sftp-server

sftp-server

Edgar Pettijohn III-2
I was looking into how best to secure a sftp-server.  The manual
mentions a -Q option to query protocol features supported.  I added the
following line to sshd_config.

Subsystem       sftp    /usr/libexec/sftp-server sftp -Q requests

So far I'm not sure how to get at the information provided by this
command line option.  Or am I doing it wrong?

Any insight is greatly appreciated.

Edgar


Re: sftp-server

Jiri B-2
On Thu, Nov 30, 2017 at 05:36:57PM -0600, Edgar Pettijohn wrote:

> I was looking into how best to secure a sftp-server.  The manual
> mentions a -Q option to query protocol features supported.  I added the
> following line to sshd_config.
>
> Subsystem       sftp    /usr/libexec/sftp-server sftp -Q requests
>
> So far I'm not sure how to get at the information provided by this
> command line option.  Or am I doing it wrong?
>
> Any insight is greatly appreciated.
>
> Edgar

IMO you got confused, it is "query", it does not set anything.

Output of "-Q requests" as "requests"/actions which sftp client
can do on remote server.

An example: you want to mimic anon ftp upload server, then you
would - IIRC - open, write, lstat,... but not readdir, remote,
symlink etc...

j.


Re: sftp-server

Edgar Pettijohn III-2
On Fri, Dec 01, 2017 at 02:59:38AM -0500, Jiri B wrote:
> On Thu, Nov 30, 2017 at 05:36:57PM -0600, Edgar Pettijohn wrote:
> > I was looking into how best to secure a sftp-server.  The manual
> > mentions a -Q option to query protocol features supported.  I added the
> > following line to sshd_config.
> >
> > Subsystem       sftp    /usr/libexec/sftp-server sftp -Q requests
> >
> > So far I'm not sure how to get at the information provided by this
> > command line option.  Or am I doing it wrong?

For future reference:

$ /usr/libexec/sftp-server -Q requests

gives the following output:

open
close
read
write
lstat
fstat
setstat
fsetstat
opendir
readdir
remove
mkdir
rmdir
realpath
stat
rename
readlink
symlink
posix-rename
statvfs
fstatvfs
hardlink
fsync

> >
> > Any insight is greatly appreciated.
> >
> > Edgar
>
> IMO you got confused, it is "query", it does not set anything.
I didn't suggest it did set anything. The other command line options
require they be set in sshd_config, so that's what I tried. Didn't click
to try on the command line. :(
>
> Output of "-Q requests" as "requests"/actions which sftp client
> can do on remote server.
>
> An example: you want to mimic anon ftp upload server, then you
> would - IIRC - open, write, lstat,... but not readdir, remote,
> symlink etc...

My end goal is similar. I want users to log in trapped in their $HOME
but be able to make directories, remove directories, upload, download,
possibly symlink. I'll just play around with it till I feel comfortable.
>
> j.
>
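
Added example, not part of the original thread: one way to turn the -Q output above into a request allowlist for chrooted SFTP-only users. It uses the -p (allowed requests) option documented in sftp-server(8); the group name "sftponly", the helper function names and the mapping from the stated goal to request names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). SUPPORTED is the -Q output quoted above;
# on a live host: SUPPORTED=$(/usr/libexec/sftp-server -Q requests)
SUPPORTED="open close read write lstat fstat setstat fsetstat opendir readdir
remove mkdir rmdir realpath stat rename readlink symlink posix-rename statvfs
fstatvfs hardlink fsync"

# Assumed mapping of the stated goal to requests; verify with your own clients.
#   browsing:   realpath stat lstat fstat opendir readdir close
#   transfer:   open read write close
#   dirs/links: mkdir rmdir symlink
WANTED="realpath stat lstat fstat opendir readdir open close read write mkdir rmdir symlink"

# build_allowlist WANTED SUPPORTED
# Prints a comma-separated list suitable for -p. Returns 1 and names the
# offender on stderr if a wanted request is not one the server reports.
build_allowlist() {
    list=""
    for req in $1; do
        found=0
        for s in $2; do
            if [ "$req" = "$s" ]; then found=1; break; fi
        done
        if [ "$found" -ne 1 ]; then
            echo "unsupported request name: $req" >&2
            return 1
        fi
        list="${list:+$list,}$req"
    done
    printf '%s\n' "$list"
}

# emit_match_block GROUP ALLOWLIST: print an sshd_config stanza.
# ChrootDirectory must be root-owned and not group/world-writable, so users
# need a writable subdirectory inside it for uploads.
emit_match_block() {
    printf 'Match Group %s\n' "$1"
    printf '    ChrootDirectory %%h\n'
    printf '    ForceCommand internal-sftp -p %s\n' "$2"
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
}

if allow=$(build_allowlist "$WANTED" "$SUPPORTED"); then
    emit_match_block sftponly "$allow"
fi
```

Requests left out of the list here (remove, rename, setstat and so on) are refused for matching users; check the result with sshd -t before reloading.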