I’m at my [limited] wits’ end!
I’ve been trying to fortify my My Book Live 3GB’s for external access by family members gradually spreading out around the globe.
I don’t like the WD2GO solution due to the lack of controls/logging, so I’ve been utilizing FTP within the MBL.
However, I feel exposed with that solution, so I’ve been trying to implement SFTP with logons for specified MBL users.
Using threads like How to Setup Secure FTP, and others, I successfully got it working. However, when the client software (Filezilla) connects, the user (not admin) goes to the root level of the device, not to the /shares folder. The etc/password file shows /shares as the home directory, but it’s being ignored. I love my family, but I’m not at all comfortable with them being able to modify root level files!
I have configured etc/vsftpd.conf and restarted it.
Following is the vsftp.conf file I’m using.
Hopefully someone knows what I’m doing wrong! Thanks!
Turn on SSL
Allow anonymous users to use secured SSL connections Sugg: YES
All non-anonymous logins are forced to use a secure SSL connection in order to send and receive data on data connections. Sugg: YES
All non-anonymous logins are forced to use a secure SSL connection in order to send the password.
Permit TLS v1 protocol connections. TLS v1 connections are preferred
Permit SSL v2 protocol connections. TLS v1 connections are preferred
permit SSL v3 protocol connections. TLS v1 connections are preferred
Disable SSL session reuse (required by WinSCP)
Select which SSL ciphers vsftpd will allow for encrypted SSL connections (required by FileZilla)
This option specifies the location of the RSA certificate to use for SSL
Hello, FTP access with third party software is not officially supported, but maybe some of the other community members can chime in and share some advice.
Thanks very much for your suggestions!
As per the instructions provided, I:
edit file /etc/ssh/sshd_config
Change “AllowUsers” line by adding user names such as:
AllowUsers root user1 user2
Optional: Set users home dir: edit file /etc/passwd
The following will set home dir to “Public”
Change from “/shares:/bin/sh” to “/shares/Public:/bin/sh”
Restart ssh daemon or reboot:
Tested ssh SFTP for a user within the home network.
The result was still the same. Configured users can connect fine in SFTP, but they are positioned at the root level, not at the /shares/Public (or at the /shares directory, where I would really like them to be).
Is there something I’m doing wrong? …or is there a missing step? …or any other suggestions?
no idea. It seems to work fine for me via ssh and sftp/scp.
can you test with SSH see if that places the user at the home dir?
I tested it with SSH.
Yes, with SSH, it positions the connection at the directory specified in the passwd file.
Now, if only I could figure out why SFTP won’t cooperate!
hmmm, make sure in filezilla you are using “sftp - ssh file transfer protocol” as the server type.
Otherwise, try a different version of Filezilla and/or another app. I am using an old version, 3.3.51 and works just fine.
Thanks for your continued suggestions.
Yes, I’m definitely using the SFTP - SSH File Transfer Protocol of Filezilla.
Regarding switching versions. The reason I’m trying to implement SFTP is for security. If somebody can get at my root files if they use the latest version of Filezilla (or any particular SFTP client), that sort of defeats the purpose.
different versions refers to filezilla, 3.7.1, 3.7.2, etc. not different protocols such as sftp/scp/ftp/etc…
Now, whether they are in a different home folder, has nothing to do with the home dir. They might be able to browse to different dirs anyway when home dir is set. However, it will all depend on the permissions you provide.
But do not take my word for it, test it. try deleting, creating files, listing files, etc…
Well, I set aside some time to do as you suggested, Shabuboy.
However, when I did my first (standard) test with the settings above, it worked! I can’t explain it. Each user was positioned at the directory specified in the Passwd file, and although they could move up the hierarchy, they could only modify files as specified in the MBL dashboard.
I had rebooted sshd, vsftp, and the device. Is there something else that I needed to restart (that later restarted on its own), or some cache that needed to be flushed? I’m at a loss - HAPPY - but at a loss!
So thank-you very much for your help!
A follow-up question, now that I’m on a roll!
Is there a way to log SFTP file transfers? I see logon messages in the sshd.log, but nothing about file transfers in it, nor in the messages file.
I tried changing the sshd_config “Subsystem sftp /usr/lib/openssh/sftp-server” line to:
Subsystem sftp /usr/lib/openssh/sftp-server -l INFO (or VERBOSE)
And restarted with: /etc/init.d/ssh restart
…but that didn’t help.
No idea, to tell you the truth. Search for sftp logging on Debian. These devices run Debian Lenny.
Thanks again! That should help me narrow it down.
Did you get it working yet? I’m having the same problem here and searching for the solution
Thanks in advance!
I got it working! The solution appeared to be to FIRST connect through root and AFTER THAT through your own created user / share to make the connection wanted. Using the login credentials both local and remote works now. I have removed the login option root from /etc/ssh/sshd_config just for safety.
How do you ensure that the other folders are not available? I want one-defined primary folder accessible. The one I log on to. Where can I determine the rights?
hmmm, my post mentions the folder permissions and home folder… not sure if you read it all.
Anyhow, the permissions will be whatever you defined in the dashboard, private vs public
How do you ensure that the other folders are not available?
- Dashboard, private vs public. The folder might be listed even if you do not have rights, but won’t be able to access it
I want one-defined primary folder accessible. The one I log on to.
- Set a home folder for SSH, see my post…
Where can I determine the rights?
- Dashboard, public vs private (and users who can access it).
Just play with it, you will get it…
Maybe I’m explaining myself wrong, or not searching too well… :smiley:
I’ve got the following setup:
When logging in with the credentials especially for the share ‘Transfer’ I can go up a level in the FTP client and see the other folders. Private, Media, Public. The first 2 are not accessible, which I managed through the GUI from My Book Live. The public one still is, that’s my problem. I even would prefer NO visibility of ALL of these folders and just go in that one share ‘Transfer’ without the possibility to go up to the other folders but okay…
If I should make a concession to see the folder(s) but not make them accessible, especially the Public folder, that would be OK too.
Is this possible? Then please guide me the way or point me in the direction where to look
If you are looking how to hide folders, sorry no idea. I believe there was a guide somewhere in this forum how to do that. Search for it.
Otherwise, what you are looking for is for advanced Unix Admins (which I am far from…). The MBL runs Debian Lenny, good luck.
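
An added example, not part of any post in this thread: a small Python check over sshd_config text for the points the thread keeps returning to (root listed in AllowUsers, SFTP transfer logging, confinement to a single share). Both sample configs are constructed; the group name `sftponly`, the chroot path `/shares/Transfer` and the finding labels are assumptions, and whether the My Book Live firmware accepts the hardened variant is not confirmed anywhere in the thread.

```python
# Constructed sample: the setup the thread describes (values quoted in the posts).
THREAD_CONFIG = """\
AllowUsers root user1 user2
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed sample: a hardened variant. Group name and chroot path are assumptions.
HARDENED_CONFIG = """\
AllowUsers user1 user2
Subsystem sftp internal-sftp -l INFO
Match Group sftponly
    ChrootDirectory /shares/Transfer
    ForceCommand internal-sftp -l INFO
"""

def parse(text):
    """Split sshd_config text into global settings and a list of Match blocks."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":               # everything after this line is conditional
            current = {"match": value}
            blocks.append(current)
            continue
        target = global_opts if current is None else current
        target.setdefault(key, value)    # for most keywords sshd uses the first value
    return global_opts, blocks

def audit(text):
    """Return sorted finding labels (hypothetical names) for the thread's concerns."""
    global_opts, blocks = parse(text)
    findings = []
    if "root" in global_opts.get("allowusers", "").split():
        findings.append("root-in-allowusers")
    # sftp-server / internal-sftp default to log level ERROR; transfers need INFO or higher.
    tokens = global_opts.get("subsystem", "").split()
    level = tokens[tokens.index("-l") + 1].upper() if "-l" in tokens[:-1] else "ERROR"
    if level in ("QUIET", "FATAL", "ERROR"):
        findings.append("sftp-transfers-not-logged")
    scopes = [global_opts] + blocks
    if not any("chrootdirectory" in s for s in scopes):
        findings.append("no-chroot")     # users can walk up out of their home dir
    if not any(s.get("forcecommand", "").startswith("internal-sftp") for s in scopes):
        findings.append("shell-access-not-restricted")
    return sorted(findings)
```

OpenSSH refuses a ChrootDirectory unless every component of the path is owned by root and not writable by group or others, so check the ownership of the share before relying on the hardened variant. The logging check only confirms the flag is set; where the messages end up depends on the device's syslog configuration.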