ProFTPd: TLSREQUIRED for regular users, but not for Anon



dackel
29.07.04, 13:45
hi

I'm stuck on a small problem here. I want the users who have an account with me to be able to log in only with SSL, i.e. sftp, but the anonymous account should also work without it.
And now I'm sitting here with no idea how to set this up.

I hope you can help me.

thx


regards
Dackel

$kuLL
29.07.04, 17:48
From the TLS howto at www.proftpd.org:


Question: Can I require TLS on a per-user basis?
Answer: Prior to ProFTPD 1.2.10rc2, no. The IETF Draft specifying FTP over TLS requires that the TLS handshake occur before the client sends the USER command. This means that the server does not know the name of the user that the client will be using when the TLS session is established. It is possible that the client's certificate, if one is even presented, may contain information the server may use to map that certificate to a user, but such mapping is not currently supported by mod_tls. Note that this is also the reason the TLSRequired directive cannot appear in the <Anonymous> context: anonymous logins are based on the USER command.

However, in 1.2.10rc2, the mod_tls module was modified to allow such per-user TLS requirements. To do this, the AllowPerUser parameter of the TLSOptions directive is used. For example, the following example mod_tls configuration allows non-SSL anonymous sessions, but requires SSL/TLS for all other sessions:

<IfModule mod_tls.c>
TLSEngine on
TLSRSACertificateFile ...
TLSCACertificateFile ...
TLSOptions AllowPerUser
TLSRequired on

<Anonymous ~ftp>
User ftp
Group ftp
UserAlias anonymous ftp

RequireValidShell off

# Note how TLSRequired is set to off here in the <Anonymous> context
TLSRequired off
</Anonymous>
</IfModule>

The modification also allows mod_ifsession-based conditions, so that one can have settings like:
<IfGroup trusted>
TLSRequired off
</IfGroup>

However, there is a risk involved in using the AllowPerUser option: it causes mod_tls not to enforce TLSRequired until after the potentially sensitive USER and PASS commands have been sent by the client. This allows clients, even when TLSRequired on or TLSRequired ctrl are in effect, to send the USER and PASS commands unencrypted. Depending on your site's security needs, the ability to require SSL/TLS on a per-user basis may or may not be worth the ability to require SSL/TLS for the USER and PASS commands.
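Added example (not from the thread or the ProFTPD project): a small Python checker for the mod_tls pattern quoted above. It parses a proftpd.conf snippet (the constructed sample is modelled on the howto's configuration), tracks the <Anonymous> and <IfGroup> contexts, and reports who can still log in over cleartext, including the AllowPerUser caveat the howto describes. The function names and the wording of the findings are this example's own assumptions.

```python
import re
# Constructed sample, modelled on the howto snippet quoted above.
SAMPLE_CONF = """\
<IfModule mod_tls.c>
TLSOptions AllowPerUser
TLSRequired on
<Anonymous ~ftp>
# anonymous sessions may stay in the clear
TLSRequired off
</Anonymous>
</IfModule>
"""

def parse_tls_settings(conf):
    """Return (global TLSRequired, TLSOptions set, {context header: TLSRequired})."""
    stack, required, options, overrides = [], None, set(), {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            stack.pop()
        elif re.fullmatch(r"<\w+(\s+[^>]*)?>", line):
            stack.append(line[1:-1].strip())  # e.g. 'Anonymous ~ftp', 'IfGroup trusted'
        else:
            key, val = (line.split(None, 1) + [""])[:2]
            user_ctx = [c for c in stack if not c.startswith("IfModule")]  # IfModule scopes no user
            if key.lower() == "tlsoptions":
                options.update(val.split())
            elif key.lower() == "tlsrequired" and user_ctx:
                overrides[user_ctx[-1]] = val.strip()
            elif key.lower() == "tlsrequired":
                required = val.strip()
    return required, options, overrides

def assess(conf):
    """Findings a defender wants: can anyone log in over cleartext, and who?"""
    required, options, overrides = parse_tls_settings(conf)
    findings = []
    if required not in ("on", "ctrl"):
        findings.append("global: TLSRequired is not on/ctrl, so cleartext logins are allowed for everyone")
    if "AllowPerUser" in options:
        findings.append("AllowPerUser: TLSRequired is enforced only after USER/PASS, so account credentials may still be sent in cleartext")
    elif overrides:
        findings.append("per-context TLSRequired needs ProFTPD 1.2.10rc2+ with TLSOptions AllowPerUser to take effect")
    for ctx, val in overrides.items():
        if val == "off" and not ctx.startswith("Anonymous"):
            findings.append(f"<{ctx}>: TLSRequired off lets this group or user log in unencrypted")
    return findings
```

Run `assess(SAMPLE_CONF)` to see the single AllowPerUser finding for the howto's configuration; swapping the <Anonymous> block for an <IfGroup trusted> block adds a second finding for that group.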

dackel
29.07.04, 18:48
great, thanks, it simply works .... bueno :D