Re: Need to SSL my ftp users.
From: Menno Duursma (menno_at_desktop.lan)
Date: Sun, 28 Mar 2004 14:58:07 GMT
On Sat, 27 Mar 2004 23:29:32 +0000, Sybren Stuvel wrote:
> yO .. enlightened us with:
>> assuming this delay is because I have it launched via inetd .. anyways ..
> Don't assume, check. Use a network sniffer if needed.
If no sniffer available, some log-everything firewall rules should do:
iptables -A INPUT -j LOG
iptables -A OUTPUT -j LOG
> It could be that the server does an ident query on the client computer.
> it could also be that the server tries to do a reverse DNS query.
Indeed. That would probably be "tcpwrapper" settings. Thus, in that case a
look at: /etc/hosts.deny and /etc/hosts.allow might be in order.
Maybe a "telnet" to TCP port 21 whilst looking at the output of "netstat"
(on both client and server) would tell some more also.
>> I'm new to how ssl works. After all this I'm not sure how to get my
>> client to work with this wsftpd(windows)
Well, I dunno all that much about wsftpd (or MS-Windows for that matter).
However, previous FTP-SSL draft document(s), stated the use of TCP port
990 for "ftps". Hence, WS_FTP might look for a server running there, when
setup to use SSL/TLS.
Adding a line to: /etc/inetd.conf (beginning with "ftps") and restarting
(i.e.: "killall -HUP inetd") should do. Provided /etc/services contains:
ftps 990/tcp # ftp protocol, control, over TLS/SSL
>> I believe I've created a proper test cert targeting my private key. Am
>> I supposed to somehow create a public key?
> Yes. Don't exactly know how, though, since I don't use ftp (in favour of
> sftp). [ ... ]
I just read a post by J.O. Aho in this thread:
And the URL posted therein looks like it makes chrooting OpenSSH users
pretty easy, I'll have to test that, interesting... Did you use that
"jailkit" as well? TIA.
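As an added example, not part of the thread or of any project mentioned in it, the following POSIX shell script puts the two pieces of advice above into checkable form: it registers the "ftps" entry in /etc/services and /etc/inetd.conf idempotently, and it generates iptables LOG rules scoped to the FTP control ports and rate-limited, so the log stays readable instead of recording every packet as the `-A INPUT -j LOG` rules would. File paths are parameters and the demonstration runs on constructed copies of the two files; the inetd.conf program path is a placeholder, since the thread does not name the FTP daemon in use, and the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example (not from the original thread). Works on file paths passed in,
# so it can be exercised on constructed copies rather than the live system.

# ensure_line FILE LINE: append LINE to FILE unless an identical line exists.
# Prints "added" or "present" so a caller can tell what happened.
ensure_line() {
    file=$1; line=$2
    [ -f "$file" ] || : > "$file"
    if grep -Fxq -- "$line" "$file"; then
        echo "present"
    else
        printf '%s\n' "$line" >> "$file"
        echo "added"
    fi
}

# service_port FILE NAME PROTO: print the port that an /etc/services-style
# FILE maps NAME/PROTO to, or nothing if the service is not registered.
service_port() {
    awk -v n="$2" -v p="$3" '
        $1 == n { split($2, a, "/"); if (a[2] == p) { print a[1]; exit } }
    ' "$1"
}

# inetd_has_service FILE NAME: succeed if an inetd.conf-style FILE has an
# uncommented entry whose service field is NAME (commented lines start "#").
inetd_has_service() {
    awk -v n="$2" '$1 == n { found = 1 } END { exit !found }' "$1"
}

# log_rules PORT...: print iptables rules that log only new inbound control
# connections to, and outbound replies from, the given TCP ports, rate-limited
# so a busy server does not flood syslog. Dry run: rules are printed, not run.
log_rules() {
    for port in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s --syn -m limit --limit 5/min -j LOG --log-prefix "ftp-in: "\n' "$port"
        printf 'iptables -A OUTPUT -p tcp --sport %s -m limit --limit 5/min -j LOG --log-prefix "ftp-out: "\n' "$port"
    done
}

# Demonstration on constructed copies of the two files in a temp directory.
demo() {
    dir=$(mktemp -d)
    printf 'ftp 21/tcp\nssh 22/tcp\n' > "$dir/services"
    printf '# comment\nftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n' > "$dir/inetd.conf"

    # Same entry the thread gives for /etc/services; second call is a no-op.
    ensure_line "$dir/services" "ftps 990/tcp # ftp protocol, control, over TLS/SSL"
    ensure_line "$dir/services" "ftps 990/tcp # ftp protocol, control, over TLS/SSL"
    echo "ftps/tcp is registered on port: $(service_port "$dir/services" ftps tcp)"

    # inetd entry for ftps; /path/to/ftpd-with-tls is a placeholder for the
    # actual FTP daemon binary, which the thread does not name.
    ensure_line "$dir/inetd.conf" "ftps stream tcp nowait root /usr/sbin/tcpd /path/to/ftpd-with-tls"
    if inetd_has_service "$dir/inetd.conf" ftps; then
        echo "inetd.conf has an active ftps entry (send inetd a HUP to pick it up)"
    fi

    echo "Scoped LOG rules for the plain and TLS control ports:"
    log_rules 21 990
    rm -rf "$dir"
}

demo
```

After running the printed rules, `grep 'ftp-in:' /var/log/messages` (or wherever the kernel log lands) shows connection attempts with their timestamps, which is what is needed to see where the delay the original poster noticed actually occurs.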