Secure FTP to One Directory

Status
Not open for further replies.

mirkots

Dabbler
Joined
Jun 26, 2013
Messages
18
I want to create a secure FTP to just one set of folders to be accessed over the internet, but cannot seem to find a way to do this.


More or less it will just be one folder with a few folders in it for books or files needed by laptops or tablets on the go with limited space.

I know I can just setup SSH, use a dynamic DNS, and install an FTP client on the mobile device for a secure way to connect and download. Not too hard there.

Trouble falls in allowing access only to a certain folder and not the whole thing. I'm stumped.

I apologize if this is answered somewhere, but I've looked through the forum and a few search engines with no luck.
 

mirkots
You could create a dataset to contain the folders and then chroot users to that dataset: http://www.freenas.org/images/resou...8.3.1_guide.html#__RefHeading__8926_309920344.
Thank you, this definitely put me on the right track. Trying to adapt it to SSH with http://doc.freenas.org/index.php/SSH as I'm familiar with SFTP being pretty secure, but as far as I understand FTPS is basically FTP similar to HTTPS and probably isn't as much.

Used this command:
chown username:groupname /mnt/volume/datasetfolder

And added this to extra options in SSH
Match Group groupname
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

Keeps failing to connect. Now if I remove the Match Group line it connects again, but with the same issue of going right to the root directory rather than forcing things to only the remote access folder. Definitely on the right track, just missing a step somewhere I think.
 

mirkots
Yes, that page has been improved since the 8.3.1 docs were released. The updated instructions on this page should get you going: http://doc.freenas.org/index.php/SSH#Chrooting_Command_Line_SFTP_Users. Let me know if a step is still missing from that version.
Thank you for all the help. Narrowing it down.

Changed the root directory for the user and it will automatically go to the right folder but still can move up the file path to higher access.

Still the minute I add to SSH Extra options it gives the error: Server unexpectedly closed network connection
Match Group groupname
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
 

dlavigne

Guest
Please post any relevant bits of /var/log/messages for when that error occurs. Is the SSH service running when you make the change or does the error occur afterwards when you try to start that service?
 

mirkots
Please post any relevant bits of /var/log/messages for when that error occurs. Is the SSH service running when you make the change or does the error occur afterwards when you try to start that service?
Restarted the service and the client each time I made a change, so it's after.

freenas sshd[55752]: fatal: bad ownership or modes for chroot directory component "/"

Seems it doesn't like chroot. Well a little closer to success.
 
dlavigne
That is a permissions problem. Does each user have their own dataset? Does the home directory for each user point to their dataset? The %h in that directive refers to the user's home directory.
 

mirkots
That is a permissions problem. Does each user have their own dataset? Does the home directory for each user point to their dataset? The %h in that directive refers to the user's home directory.
Only one user so far outside of root. Dataset just for it, though was under owner (root) Group (wheel), tried with the user/usergroup as well didn't work either.
Tried pointing the user Home right to the same location but still no go.
 

mirkots
Double checked how I had permissions set up.
Dataset: Owner (user) root, Owner (group) wheel (same as the volume it's on)
User Home set to the Dataset

This line: chown user1:user1 /mnt/volume1/user1/user1

Changes it from root/wheel to user/usergroup, perhaps that is what I'm using wrong, but the SSH directions say to do that I think. The directions also don't mention changing the home directory, but setting it to the folder, the dataset, or nothing doesn't seem to affect it; I get the same error.
 

paleoN

Wizard
Joined
Apr 22, 2012
Messages
1,403
What exact version of FreeNAS are you using? Start using [code][/code] tags for CLI output.

freenas sshd[55752]: fatal: bad ownership or modes for chroot directory component "/"
Check the permissions on /mnt:
Code:
ls -ld /mnt
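The error quoted above comes from the rule sshd applies to a ChrootDirectory path, which is why dlavigne calls it a permissions problem and paleoN asks about /mnt: every directory from "/" down to the chroot must be owned by root and must not be group- or world-writable. The script below is an added example, not code from the thread or from FreeNAS; it walks a path and applies that rule to each component so the offending directory can be found before sshd refuses the login. The function names (`owner_and_mode`, `check_component`, `chroot_path_check`), the GNU/BSD `stat` switch, and the optional owner-uid argument (there only so the check can be exercised on a throwaway directory tree) are mine.

```shell
#!/bin/sh
# Re-implements the ownership/mode test sshd runs on every component of a
# ChrootDirectory path (see sshd_config(5)): each directory from "/" down
# must be owned by root and must not be group- or world-writable.
# Assumption: the expected owner uid (2nd argument) defaults to 0 (root) and
# is only overridable so the check can be exercised on a scratch tree.

# Print "<uid> <octal mode>" for a path, on Linux (GNU stat) or FreeBSD (BSD stat).
owner_and_mode() {
    if stat -c '%u %a' / >/dev/null 2>&1; then
        stat -c '%u %a' "$1"
    else
        stat -f '%u %Lp' "$1"
    fi
}

# Check one directory; returns 0 when it is acceptable as a chroot component.
check_component() {
    dir=$1
    want_uid=$2
    set -- $(owner_and_mode "$dir")
    uid=$1
    mode=$2
    if [ "$uid" != "$want_uid" ]; then
        echo "bad ownership (uid $uid) for chroot directory component \"$dir\"" >&2
        return 1
    fi
    # 022 = group-write | other-write; either bit set is a failure
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "bad modes ($mode) for chroot directory component \"$dir\"" >&2
        return 1
    fi
    return 0
}

# Check "/" and then every ancestor of the target, shortest prefix first,
# so the first message printed names the component sshd would reject.
chroot_path_check() {
    target=$1
    want_uid=${2:-0}
    check_component / "$want_uid" || return 1
    cur=""
    old_ifs=$IFS
    IFS=/
    for part in $target; do
        IFS=$old_ifs
        [ -n "$part" ] || continue
        cur="$cur/$part"
        check_component "$cur" "$want_uid" || return 1
    done
    IFS=$old_ifs
    return 0
}

# Run directly as: sh chroot_check.sh /mnt/volume1/user1
if [ $# -gt 0 ]; then
    chroot_path_check "$@" && echo "every component of $1 is acceptable for ChrootDirectory"
fi
```

Point it at the directory that `%h` resolves to for the chrooted user (the dataset the home directory is set to) and fix the first component it reports, then retry the SFTP login. Because the chroot root itself has to stay root-owned with mode 755, the user cannot write into it directly; the writable area is a subdirectory beneath it owned by the user, which is what the `chown user1:user1 /mnt/volume1/user1/user1` step in the thread sets up.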
 

mirkots
What exact version of FreeNAS are you using? Start using [code][/code] tags for CLI output.


Check the permissions on /mnt:
Code:
ls -ld /mnt

Code:
drwxrwxr-x 6 root wheel


Version 8.3.1 x64 r13452 running from a USB flash drive
 

paleoN
Version 8.3.1 x64 r 13452 running from a usb flashdrive
FYI, that release is quite bugged. 8.3.1-p2 includes some non-encryption related fixes as well.
Code:
mountrw /

chmod 755 /

mount -r /
Then try it again and see what it says. No need for the mount commands the second time around.
 

mirkots
FYI, that release is quite bugged. 8.3.1-p2 includes some non-encryption related fixes as well.
Code:
mountrw /
 
chmod 755 /
 
mount -r /
Then try it again and see what it says. No need for the mount commands the second time around.
Gave me a message about mountrw command not found. Running the rest changed it to read only, but to no effect.

I wonder if I can manage to upgrade without ending up with a situation where all my files on the drives are owned by an OS that doesn't exist afterward. This definitely smells of bugs, but I didn't want to assume with my limited experience with BSD.
 

paleoN
Gave me a message about mountrw command not found. Running the rest changed it to read only, but to no effect.
All those need to be run as root and mountrw is an alias:
Code:
alias
 

mirkots
All those need to be run as root and mountrw is an alias:
Code:
alias
Apparently I've been too stupid to figure out how to make that work either.

It's not crippling to my use of the system, but I do really want to understand things. So many years down the Windows path of ease seem to have dulled me badly; it's a little hard turning around.
 

paleoN
Apparently I've been too stupid to figure out how to make that work either.
Wait, typing the command alias to have a list of all currently defined aliases printed out, or switching to root after SSH-ing in? To switch to root your user account first needs to be added to the wheel group. Then su to root.
 

mirkots
Wait, typing the command alias to have a list of all currently defined aliases printed out, or switching to root after SSH-ing in? To switch to root your user account first needs to be added to the wheel group. Then su to root.
Alias returned nothing when I used it in shell. Root I can have just logging in by the webui on the network and using the shell. I'm trying not to have root when logging in over the net, but it only allows me to use it if I allow it full access.

So I couldn't manage to get the shell to do what it needs to do, but I've been testing by trying to log in by SFTP with a FileZilla client. Probably not the smartest way, but if an FTP client can't go by SSH then it's all for nothing even if SSH permissions decided to work otherwise. SSH with root works; that is kinda the problem really, since it's making everything root.
 

paleoN
So I couldn't manage to get the shell to do what it needs to do, but I've been testing by trying to log in by SFTP with a FileZilla client.
You need an SSH client, e.g. PuTTY, not FileZilla. The web shell is using bash and apparently doesn't have any aliases defined. If you use an actual SSH client those commands work.
 