
#1 2009-02-12 23:46:57

void.pointer
Member
From: Dallas, TX
Registered: 2008-07-30
Posts: 239

Allowing remote access to specific directories

Hi,

I have been spending the past week or two investigating ways I can allow someone to utilize a portion of my server's hard drive space for their personal backup. My first thought was to look into SCP, since all they really want to do is schedule a remote copy in a script, and SCP is perfect for that. However, if they have access to SCP they have access to normal SSH and can view outside of their backup directory, which I obviously do not want.

I then started looking into RSSH, ChrootDirectory in SSH, and other forms of "SSH Jails" but they all looked FAR too complex for my needs. I really just want something simple and intuitive. I don't want something too invasive/tedious.

I also looked into setting up an FTP server with SSL, such as proftpd or vsftpd, however these look like a pain to set up due to the fact that you have to do a lot of manual config editing and PAM setup.

It would be great to be able to use PACMAN to install a certain type of server that can be remotely configured using HTTP. I want to be able to set up virtual users (Not SSH users) and give them a list of directories they shall have access to and be able to specify the permissions of each directory they have. Why can't it be this simple? I've set up FTP servers on Windows before and it is VERY simple to do.


#2 2009-02-13 01:32:42

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: Allowing remote access to specific directories

Perhaps an rsync server?


#3 2009-02-13 01:41:01

Xyne
Administrator/PM
Registered: 2008-08-03
Posts: 6,963

Re: Allowing remote access to specific directories

rsync crossed my mind too.

If that doesn't work though, suck it up and dive into vsftpd. It does exactly what you want and it isn't that difficult to configure... it just takes a little while to find the right documentation. If you get stuck, just post your questions here. I have my own set of notes for running vsftpd with xinetd using strong encryption and virtual users on a custom port, so hopefully I can help. If not, someone else will be able to.

*edit*
Here's a quick checklist:
  vsftpd file in /etc/xinetd.d/
    name the service "ftp" for standard ports
    name the service "vsftpd" for custom ports (and set the port)
  (if using a custom port, make sure that the name of the service from the previous step is included in /etc/services)
  create your virtual users (vsftpd wiki page)
  configure /etc/hosts.allow to let vsftpd through
  open up ports in your local and router firewalls, if you have them
  configure /etc/vsftpd.conf to use virtual users
  create a (self-signed) certificate if you're using encryption
  start xinetd

Last edited by Xyne (2009-02-13 01:49:35)



#4 2009-02-13 02:09:33

void.pointer
Member
From: Dallas, TX
Registered: 2008-07-30
Posts: 239

Re: Allowing remote access to specific directories

Thanks for being so helpful Xyne. I'm going to try to tackle vsftpd one more time with your help.

I'm reading the vsftpd wiki page on how to set up vsftpd, and I've gotten up to the "PAM with virtual users" section. This section seems to assume each user only cares about one directory. Below are my questions:

* How can I set this up so each user I create has multiple numbers of directories they may access?
* How can I set up SSL with vsftpd? The wiki article does not seem to address this.
* Is there an easy way to go back and add users later? It seems like I'll have to create some sort of script that I run after editing my txt file of users and passwords. I wish I could use mysql for this or something... it would be better.

::EDIT::
Looks like you *can* use mysql! Check this out. Now if only I could translate these instructions to Archlinux. There doesn't seem to be a pam-mysql package in AUR or official repositories :(

::EDIT2::
Here's another good article, but again not for Archlinux. Looks EXTREMELY tedious and complex :(
http://www.digitalnerds.net/featured/vs … l-backend/

Last edited by void.pointer (2009-02-13 02:21:15)


#5 2009-02-13 02:59:53

aglarond
Member
From: Texas, USA
Registered: 2008-11-20
Posts: 129

Re: Allowing remote access to specific directories

You could try an sftp chroot. You mentioned they looked tedious, but it's not that hard to follow the method here.

http://wiki.archlinux.org/index.php/SFTP-chroot

Barring that, I agree the vsftp is probably your best bet.

-mS


#6 2009-02-19 06:02:08

void.pointer
Member
From: Dallas, TX
Registered: 2008-07-30
Posts: 239

Re: Allowing remote access to specific directories

@Xyne

Any advice on how to set up vsftpd to support multiple directories per user using PAM? Thanks.


#7 2009-02-19 15:07:19

Xyne
Administrator/PM
Registered: 2008-08-03
Posts: 6,963

Re: Allowing remote access to specific directories

void.pointer wrote:

1) How can I set this up so each user I create has multiple numbers of directories they may access?
2) How can I set up SSL with vsftpd? The wiki article does not seem to address this.
3) Is there an easy way to go back and add users later? It seems like I'll have to create some sort of script that I run after editing my txt file of users and passwords. I wish I could use mysql for this or something... it would be better.

Sorry, I missed that post.

1) see below
2) I can't find any good tutorial right now but here's what I have in my vsftpd.conf to force encryption (the vsftpd.conf man page will give you an idea of what each line does):

anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
chroot_list_enable=NO
guest_enable=YES
guest_username=ftp
user_sub_token=$USER
local_root=/home/ftp/virtual/$USER

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/server.pem

hide_ids=YES
pam_service_name=vsftpd

I think this is the line that I used to generate the certificate but I'm not sure now:

openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout server.key -out server.crt

Remember to use "FTP over explicit TLS/SSL" or your ftp client's equivalent when you try to connect because this setup will not accept unencrypted connections (change the "force_local_data_ssl" line if you still want to allow unencrypted connections... I think that's all you need to change at least). Also keep in mind that the default port will not be 21 and that it may be worth changing it to a custom port.



3) Seems you've found a mySQL solution. :)


void.pointer wrote:

@Xyne

Any advice on how to set up vsftpd to support multiple directories per user using PAM? Thanks.

I haven't done much with PAM other than the initial authentication of virtual users.
If you're trying to make multiple directories available to different virtual users, you should take a look at bindfs. By using the permissions option, you can mount any directory on your system within the virtual user's directory as read-only.

It's available in the AUR if you want to try it: http://aur.archlinux.org/packages.php?ID=22920


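An added example, not part of the post above or of vsftpd itself: a small Python check of the settings in the posted vsftpd.conf, including whether the file named by rsa_cert_file also holds a private key (the posted openssl command writes server.key and server.crt, while the config points at a single server.pem). The function names and the constructed sample PEM are hypothetical; the defaults are those given in the vsftpd.conf man page.

```python
import re

# Defaults of the options checked here, per vsftpd.conf(5).
DEFAULTS = {"anonymous_enable": "YES", "ssl_enable": "NO", "guest_enable": "NO",
            "chroot_local_user": "NO", "force_local_logins_ssl": "YES",
            "force_local_data_ssl": "YES", "ssl_sslv2": "NO", "ssl_sslv3": "NO"}
# Security-relevant lines of the vsftpd.conf quoted in the post.
POSTED_CONF = """\
anonymous_enable=NO
chroot_local_user=YES
guest_enable=YES
user_sub_token=$USER
local_root=/home/ftp/virtual/$USER
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/server.pem
"""
# Constructed sample: what server.pem holds if only server.crt is copied into it.
CERT_ONLY_PEM = "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n"

def parse_conf(text):
    """Overlay key=value lines on DEFAULTS; '#' lines are comments."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            conf[key] = value
    return conf

def audit(conf_text, pem_text):
    """Return names of settings that weaken the setup; pem_text is rsa_cert_file's content."""
    conf = parse_conf(conf_text)
    on = lambda key: conf.get(key, "NO").upper() == "YES"
    bad = [k for k in ("anonymous_enable", "ssl_sslv2", "ssl_sslv3") if on(k)]
    bad += [k for k in ("ssl_enable", "force_local_logins_ssl",
                        "force_local_data_ssl", "chroot_local_user") if not on(k)]
    token = conf.get("user_sub_token")
    if on("guest_enable") and not (token and token in conf.get("local_root", "")):
        bad.append("local_root")  # all virtual users would share one root
    if "-----BEGIN CERTIFICATE-----" not in pem_text:
        bad.append("rsa_cert_file: no certificate")
    # vsftpd expects the key in the same file unless rsa_private_key_file is set.
    has_key = re.search(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----", pem_text)
    if not has_key and "rsa_private_key_file" not in conf:
        bad.append("rsa_cert_file: no private key")
    return bad
```

Calling audit(POSTED_CONF, CERT_ONLY_PEM) reports only the missing private key, which goes away once server.key and server.crt are concatenated into server.pem or rsa_private_key_file is set. When regenerating the certificate, note that 1024-bit RSA as in the posted command is below what is considered adequate today; 2048 bits or more is the usual minimum.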
