Monthly Archives: February 2012

SFTP/SCP without shell access on Debian

You know how it is: you’re hosting some creaky mass of PHP and SSIs on your box for historical/hysterical reasons, the site requires some kind of FTP access for its admin to edit it, and you’d rather not give them an SSH login with which to do arbitrary stuff on your machine.

For the last couple of years, I’ve used scponly (this guide) to achieve roughly the right effect, but having an essentally unmaintained chroot on my box slowly collecting security vulnerabilities felt wrong. Surely it must be possible to provide secure FTP to users without using SSH at all, and without having to maintain a chroot?

Indeeed it is. ProFTPD is a well-recognised FTP server and has a handy SFTP module, and both are conveniently packaged for Debian:

# apt-get install proftpd-basic

The documentation is pretty good; it enabled me to arrive at the config below (suck it into the main one using an include for ease of maintenance) with just the one diversion to work out why my WinSCP wouldn’t talk to it (see the protocol switching line below). In WinSCP’s defence, I am using a pretty ancient version.

# Use SFTP with the same keys as SSH
SFTPEngine on
SFTPLog /var/log/proftpd/sftp.log

SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key

# Enable compression
SFTPCompression delayed

# Workaround for WinSCP bug:
SFTPClientMatch ".*WinSCP.*" sftpProtocolVersion 4

# Allow the same number of authentication attempts as OpenSSH.
# It is recommended that you explicitly configure MaxLoginAttempts
# for your SSH2/SFTP instance to be higher than the normal
# MaxLoginAttempts value for FTP, as there are more ways to authenticate
# using SSH2.
MaxLoginAttempts 6

# Only allow specifically whitelisted users (members of the ftp group)
<Limit LOGIN>
 AllowGroup ftp

Just make sure your users are in the ftp group, but not able to log in through SSHD.

Of course, with either solution you still have to worry about scripts and PHP executed by your user’s website being able to see the full filesystem of the machine, but mod_chroot and mod_suexec for Apache are both well documented and also Debian packaged.

Port forwarding with xinetd

Port forwarding with xinetd – this is really useful. I spent ages trying and failing to get an iptables-based forward from an IP address/port on machine 1 to an IP address/port on a remote machine2. I thought about writing some sick Python to forward incoming connections, but running it as root to bind the right port/IP or doing yet more iptables didn’t appeal … and then I remembered this is what xinetd is for.

So on Debian, you can apt-get install xinetd and use the config above to forward arbitrary ports (there’s also a ‘bind’ directive to specify the IP to bind to on the forwarding machine).

British Gas find a new way to annoy me…

As if they weren’t an inefficient enough organisation to deal with in other respects, today a division of British Gas asked me to send them a remittance advice to:

CardiffC&[email protected]

Yes, that really is an ampersand in the local part. Sufficiently unusual that trying to send to it upset my default-configured installation of Exim:

rejected RCPT <CardiffC&[email protected]>: restricted characters in address

You can tone down the (perfectly reasonable) check for these iffy characters by exempting from it: edit /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt and edit the domains line of the second ‘restricted characters in address’ ACL to read:

domains = !+local_domains : !


Apologies for the absence of updates here in 2012 to date. It’s been a frustrating series of false starts to the year for me, with a break-in at St Columba’s, followed closely by a cycling accident*, a nasty cold and then a stomach bug, leaving me pretty much out of the game until this week.

Happily I think I’m now back to normal, and I have a few interesting things to write about, including some pretty graphs from the new church heating system, and some ideas for the Raspberry Pi when I finally get my hands on one. Oh, and last weekend, I bought a car, so I’m back on four wheels after an eleven month absence.

Watch this space!

* Don’t drink and cycle, kids. And don’t waste any sympathy on me.