How to Deny User FTP Access

Status
Not open for further replies.

catnas

Explorer
Joined
Dec 12, 2015
Messages
57
Is it possible in 9.10 to deny a particular user account access to FTP? I'm using one main (not root) user account for SMB access on my home network, and I want that user to have access to everything.

However, if that account is compromised, I don't want someone to be able to FTP into the server and get access to everything else. I've created a separate user account whose home directory is lower down in the directory structure. That resolves the issue for that user. But you can still log in with the other account(s) and get root-directory access.

Appreciate any thoughts. Thanks!
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
You have FTP exposed to the internet? And root-level accounts that can authenticate thereto with password only?
 

catnas

Explorer
Joined
Dec 12, 2015
Messages
57
You have FTP exposed to the internet? And root-level accounts that can authenticate thereto with password only?
No, which is why I was asking the above question. It seems silly to run multiple FTP servers on the same system, but if the only solution is to run one inside a jail then that's what I'll have to do.
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
I am having a great deal of trouble understanding your use case, and what's on your mind, and therefore, to understand what your question actually is. For example, what is the connection in your original post from SMB to FTP? What are you envisioning? Is the SFTP that is more-or-less built-in to SSH somehow unsatisfactory to your purpose?

It will be much easier to help you if I can understand what you're trying to do and why.
 

catnas

Explorer
Joined
Dec 12, 2015
Messages
57
I am having a great deal of trouble understanding your use case, and what's on your mind, and therefore, to understand what your question actually is. For example, what is the connection in your original post from SMB to FTP? What are you envisioning? Is the SFTP that is more-or-less built-in to SSH somehow unsatisfactory to your purpose?

It will be much easier to help you if I can understand what you're trying to do and why.

I want to be able to FTPS* to dump images in a folder from my DSLR when I'm traveling. I do not want to lug an external drive and risk losing irreplaceable vacation pictures if I lost the drive or it was damaged.

Ideally, I would just use the FTP service that is built into FreeNAS. However, as I mentioned above, I have noticed that--apparently--any user account that exists on the FreeNAS will be allowed to log into the FTP server when it is running. This is obviously extremely undesirable because it would allow root-level access over WAN if the account were compromised.

FreeNAS allows you to restrict users to their home directory with the chroot option:
a local user is only allowed access to their home directory unless the user is a member of group wheel

While that's all well and good for that particular user account, it doesn't go far enough because other accounts in the wheel group, root, etc., have home directories (or access) to the rest of the fileserver.

If there were a way to prevent those users from logging into the FTP, that would be the ideal solution. Otherwise, I will have to run an FTP server in a jail, which is additional work to set up.

Thanks for your reply -- hopefully the above clarifies what's going on.



*FTPS is FTP encrypted by TLS. SFTP is FTP over SSH. FreeNAS has implemented FTPS.
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
FreeNAS has also implemented SFTP, since that is standard in any ssh daemon, sir. And *THAT* is the solution I would recommend to you.

How will you be transferring the files?

If Windows, I recommend bitvise.
If Android, I recommend ANDftp, which supports SFTP.

In any case, set your ssh service to accept only certificates, and set up a certificate for root, and then upload your photos and whatever else via the built-in SFTP on the ssh daemon, to your heart's content, and with little fear of opening up your port, or anyone seeing your files in transit.
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
FreeNAS has also implemented SFTP, since that is standard in any ssh daemon, sir. And *THAT* is the solution I would recommend to you.

How will you be transferring the files?

If Windows, I recommend bitvise.
If Android, I recommend ANDftp, which supports SFTP.

In any case, set your ssh service to accept only certificates, and set up a certificate for root, and then upload your photos and whatever else via the built-in SFTP on the ssh daemon, to your heart's content, and with little fear of opening up your port, or anyone seeing your files in transit.
Side effect: only users for which you have stored a certificate would be able to log in in the first place.

Which is what you wanted.
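The advice above (keys only, no passwords, SFTP over the existing ssh daemon) is easy to get half-right, so here is an added example, not DrKK's code and not anything shipped by FreeNAS or OpenSSH, that audits an sshd_config for exactly those settings. It assumes standard sshd_config syntax (first occurrence of a keyword wins, `Match` opens a conditional block) and uses an assumed upload account named `camera`; both config fragments are constructed samples. It goes one step beyond the post by also checking for an SFTP-only, chrooted block for that account, which is the SSH-side equivalent of the FTP chroot option the original poster found insufficient.

```python
"""Audit an OpenSSH sshd_config for key-only logins and an SFTP-only upload user.

Added example (not FreeNAS's or OpenSSH's code). Assumes standard sshd_config
syntax: 'Keyword value' lines, '#' comments, first occurrence of a keyword
wins, and 'Match' starts a conditional block. 'camera' is an assumed account.
"""
import re

# PermitRootLogin values that still allow a key but never a password.
SAFE_ROOT_LOGIN = {"no", "prohibit-password", "without-password"}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    global_settings: {keyword_lower: first_value}
    match_blocks:    list of (criteria_string, {keyword_lower: first_value})
    """
    global_settings = {}
    match_blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        current.setdefault(keyword, value)    # first occurrence wins, as in sshd
    return global_settings, match_blocks


def audit_sshd_config(text, sftp_user):
    """Return a list of findings; an empty list means the config passes."""
    g, matches = parse_sshd_config(text)
    findings = []

    def require(key, wanted, msg):
        if g.get(key, "").lower() not in wanted:
            findings.append(msg)

    require("passwordauthentication", {"no"},
            "PasswordAuthentication must be 'no' (default is yes)")
    require("challengeresponseauthentication", {"no"},
            "ChallengeResponseAuthentication must be 'no' (also blocks PAM password prompts)")
    require("pubkeyauthentication", {"yes"},
            "PubkeyAuthentication must be 'yes'")
    require("permitrootlogin", SAFE_ROOT_LOGIN,
            "PermitRootLogin must be set to 'prohibit-password' or 'no'")
    if not (g.get("allowusers") or g.get("allowgroups")):
        findings.append("AllowUsers/AllowGroups not set: every local account with a key may log in")

    # The upload account should be confined to SFTP inside its own directory.
    block = next((b for crit, b in matches
                  if crit.lower() == f"user {sftp_user}".lower()), None)
    if block is None:
        findings.append(f"no 'Match User {sftp_user}' block confining the upload account")
    else:
        if block.get("forcecommand", "").lower() != "internal-sftp":
            findings.append(f"{sftp_user}: ForceCommand internal-sftp missing (shell access possible)")
        if "chrootdirectory" not in block:
            findings.append(f"{sftp_user}: ChrootDirectory missing (whole filesystem visible)")
        if block.get("allowtcpforwarding", "yes").lower() != "no":
            findings.append(f"{sftp_user}: AllowTcpForwarding should be 'no'")
    return findings


# Constructed sample: what the post recommends, plus a confined upload account.
HARDENED = """\
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
AllowUsers root camera
Subsystem sftp internal-sftp

Match User camera
    ForceCommand internal-sftp
    ChrootDirectory /mnt/tank/camera
    AllowTcpForwarding no
    X11Forwarding no
"""

# Constructed sample: passwords still accepted, nothing confined.
WEAK = """\
PasswordAuthentication yes
PermitRootLogin yes
"""

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, "->", audit_sshd_config(cfg, "camera") or ["ok"])
```

One OpenSSH requirement worth knowing before copying the `Match` block: the `ChrootDirectory` path and every directory above it must be owned by root and not writable by group or others, or sshd refuses the login; uploads then go into a subdirectory that the upload account owns.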
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
@catnas Do let me know how it goes. I am happy to provide more verbose information on what you need to do, if that would be helpful.
 

catnas

Explorer
Joined
Dec 12, 2015
Messages
57
@catnas Do let me know how it goes. I am happy to provide more verbose information on what you need to do, if that would be helpful.
Thanks. I am familiar with Putty on Windows, but will be traveling with a mac laptop. I can generate the keypair in terminal on OSX, but it appears this would result in an unencrypted private key being saved on the laptop. (And, anyway, I still need a GUI SSH client for file transfer.) Are you familiar with any OSX clients that do better? I wish putty or bitvise were available on OSX...
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
Thanks. I am familiar with Putty on Windows, but will be traveling with a mac laptop. I can generate the keypair in terminal on OSX, but it appears this would result in an unencrypted private key being saved on the laptop. (And, anyway, I still need a GUI SSH client for file transfer.) Are you familiar with any OSX clients that do better? I wish putty or bitvise were available on OSX...
Sir:

Typically speaking, the private key is (almost always) protected by "passphrase". That is usually an option at creation time. What that means is that even if your private key resides on the laptop, it is "useless" to anyone unless they know your (presumably strong) passphrase. A passphrase-protected private key---while you wouldn't want to hand it out for free on the internet---is certainly well secured as something you can carry around on a laptop. All of us (the hard core nerds) do it all the time. Just make sure your passphrase is more hack-proof than "puppies" or the Comey-special "password". "3a+Ba11zlololol69" type passphrases are probably pretty good even against a state hacker.

As for OSX, I have never actually used a Mac (of any type) ever, in my life. So I can't help you. But a quick google search indicates there is something called "rbrowser" and something else called "cyberduck" which look like decent candidates at a 5 second perusal, but I cannot vouch for those.
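The worry raised two posts up was an unencrypted private key sitting on the laptop. Whether a key file is passphrase-protected can be read straight from its envelope without decrypting anything, and the following added example (not DrKK's code and not part of OpenSSH) does that for both key formats OpenSSH writes: in the modern `openssh-key-v1` format the cipher and KDF names are stored in the clear at the start of the base64 payload, and `none` means no passphrase; legacy PEM keys signal encryption with a `Proc-Type: 4,ENCRYPTED` header. The sample keys are constructed stand-ins with dummy key material and cannot be loaded by ssh.

```python
"""Report whether an OpenSSH private key file is passphrase-protected.

Added example (not FreeNAS's or OpenSSH's code). Only the key envelope is
parsed; no decryption is attempted. Sample keys are constructed stand-ins.
"""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, off):
    """Read one SSH 'string' (uint32 big-endian length + bytes) at offset off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    return buf[off:off + n], off + n


def _pem_body(lines):
    """Join the base64 lines between the BEGIN and END markers."""
    return "".join(ln for ln in lines[1:] if ln and not ln.startswith("-----"))


def inspect_private_key(pem_text):
    """Return a dict describing the key envelope, including an 'encrypted' flag."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-style private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode(_pem_body(lines))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(blob, off)     # 'none' => saved without passphrase
        kdf, off = _read_string(blob, off)        # 'bcrypt' when a passphrase is set
        _kdfopts, off = _read_string(blob, off)   # salt + rounds (unused here)
        (nkeys,) = struct.unpack(">I", blob[off:off + 4])
        return {"format": "openssh-key-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "keys": nkeys, "encrypted": cipher != b"none"}
    # Legacy PEM (e.g. 'BEGIN RSA PRIVATE KEY'): optional headers, blank line, body.
    headers = {}
    for ln in lines[1:]:
        if ":" not in ln:
            break
        key, val = ln.split(":", 1)
        headers[key.strip()] = val.strip()
    encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
    cipher = headers.get("DEK-Info", "none").split(",")[0]
    return {"format": "legacy-pem", "cipher": cipher,
            "kdf": "pem-legacy" if encrypted else "none",
            "keys": 1, "encrypted": encrypted}


def _string(b):
    return struct.pack(">I", len(b)) + b


def build_sample_key(cipher, kdf):
    """Constructed openssh-key-v1 envelope with dummy key material (not usable by ssh)."""
    kdfopts = _string(b"\x00" * 16) + struct.pack(">I", 16) if kdf == "bcrypt" else b""
    blob = (OPENSSH_MAGIC + _string(cipher.encode()) + _string(kdf.encode())
            + _string(kdfopts) + struct.pack(">I", 1)
            + _string(b"dummy-public-key") + _string(b"dummy-private-section"))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy PEM sample; the body is filler, not a real key.
LEGACY_ENCRYPTED = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

ZHVtbXkgbGVnYWN5IGtleSBib2R5
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for label, key in (("protected", build_sample_key("aes256-ctr", "bcrypt")),
                       ("unprotected", build_sample_key("none", "none")),
                       ("legacy", LEGACY_ENCRYPTED)):
        print(label, inspect_private_key(key))
```

Run it against `~/.ssh/id_ed25519` (or whichever file `ssh-keygen` wrote) to see whether the laptop copy is protected; if the report says `cipher: none`, `ssh-keygen -p -f <keyfile>` adds a passphrase to the existing key in place.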
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
In retrospect, it's surprising nobody ever called cyberjock cyberduck.
Well, he gets the "du" in duck replaced with "co" and "di" and "fu" pretty frequently, depending on whom you're talking to.
 