Old 05-26-2003, 09:00 AM   #1
kerim
Major Leaguer
 
Join Date: Jan 2002
Posts: 311
Setting up FTP users with Sharepoints

After reading through the forums, I figured out that to have secure FTP I needed to install pure-ftp, which I did through FINK. I also figured out (I think) how to configure it so that this is used by Apple as the default FTP client. However, I am stumped on the next step. I believe I need to set up users, directories, and permissions for FTP use - but I can't find instructions for doing this with OS X 10.2 and using the Sharepoints preference pane. Could anyone help? Thanks!
kerim is offline   Reply With Quote
Old 05-26-2003, 11:06 AM   #2
yellow
Moderator
 
Join Date: Jan 2002
Posts: 10,677
FWIW, sftp is already installed on OS X and is secure..
yellow is offline   Reply With Quote
Old 05-26-2003, 11:30 AM   #3
gatorparrots
Major Leaguer
 
Join Date: Dec 2002
Posts: 441
Create a user using the default facility (System Preferences > Accounts), then edit the user's capabilities in NetInfo Manager. I recommend setting a /dev/null shell assignment and changing the FTP user's home directory to the FTP root directory, so all users share a common home.

You may want a command line adduser tool that automates this process. If so, I recommend testuser's adduser script:
http://testuser.eshirazi.com/

Last edited by gatorparrots; 05-27-2003 at 11:06 AM.
gatorparrots is offline   Reply With Quote
Old 05-26-2003, 12:49 PM   #4
kerim
Major Leaguer
 
Join Date: Jan 2002
Posts: 311
Quote:
Originally posted by yellow
FWIW, sftp is already installed on OS X and is secure..

Is this something new? Why all these posts?

http://forums.macosxhints.com/showth...0915#post60915

http://forums.macosxhints.com/showth...ht=ftp+netinfo

If you are correct, and I have no way of knowing, it seems like a lot of people are wasting their time!
kerim is offline   Reply With Quote
Old 05-26-2003, 12:54 PM   #5
kerim
Major Leaguer
 
Join Date: Jan 2002
Posts: 311
Quote:
Originally posted by gatorparrots
then edit the user's capabilities in NetInfo Manager

This is the part I was asking for help with. I can't figure out how to use NetInfo Manager for the life of me, and have not found a step-by-step guide anywhere. Moreover, most people simply say to use SharePoints because it will be easier, but then they don't say what you need to do in Sharepoints either.

The script on MacFora looks useful, but I'm a little hesitant because the author himself warns you not to use it because it hasn't been tested...
kerim is offline   Reply With Quote
Old 05-26-2003, 01:01 PM   #6
kerim
Major Leaguer
 
Join Date: Jan 2002
Posts: 311
This thread:
http://forums.macosxhints.com/showth...p+user+netinfo

Has extensive instructions, but I'm wondering if this isn't overkill, considering the brief instructions provided by gatorparrots. Are all these steps necessary!?
kerim is offline   Reply With Quote
Old 05-26-2003, 01:05 PM   #7
yellow
Moderator
 
Join Date: Jan 2002
Posts: 10,677
Quote:
kerim wrote:
Is this something new? Why all these posts?

sftp? No, it's not new. sftp is secure ftp using the sshd. It behaves just like ftp, but all traffic is encrypted.

Quote:
kerim wrote:
If you are correct, and I have no way of knowing, it seems like a lot of people are wasting their time!

I am correct. Perhaps there is more functionality in pure-ftp that people would like. However, if encryption is your only concern, then sftp would have sufficed.
yellow is offline   Reply With Quote
Old 05-26-2003, 01:26 PM   #8
kerim
Major Leaguer
 
Join Date: Jan 2002
Posts: 311
Quote:
Originally posted by yellow
sftp? No, it's not new. sftp is secure ftp using the sshd. It behaves just like ftp, but all traffic is encrypted.

Ah, I understand. The difference then is that pure-ftp behaves more like regular FTP, but simply allows you control over what directories one can access. The default FTP lacks this important feature. However, neither is encrypted.

Here is a question: Can people use a default FTP client with SFTP, or do they need special software? Which software?
kerim is offline   Reply With Quote
Old 05-26-2003, 01:38 PM   #9
kerim
Major Leaguer
 
Join Date: Jan 2002
Posts: 311
I guess one difference between the long instructions on the other thread and gatorparrots' instructions is that the other thread is for setting up "anonymous ftp", while gatorparrots' is just for how to allow a single user access to a given folder.

The macfora script was from 2002 - has anyone tested it, and does it work with 10.2.6? Do you have to set anything special for the directories you want to share?
kerim is offline   Reply With Quote
Old 05-26-2003, 02:49 PM   #10
gatorparrots
Major Leaguer
 
Join Date: Dec 2002
Posts: 441
SFTP requires that the user have a valid shell account on your system. Consider the security implications of that for a moment. You should never give a shell account to anyone unless you trust them implicitly. A shell account is quite the potential open door into your system. (FTP use, on the other hand, does not require assigning a valid shell to the connecting user.)

Also, SFTP does not support chrooting, so the user is free to wander around the filesystem, potentially mucking up things by accident. Additionally, SFTP does not support the rich features available with modern FTP daemons, such as bandwidth throttling, upload/download quotas, maximum connections, connections per IP, etc.

Overall, SFTP is highly generous in what it allows a user to do. Whatever resources are available, it makes available to the connecting user (filesystem and bandwidth). While the encryption feature is nice, this is an administrative nightmare if you have unknowledgeable users, so if you are looking for a fine level of server control, you must still look to FTP.
gatorparrots is offline   Reply With Quote
Old 05-26-2003, 03:01 PM   #11
gatorparrots
Major Leaguer
 
Join Date: Dec 2002
Posts: 441
Quote:
Originally posted by kerim
I guess one difference between the long instructions on the other thread and gatorparrots' instructions is that the other thread is for setting up "anonymous ftp", while gatorparrots' is just for how to allow a single user access to a given folder.

The macfora script was from 2002 - has anyone tested it, and does it work with 10.2.6? Do you have to set anything special for the directories you want to share?

Yes, Jadey's thread was regarding setting up anonymous FTP. I don't recommend doing this, due to the security implications.

testuser (of Macfora) has a very nice, highly functional adduser script that has a wealth of options. It has perfect, fine control for setting up FTP-only user accounts. Unfortunately, it isn't posted at his site at the moment (because it is in beta), but you can use a functioning, slightly older version here:
http://www.macfora.com/forums/showth...&threadid=8858

*edit*
He now has his adduser script available on his site:
http://testuser.eshirazi.com/

Last edited by gatorparrots; 05-27-2003 at 11:07 AM.
gatorparrots is offline   Reply With Quote
Old 05-26-2003, 03:21 PM   #12
kerim
Major Leaguer
 
Join Date: Jan 2002
Posts: 311
I found the script on his site from the above link, and I ran it to create a new user. But I can't connect. I keep getting refused. Is there any way to test that my FTP connection is working? Perhaps I did something wrong in installing pure-ftp?

If I type "ftp 0" in the terminal it says:

Code:
ftp: connect: Connection refused
ftp>

Which isn't what I think should be happening. I turned on port forwarding in my router, opened a hole in my firewall, tried turning FTP on and off again in the system prefs. What else to try?
kerim is offline   Reply With Quote
Old 05-26-2003, 03:47 PM   #13
kerim
Major Leaguer
 
Join Date: Jan 2002
Posts: 311
BTW, here is what my system's "FTP" file looks like:

Code:
service ftp
{
	disable = no
	socket_type     = stream
	wait            = no
	user            = root
	server          = /sw/sbin/pureftpd
	server_args     = -A -E -c 5 -C 1 -I 5 -T 25 -u 1
	groups          = yes
	flags           = REUSE
}
I copied gatorparrots from the other thread, but changed the ports (I'm using the default - which is 21 right?) and I changed the server to point to the Fink install. But I think something is wrong.

Here is the FINK package description:

Quote:
pure-ftpd-1.0.14-1: Efficient, lightweight, and secure ftp server
Pure FTP Server is a fast, production quality, standards-conformant FTP
server based on Troll-FTPd. It has no known buffer overflows, is trivial
to set up, and is especially designed for modern kernels. Features include
PAM support, IPv6, chroot()ed home directories, virtual domains, built-in
'ls', FXP protocol, anti-warez system, bandwidth throttling, bounded ports
for passive downloads, an LDAP backend, XML output, and more.
.
Usage Notes:
To configure pure-ftpd you can run it manually with '/sw/sbin/pureftpd &'
as root with a number of command line options. You can also set it up to
run as a daemon by running 'sudo daemonic enable pure-ftpd' and disable it
with 'sudo daemonic disable pure-ftpd'.
.
Alternatively, you can modify the xinetd settings for FTP to use pure-ftpd
instead of Apple's ftpd by editing /etc/xinetd.d/ftp appropriately. This way,
when you enabled FTP in the System Preferences, it will be used automatically.
.
Web site: http://www.pureftpd.org
.
Maintainer: Max Horn <max@quendi.de>

The daemonic enable commands seem to work - or at least don't provide an error. But the '/sw/sbin/pureftpd &' command results in a command not found error...

I wish this stuff weren't so complicated. I've already wasted most of my day!!! But I'd like to thank everyone for their help!
kerim is offline   Reply With Quote
Old 05-26-2003, 03:55 PM   #14
mervTormel
League Commissioner
 
Join Date: Jan 2002
Posts: 5,536
if it were easy, we wouldn't call it code

it's called pure-ftpd here:

/sw/sbin/pure-ftpd
__________________
On a clear disk, you can seek forever.
mervTormel is offline   Reply With Quote
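
Added example (not part of the original posts, and not from Fink or pure-ftpd): a small check that parses an xinetd service file like the one in post #13 and reports whether its server path points at a real executable, which is the mistake found above. The temporary directory and file names in demo() are constructed for illustration.

```python
import os
import re
import tempfile

# Constructed sample, modelled on the service file quoted in the thread.
TEMPLATE = """service ftp
{
	disable = no
	socket_type     = stream
	wait            = no
	user            = root
	server          = %s
	server_args     = -A -E -c 5 -C 1 -I 5 -T 25 -u 1
}
"""

def parse_xinetd_service(text):
    """Return (service_name, {attribute: value}) for the first service block."""
    name = re.search(r"^\s*service\s+(\S+)", text, re.MULTILINE)
    body = re.search(r"\{(.*?)\}", text, re.DOTALL)
    if not name or not body:
        raise ValueError("no service block found")
    attrs = {}
    for line in body.group(1).splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue  # skip comments and blank lines
        key, value = line.split("=", 1)
        attrs[key.strip()] = value.strip()
    return name.group(1), attrs

def check_service(text):
    """List the problems that would keep the configured server from launching."""
    name, attrs = parse_xinetd_service(text)
    server = attrs.get("server")
    problems = []
    if attrs.get("disable", "no") == "yes":
        problems.append(f"{name}: service is disabled")
    if not server:
        problems.append(f"{name}: no 'server' attribute")
    elif not os.path.isfile(server):
        problems.append(f"{name}: server {server} does not exist")
    elif not os.stat(server).st_mode & 0o111:
        problems.append(f"{name}: server {server} is not executable")
    return problems

def demo():
    """Constructed sandbox in which only 'pure-ftpd' exists, as in the thread."""
    with tempfile.TemporaryDirectory() as sbin:
        real = os.path.join(sbin, "pure-ftpd")
        with open(real, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(real, 0o755)
        typo = os.path.join(sbin, "pureftpd")
        return check_service(TEMPLATE % typo), check_service(TEMPLATE % real)
```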
Old 05-26-2003, 04:03 PM   #15
kerim
Major Leaguer
 
Join Date: Jan 2002
Posts: 311
Amazing. That little hyphen did the trick!!! Seems to work now!
kerim is offline   Reply With Quote
Old 05-26-2003, 05:21 PM   #16
gatorparrots
Major Leaguer
 
Join Date: Dec 2002
Posts: 441
Apropos quote

Quote:
For want of a nail a shoe was lost, for want of a shoe a horse was lost, for want of a horse a rider was lost, for want of a rider an army was lost, for want of an army a battle was lost, for want of a battle the war was lost, for want of the war the kingdom was lost, and all for the want of a little horseshoe nail.
--Benjamin Franklin

gatorparrots is offline   Reply With Quote
Old 05-26-2003, 05:35 PM   #17
kerim
Major Leaguer
 
Join Date: Jan 2002
Posts: 311
I hope I didn't destroy any kingdoms by forgetting that hyphen! (Or maybe I do ...)
kerim is offline   Reply With Quote
Old 05-26-2003, 11:12 PM   #18
kerim
Major Leaguer
 
Join Date: Jan 2002
Posts: 311
Works, but then disconnects?

My friend is helping me test the connection. He seems to be able to connect, but almost immediately disconnects. The problem is clearly with the port setting. I opened up port 21, but he is getting this error:

Quote:
425 Could not open data connection to port 49670: Operation timed out

Why would he be trying to connect to port 49670 - I thought FTP was port 21? I don't want to needlessly be poking holes in my router's hardware firewall, so I'd like to understand what is going on before I do anything else.

For what it's worth, here is my computer's FTP log (modified for security):

Quote:
May 26 18:20:49 My-Computer pure-ftpd: (?@pool-XXX-XXX-XX-XX.nyXXX.east.verizon.net) [INFO] New connection frompool-XXX-XXX-XX-XX.nyXXX.east.verizon.net
May 26 22:20:49 My-Computer pure-ftpd: (?@pool-XXX-XXX-XX-XX.nyXXX.east.verizon.net) [INFO] jsanford is now logged in
May 26 22:24:14 My-Computer pure-ftpd: (user1@pool-XXX-XXX-XX-XX.nyXXX.east.verizon.net) [INFO] Logout - CPU time spent: 0.020 seconds.

kerim is offline   Reply With Quote
Old 05-27-2003, 07:41 AM   #19
yellow
Moderator
 
Join Date: Jan 2002
Posts: 10,677
That's not unusual for passive FTP. Unless he's using active FTP which negotiates and sends data on ports 20 & 21, it's always going to try and open a random high port to do the data transfer.
yellow is offline   Reply With Quote
Old 05-27-2003, 07:47 AM   #20
kerim
Major Leaguer
 
Join Date: Jan 2002
Posts: 311
Quote:
Originally posted by yellow
That's not unusual for passive FTP. Unless he's using active FTP which negotiates and sends data on ports 20 & 21, it's always going to try and open a random high port to do the data transfer.

If it is random, how do I know which one to poke a hole for in my firewall?
kerim is offline   Reply With Quote
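
Added example (not part of the original posts): the data port is never guessed, it is announced on the port-21 control connection as six numbers h1,h2,h3,h4,p1,p2 (RFC 959), with port = p1*256 + p2. The sketch below decodes a PORT command or a 227 reply and says which side has to accept the connection. The control lines and the 30000-30009 range are constructed; the range stands for whatever is handed to pure-ftpd's -p first:last option (the "bounded ports for passive downloads" in the package description) and forwarded on the router.

```python
import re

# h1,h2,h3,h4,p1,p2 as carried in PORT commands and 227 replies (RFC 959)
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def data_endpoint(control_line):
    """Decode the data-connection address and port from a control-channel line."""
    m = HOSTPORT.search(control_line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in line")
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range")
    host = ".".join(str(n) for n in nums[:4])
    return host, nums[4] * 256 + nums[5]

def who_listens(control_line):
    """Return the side that must accept the inbound data connection."""
    verb = control_line.split()[0].upper()
    if verb == "PORT":
        return "client"  # active mode: the server connects out to the client
    if verb == "227":
        return "server"  # passive mode: the client connects in to the server
    raise ValueError("not a PORT command or a 227 reply")

def firewall_hint(control_line, passive_range=(30000, 30009)):
    """Say whose firewall is involved; passive_range is an assumed -p setting."""
    host, port = data_endpoint(control_line)
    if who_listens(control_line) == "server":
        ok = passive_range[0] <= port <= passive_range[1]
        return f"server must accept TCP {port}; inside forwarded range: {ok}"
    return f"client at {host} must accept TCP {port}; server-side forwarding does not help"

# Constructed control-channel lines (documentation addresses, not from the thread)
ACTIVE = "PORT 192,0,2,10,194,6"
PASSIVE = "227 Entering Passive Mode (203,0,113,5,117,48)"

if __name__ == "__main__":
    for line in (ACTIVE, PASSIVE):
        print(line, "->", firewall_hint(line))
```

With a bounded passive range, the firewall rule covers port 21 plus that one small range instead of every high port.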
All times are GMT -5.