Topic: How to set up FTP for external users

[judgej]

I've been through all the documentation I can find, and not found the answer to this one. The options in the SME admin pages all seem very ambiguous (I just don't know what the consequences of the various FTP options are, or what they are supposed to achieve).

I basically want to provide a few FTP accounts, for use by external users to transfer files to/from my SME server (6.5).

Ideally, each user would have a password of their own and would be able to see just one directory (of their own). An administrator should be able to see, access, and modify files in all these transfer directories.

What I can't see, is where the authentication takes place. Do I need to create an i-bay for each user and put a password on each of those i-bays? Would I need to create users and allow users to FTP in/out or their own home directories (making sure they are not members of any groups providing access to any other directories on the server)? I'm just not sure how SME is designed to work.

Or - should I really be setting up a separate server for this, just to handle FTP? It is just the ability to securely FTP files back and forth that I am looking for. It is a kind of drop-zone for files.

-- JJ

[raem]

judgej

Did you miss this section of the manual ?
http://mirror.contribs.org/smeserver/contribs/bobk/SME_Manual/chpt-14.02.html

You may also be interested in the contrib that limits users access to their home folders, search for it.


> It is just the ability to securely FTP files back > and forth that I am looking for.

As the manual clearly says, ftp is not secure, you should get your users to use WinSCP or similar.

[judgej]

Yes, I did miss that in the manual. It explains quite well what the different approaches are, and the limitations of each. That has helped a lot.

Finding contributions and HOWTOs on restricting FTP/SFTP home directories etc. is another matter altogether. I think the constant flux of the project (not a bad thing) is leaving many dead links (not such a good thing), so it is quite hard to find what is available, what works and where to download it.

Anyway, just enabling FTP on the server, creating an 'ftp' user and assigning them to an 'ftp' i-bay, via an 'ftp' group, will do the trick for now.

-- JJ

[raem]

judgej

> Finding contributions and HOWTOs on restricting
> FTP/SFTP home directories etc. is another matter
> altogether.

I was aware that dungog had a contrib, see
http://www.dungog.net/sme/other.php#remote
for Shell access & Chroot FTP

Some more searching on your part would have found this relatively easily.

[raem]

judgej

get the rpms from here
http://mirror.contribs.org/smeserver/contribs/index.php?subdir=dungog%2Fpackages%2Fsmeserver%2F6.0%2Fi386%2FRPMS.dungog&sortby=name

smeserver-remoteuseraccess-1.0-1.noarch.rpm
rssh-2.2.1-2.0.rh7.dag.i386.rpm

Install them with rpm -Uvh *.rpm

and you will have a nice server manger panel to configure user access.

[judgej]

smeserver-remoteuseraccess-1.0-1.noarch.rpm
rssh-2.2.1-2.0.rh7.dag.i386.rpm

Hmmm. I've installed those. Now I can't log in as any user via FTP, after having modified them through that admin panel. I get a "530 Login Incorrect" error.

I guess I'm going to have to go searching some more...

-- Jason

PS ...and I've lost all shell access to those users.

UPDATE: so long as the bash shell is enabled, then FTP works for a user. Disabling shell access, disables the FTP access too. I'm not sure if that is how it's supposed to work, but I'm guessing not. Unfortunately FTP does not work if I just assign the restricted shell to the user. If I find a solution to this (i.e. allow FTP access for a user, restricted to an ibay or directory, without giving them shell access too, then I'll post it here).

[raem]

judgej

Did you read this ?
http://www.dungog.net/sme/other.php#remote

[judgej]

judgej

Did you read this ?
http://www.dungog.net/sme/other.php#remote

Yes, I've read that. I can't get the sftp stuff to work as advertised, so I'm stuck with FTP for now. Unfortunately the consequences of doing that, as described on that page, are, err, probably bad. As with many of the options that it seems need to be enabled to get any kind of remote access working, they are all 'bad' and should not be used.

I think this is all down to the best feature, and the main flaw with the SME server: enabling any one thing, automatically enables or creates lots of other things. That makes setting up a basic server very easy and quick. However, it does also mean that if you want to configure just a few simple services for specific users and/or purposes, then a whole load of other services come along for the ride. I guess that's just the way it is.

-- Jason

[raem]

judgej

> I can't get the sftp stuff to work...

From the server manager Remote Access panel

"Note: a secure shell sftp client can also be used to access the server, if remote access via the secure shell is enabled. This method of access protects the passwords and data of the FTP session, whereas standard FTP provides no protection"