Void Main]

can people detect whether sftp is running or not from the internet? (consider ssh as running on the internet side)... such as by it running on a different port than normal sshd

sftp is the ssh client. sshd is the server and listens on port 22 as it would any other time. The only thing different that happens on the server side when you connect to sshd with sftp is it spawns the sftp-server program instead of a login shell. The sftp-server program exits when you end your sftp session just like your shell exits when you end your interactive ssh session. Everything is done using the SSH protocol (and ports). So the only way a remote person can tell if you have sftp-server enabled in your sshd_config is by trying to connect to it with the sftp client. If you don't have it enabled they'll get a message something like:

Code: Select all

[voidmain@voidhost voidmain]$ sftp voidlinux
Connecting to voidlinux...
Request for subsystem 'sftp' failed on channel 0
Couldn't read packet: Connection reset by peer


whereas if you do have it enabled they'll get either a login prompt or be logged in automatically if you are using key based, host based, or any other type of ssh authentication:

Code: Select all

[voidmain@voidhost voidmain]$ sftp voidlinux
Connecting to voidlinux...
sftp> ?
Available commands:
cd path                       Change remote directory to 'path'
lcd path                      Change local directory to 'path'
chgrp grp path                Change group of file 'path' to 'grp'
chmod mode path               Change permissions of file 'path' to 'mode'
chown own path                Change owner of file 'path' to 'own'
help                          Display this help text
get remote-path [local-path]  Download file
lls [ls-options [path]]       Display local directory listing
ln oldpath newpath            Symlink remote file
lmkdir path                   Create local directory
lpwd                          Print local working directory
ls [path]                     Display remote directory listing
lumask umask                  Set local umask to 'umask'
mkdir path                    Create remote directory
progress                      Toggle display of progress meter
put local-path [remote-path]  Upload file
pwd                           Display remote working directory
exit                          Quit sftp
quit                          Quit sftp
rename oldpath newpath        Rename remote file
rmdir path                    Remove remote directory
rm path                       Delete remote file
symlink oldpath newpath       Symlink remote file
version                       Show SFTP version
!command                      Execute 'command' in local shell
!                             Escape to local shell
?                             Synonym for help
sftp>


Really, it's as simple as it gets. Edit your /etc/ssh/sshd_config file and make sure this line is uncommented at the end of the config file:

Code: Select all

Subsystem       sftp    /usr/libexec/openssh/sftp-server


Restart sshd and then you can ssh, scp, *and* sftp to your server.

NOTE: The path to sftp-server might be different on your system. The above path is accurate for a Red Hat or Fedora system.

[Master of Reality]

excellent