Re: Additional SSH/SFTP users
Posted: Sat 1. Aug 2020, 10:58
Apparently I really am doing something wrong; I tried it again yesterday but still failed at it.
The official KeyHelp forum of Keyweb AG
https://community.keyhelp.de/
Code:
<IfModule mod_sftp.c>
SFTPEngine on
SFTPLog /var/log/proftpd/sftp.log
SFTPAuthMethods password # keyboard-interactive
SFTPHostKey /etc/proftpd/ssh_host_rsa_key
# SFTPAuthorizedUserKeys file:~/.sftp/authorized_keys
SFTPCompression delayed
</IfModule>
Code:
cp /etc/ssh/ssh_host_rsa_key /etc/proftpd/ssh_host_rsa_key
Fair enough, this is turning into a never-ending topic here, so better to post an interim solution than to have no peace at all.
Demon wrote: Sat 1. Aug 2020, 20:19
> Well, at the latest by then. Once Alexander has found his own solution and implemented it in KeyHelp, things would be quiet.

Pure suspicion, but have a look at service proftpd status to see whether something red that you cannot overlook jumps out at you.
My problem right now is:
If I want plain FTP in addition, SFTP stops working again.
And I followed the link you additionally posted exactly.
Code:
#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes, reload proftpd after modifications, if
# it runs in daemon mode. It is not required in inetd/xinetd mode.
#
# Includes DSO modules
Include /etc/proftpd/modules.conf
# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6 on
# If set on you can experience a longer connection delay in many cases.
IdentLookups off
ServerName "server1.domain.de FTP-Server"
ServerType standalone
DeferWelcome off
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayChdir .message true
ListOptions "-l"
DenyFilter \*.*/
# Use this to jail all users in their homes
DefaultRoot ~
# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constraint.
# RequireValidShell off
# Port 21 is the standard FTP port.
#Port 21
# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
PassivePorts 30000 30500
# If your host was NATted, this option is useful in order to
# allow passive transfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
# MasqueradeAddress 1.2.3.4
# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30
# Set the user and group that the server normally runs at.
User proftpd
Group nogroup
# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwriteable.
AllowOverwrite on
AllowRetrieveRestart on
AllowStoreRestart on
# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd off
# This is required to use both PAM-based authentication and local passwords
# AuthOrder mod_auth_pam.c* mod_auth_unix.c
# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile off
TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log
# Logging onto /var/log/lastlog is enabled but set to off by default
#UseLastlog on
# In order to keep log file dates consistent after chroot, use timezone info
# from /etc/localtime. If this is not set, and proftpd is configured to
# chroot (e.g. DefaultRoot or <Anonymous>), it will use the non-daylight
# savings timezone regardless of whether DST is in effect.
#SetEnv TZ :/etc/localtime
<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>
<IfModule mod_ratio.c>
Ratios off
</IfModule>
# Delay engine reduces impact of the so-called Timing Attack described in
# http://www.securityfocus.com/bid/11430/discuss
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
<IfModule mod_ctrls.c>
ControlsEngine off
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>
<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>
#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
Include /etc/proftpd/sql.conf
#
# This is used for FTPS connections
#
<VirtualHost 0.0.0.0>
Port 210
TLSEngine on
</VirtualHost>
<VirtualHost 0.0.0.0>
Port 214
TLSOptions UseImplicitSSL
</VirtualHost>
Include /etc/proftpd/tls.conf
#
# Useful to keep VirtualHost/VirtualRoot directives separated
#
#Include /etc/proftpd/virtuals.con
# A basic anonymous configuration, no upload directories.
# <Anonymous ~ftp>
# User ftp
# Group nogroup
# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
# # Cosmetic changes, all files belongs to ftp user
# DirFakeUser on ftp
# DirFakeGroup on ftp
#
# RequireValidShell off
#
# # Limit the maximum number of anonymous logins
# MaxClients 10
#
# # We want 'welcome.msg' displayed at login, and '.message' displayed
# # in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayChdir .message
#
# # Limit WRITE everywhere in the anonymous chroot
# <Directory *>
# <Limit WRITE>
# DenyAll
# </Limit>
# </Directory>
#
# # Uncomment this if you're brave.
# # <Directory incoming>
# # # Umask 022 is a good standard umask to prevent new files and dirs
# # # (second parm) from being group and world writable.
# # Umask 022 022
# # <Limit READ WRITE>
# # DenyAll
# # </Limit>
# # <Limit STOR>
# # AllowAll
# # </Limit>
# # </Directory>
#
# </Anonymous>
<IfModule mod_sftp.c>
<VirtualHost 0.0.0.0>
Port 211
SFTPEngine on
SFTPLog /var/log/proftpd/sftp.log
SFTPAuthMethods password # keyboard-interactive
SFTPHostKey /etc/proftpd/ssh_host_rsa_key
# SFTPAuthorizedUserKeys file:../etc/ssh/authorized_keys
SFTPCompression delayed
# MaxLoginAttempts 6
</VirtualHost>
</IfModule>
# Include other custom configuration files
Include /etc/proftpd/conf.d/
# Limit KeyHelp usergroup
<Limit LOGIN>
DenyGroup OR keyhelp_noftp keyhelp_suspended
</Limit>
Code:
2020-08-01 21:36:40,133 mod_sftp/1.0.0[785]: sent server version 'SSH-2.0-mod_sftp'
2020-08-01 21:36:40,165 mod_sftp/1.0.0[785]: received client version 'SSH-2.0-WinSCP_release_5.17.7'
2020-08-01 21:36:40,165 mod_sftp/1.0.0[785]: handling connection from SSH2 client 'WinSCP_release_5.17.7'
2020-08-01 21:36:40,200 mod_sftp/1.0.0[785]: + Session key exchange: ecdh-sha2-nistp256
2020-08-01 21:36:40,200 mod_sftp/1.0.0[785]: + Session server hostkey: ssh-rsa
2020-08-01 21:36:40,200 mod_sftp/1.0.0[785]: + Session client-to-server encryption: aes256-ctr
2020-08-01 21:36:40,200 mod_sftp/1.0.0[785]: + Session server-to-client encryption: aes256-ctr
2020-08-01 21:36:40,200 mod_sftp/1.0.0[785]: + Session client-to-server MAC: hmac-sha2-256
2020-08-01 21:36:40,200 mod_sftp/1.0.0[785]: + Session server-to-client MAC: hmac-sha2-256
2020-08-01 21:36:40,200 mod_sftp/1.0.0[785]: + Session client-to-server compression: none
2020-08-01 21:36:40,200 mod_sftp/1.0.0[785]: + Session server-to-client compression: none
2020-08-01 21:36:40,397 mod_sftp/1.0.0[785]: sending acceptable userauth methods: password
2020-08-01 21:36:40,436 mod_sftp/1.0.0[785]: client sent SSH_MSG_IGNORE message (99 bytes)
2020-08-01 21:36:40,436 mod_sftp/1.0.0[785]: no account for user 'user1_ftp1' found
2020-08-01 21:36:40,436 mod_sftp/1.0.0[785]: sending userauth failure; remaining userauth methods: password
2020-08-01 21:36:42,590 mod_sftp/1.0.0[785]: disconnecting client (received EOF)
Code:
#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes, reload proftpd after modifications, if
# it runs in daemon mode. It is not required in inetd/xinetd mode.
#
# Includes DSO modules
Include /etc/proftpd/modules.conf
# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6 on
# If set on you can experience a longer connection delay in many cases.
IdentLookups off
ServerName "server1.domain.de FTP-Server"
ServerType standalone
DeferWelcome off
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayChdir .message true
ListOptions "-l"
DenyFilter \*.*/
# Use this to jail all users in their homes
DefaultRoot ~
# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constraint.
# RequireValidShell off
# Port 21 is the standard FTP port.
Port 21
# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
PassivePorts 30000 30500
# If your host was NATted, this option is useful in order to
# allow passive transfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
# MasqueradeAddress 1.2.3.4
# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30
# Set the user and group that the server normally runs at.
User proftpd
Group nogroup
# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwriteable.
AllowOverwrite on
AllowRetrieveRestart on
AllowStoreRestart on
# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd off
# This is required to use both PAM-based authentication and local passwords
# AuthOrder mod_auth_pam.c* mod_auth_unix.c
# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile off
TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log
# Logging onto /var/log/lastlog is enabled but set to off by default
#UseLastlog on
# In order to keep log file dates consistent after chroot, use timezone info
# from /etc/localtime. If this is not set, and proftpd is configured to
# chroot (e.g. DefaultRoot or <Anonymous>), it will use the non-daylight
# savings timezone regardless of whether DST is in effect.
#SetEnv TZ :/etc/localtime
<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>
<IfModule mod_ratio.c>
Ratios off
</IfModule>
# Delay engine reduces impact of the so-called Timing Attack described in
# http://www.securityfocus.com/bid/11430/discuss
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
<IfModule mod_ctrls.c>
ControlsEngine off
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>
<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>
#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
Include /etc/proftpd/sql.conf
#
# This is used for FTPS connections
#
Include /etc/proftpd/tls.conf
#
# Useful to keep VirtualHost/VirtualRoot directives separated
#
#Include /etc/proftpd/virtuals.con
# A basic anonymous configuration, no upload directories.
# <Anonymous ~ftp>
# User ftp
# Group nogroup
# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
# # Cosmetic changes, all files belongs to ftp user
# DirFakeUser on ftp
# DirFakeGroup on ftp
#
# RequireValidShell off
#
# # Limit the maximum number of anonymous logins
# MaxClients 10
#
# # We want 'welcome.msg' displayed at login, and '.message' displayed
# # in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayChdir .message
#
# # Limit WRITE everywhere in the anonymous chroot
# <Directory *>
# <Limit WRITE>
# DenyAll
# </Limit>
# </Directory>
#
# # Uncomment this if you're brave.
# # <Directory incoming>
# # # Umask 022 is a good standard umask to prevent new files and dirs
# # # (second parm) from being group and world writable.
# # Umask 022 022
# # <Limit READ WRITE>
# # DenyAll
# # </Limit>
# # <Limit STOR>
# # AllowAll
# # </Limit>
# # </Directory>
#
# </Anonymous>
<IfModule mod_sftp.c>
<VirtualHost 0.0.0.0>
Port 211
SFTPEngine on
SFTPLog /var/log/proftpd/sftp.log
SFTPAuthMethods password # keyboard-interactive
SFTPHostKey /etc/proftpd/ssh_host_rsa_key
# SFTPAuthorizedUserKeys file:../etc/ssh/authorized_keys
SFTPCompression delayed
Include /etc/proftpd/sql.conf
DefaultRoot ~
</VirtualHost>
</IfModule>
# Include other custom configuration files
Include /etc/proftpd/conf.d/
# Limit KeyHelp usergroup
<Limit LOGIN>
DenyGroup OR keyhelp_noftp keyhelp_suspended
</Limit>
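The sftp.log excerpt above shows a fully negotiated SSH session that fails only at the user lookup ("no account for user ... found"), which points at the SFTP VirtualHost not having the SQL auth backend loaded rather than at a wrong password. The following parser is an added example (not from the thread or from KeyHelp) that groups mod_sftp log lines by child PID and separates that case from ordinary authentication failures; the sample lines are the ones posted above, and the log format is assumed to be the default mod_sftp SFTPLog format.

```python
import re
from collections import defaultdict

# Constructed sample: the mod_sftp lines posted in the thread (one session, PID 785).
SAMPLE_LOG = """\
2020-08-01 21:36:40,133 mod_sftp/1.0.0[785]: sent server version 'SSH-2.0-mod_sftp'
2020-08-01 21:36:40,165 mod_sftp/1.0.0[785]: received client version 'SSH-2.0-WinSCP_release_5.17.7'
2020-08-01 21:36:40,200 mod_sftp/1.0.0[785]: + Session key exchange: ecdh-sha2-nistp256
2020-08-01 21:36:40,200 mod_sftp/1.0.0[785]: + Session server hostkey: ssh-rsa
2020-08-01 21:36:40,200 mod_sftp/1.0.0[785]: + Session client-to-server encryption: aes256-ctr
2020-08-01 21:36:40,436 mod_sftp/1.0.0[785]: no account for user 'user1_ftp1' found
2020-08-01 21:36:40,436 mod_sftp/1.0.0[785]: sending userauth failure; remaining userauth methods: password
2020-08-01 21:36:42,590 mod_sftp/1.0.0[785]: disconnecting client (received EOF)
"""

LINE_RE = re.compile(r"^(\S+ \S+) mod_sftp/\S+\[(\d+)\]: (.*)$")   # timestamp, pid, message
ALGO_RE = re.compile(r"^\+ Session (.+?): (\S+)$")                  # negotiated algorithm lines
CLIENT_RE = re.compile(r"^received client version '(.+)'$")
NO_ACCOUNT_RE = re.compile(r"^no account for user '(.+)' found$")

def parse_sftp_log(text):
    """Group mod_sftp log lines by child PID and summarise each session."""
    sessions = defaultdict(lambda: {"client": None, "algos": {},
                                    "unknown_users": [], "auth_failures": 0})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines from other modules / garbage
        _ts, pid, msg = m.groups()
        s = sessions[pid]
        if (c := CLIENT_RE.match(msg)):
            s["client"] = c.group(1)
        elif (a := ALGO_RE.match(msg)):
            s["algos"][a.group(1)] = a.group(2)
        elif (u := NO_ACCOUNT_RE.match(msg)):
            s["unknown_users"].append(u.group(1))   # lookup failed before any password check
        elif msg.startswith("sending userauth failure"):
            s["auth_failures"] += 1
    return dict(sessions)

def diagnose(session):
    """Distinguish 'user not found by any auth backend' from a plain auth failure.
    The first case is what a missing Include of sql.conf in the SFTP vhost produces."""
    if session["unknown_users"]:
        return "user-lookup-failed"
    if session["auth_failures"]:
        return "auth-failed"
    return "ok"
```

Pointing the parser at a real /var/log/proftpd/sftp.log also gives you, per session, the client banner and the negotiated key exchange, host key and cipher, which is worth reviewing once the login problem is solved.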
> If a user has SSH permission, he can look into other people's directories.

That is partly true. If directories carry the appropriate file permissions, these users naturally cannot look into them either.

> see which other users/projects are on the server

Users: yes, projects: no.

> read off e.g. the version by comparing file sizes and start a hack
> find hidden files and, if they are in the webroot, retrieve them via the browser

As said, he does not get into the relevant folders, so that would not work.

> If a user has FTP permission, he cannot do that, but the connection is unencrypted. FTP permission != SFTP

If FTP is used, he does not get out of his home directory, correct.

> There is a non-recommended interim solution for connecting via SFTP anyway.

There was a workaround in the forum at some point (see further up), but at present it is still "configured past KeyHelp", which is why I cannot necessarily recommend it.
Code:
nano /etc/proftpd/conf.d/sftp.conf
Code:
<IfModule mod_sftp.c>
<VirtualHost 0.0.0.0>
Port 22
SFTPEngine on
SFTPAuthMethods password
SFTPLog /var/log/proftpd/sftp.log
# ssh-keygen -t rsa -b 4096 -C sftp.server.com
SFTPHostKey /etc/proftpd/keys/sftp_rsa
SFTPCompression delayed
MaxLoginAttempts 10
AllowOverwrite on
AllowStoreRestart on
DefaultRoot ~
# KeyHelp MySQL FTP User Backend
Include /etc/proftpd/sql.conf
</VirtualHost>
</IfModule>
Code:
systemctl restart proftpd
Hello Alexander,