Gentoo Forums
Connection refused on ftp server behind router

DaggyStyle
Watchman

Joined: 22 Mar 2006
Posts: 5409

Posted: Mon Apr 21, 2014 7:09 pm    Post subject: Connection refused on ftp server behind router

Greetings,

I want to set up an ftp server so my dad can upload files to it.
I'm connected via modem router (dlink 6740U), when I find my global ip and try to connect to it via my computer I get this:
ftp: connect: Connection refused

here is my vsftp config:
Code:
listen=YES
local_enable=YES
anonymous_enable=NO
write_enable=YES
anon_root=/home/ftp
seccomp_sandbox=NO
vsftpd_log_file=/var/log/vsftpd.log


I've defined port forwarding in the router for port 21 but still it doesn't connect.
iptables is running but I don't see any related prints in the logs.

any ideas what can be the issue?
_________________
Only two things are infinite, the universe and human stupidity and I'm not sure about the former - Albert Einstein

1clue
Advocate

Joined: 05 Feb 2006
Posts: 2562

Posted: Mon Apr 21, 2014 7:12 pm

Yes.

FTP is not friendly with firewalls. For example, Windows FTP will not work behind a firewall/nat setup no matter what you do.

I switched to vsftpd because it allows both secure ftp and can be configured to be firewall-friendly.

In any case you need to know what sort of firewall you have, whether you have a DMZ or not, and a few other things.

There are lots of options, you might want something else.


Last edited by 1clue on Mon Apr 21, 2014 7:13 pm; edited 1 time in total

DaggyStyle
Watchman

Joined: 22 Mar 2006
Posts: 5409

Posted: Mon Apr 21, 2014 7:13 pm

1clue wrote:
Yes.

FTP is not friendly with firewalls. For example, Windows FTP will not work behind a firewall/nat setup no matter what you do.

I switched to vsftpd because it allows both secure ftp and can be configured to be firewall-friendly.

In any case you need to know what sort of firewall you have, whether you have a DMZ or not, and a few other things.


fw on the router?

1clue
Advocate

Joined: 05 Feb 2006
Posts: 2562

Posted: Mon Apr 21, 2014 7:15 pm

Like a home router? If you don't have a public IP address and put the FTP server inside the DMZ you WILL need an ftp server that can handle the firewall setup. If it's in a DMZ then you MIGHT need special setup.

The problem is that ftp has multiple ports, and connections initiated from either side.

DaggyStyle
Watchman

Joined: 22 Mar 2006
Posts: 5409

Posted: Mon Apr 21, 2014 8:11 pm

so it isn't the right solution for me? if so, is there another way I can allow my dad to connect and upload files to my server?
I need something simple, I do have ssh server configured to accept only local connections and I'm not sure I want to open it to the net

1clue
Advocate

Joined: 05 Feb 2006
Posts: 2562

Posted: Mon Apr 21, 2014 8:21 pm

If you just want to have file transfers with your dad, then this ftp idea is a bag of angry cats. It's not terrible but it's definitely not the easiest service to use in conjunction with a home router.

If he has the ability to use ssh/scp then that's incredibly easier and probably better overall. Make an account for him on your box, tell your router to forward port 22 (for me it's in apps/gaming) and you're done.

If you would take my advice, you should expose ssh on some large port, over 5000. Most popular ports are under 5000, so the lazier hackers only scan that high. Using a nonstandard port will be just one more bit of protection for you. You can do it right inside your router, forward from 6789 to your linux box, port 22.

I would also disable root access on your ssh server, and make sure strong passwords are used for every account on that box.

At that point it's ssh -p dad@yourbox (yourbox = the public IP address of your router) to get a command line, or
scp -P dadsFile dad@yourbox:/path/to/newFile to copy the file.

Hu
Moderator

Joined: 06 Mar 2007
Posts: 14276

Posted: Tue Apr 22, 2014 1:49 am

With some extra work, you could run two sshd on the system. One serves the LAN and is permissive. The other serves the WAN and is very strict, allowing only the expected user account, requiring key authentication, forcing sftp, etc.

DaggyStyle
Watchman

Joined: 22 Mar 2006
Posts: 5409

Posted: Tue Apr 22, 2014 5:21 pm

1clue wrote:
If you just want to have file transfers with your dad, then this ftp idea is a bag of angry cats. It's not terrible but it's definitely not the easiest service to use in conjunction with a home router.

If he has the ability to use ssh/scp then that's incredibly easier and probably better overall. Make an account for him on your box, tell your router to forward port 22 (for me it's in apps/gaming) and you're done.

If you would take my advice, you should expose ssh on some large port, over 5000. Most popular ports are under 5000, so the lazier hackers only scan that high. Using a nonstandard port will be just one more bit of protection for you. You can do it right inside your router, forward from 6789 to your linux box, port 22.

I would also disable root access on your ssh server, and make sure strong passwords are used for every account on that box.

At that point it's ssh -p dad@yourbox (yourbox = the public IP address of your router) to get a command line, or
scp -P dadsFile dad@yourbox:/path/to/newFile to copy the file.


my father uses windows, I assume that he can use winscp but I'm not too fond of opening my ssh server to the net, I do use alternative port and will assign specific user with passwd, question is, can I take more measures?

DaggyStyle
Watchman

Joined: 22 Mar 2006
Posts: 5409

Posted: Tue Apr 22, 2014 5:23 pm

Hu wrote:
With some extra work, you could run two sshd on the system. One serves the LAN and is permissive. The other serves the WAN and is very strict, allowing only the expected user account, requiring key authentication, forcing sftp, etc.

interesting, can you provide a link? is it even worthwhile? does sftp require ftp server?

1clue
Advocate

Joined: 05 Feb 2006
Posts: 2562

Posted: Tue Apr 22, 2014 6:00 pm

DaggyStyle wrote:
my father uses windows, I assume that he can use winscp but I'm not too fond of opening my ssh server to the net, I do use alternative port and will assign specific user with passwd, question is, can I take more measures?


Yes. Require a key in order to log in at all, you can say you MUST have a key AND you MUST have a password.

You could also require the host key in /etc/ssh/ssh_known_hosts, so your father's key must be there before he can login, if he has a static IP anyway. I'm not sure about if he's mobile or dhcp if it might stop working.

Your best bet is to go through the /etc/ssh/* files and actually understand them, you know your situation best and your best defense is to understand what's going on. Turn off features you can live without, and turn on features that make you more secure.

DaggyStyle
Watchman

Joined: 22 Mar 2006
Posts: 5409

Posted: Tue Apr 22, 2014 6:09 pm

1clue wrote:
DaggyStyle wrote:
my father uses windows, I assume that he can use winscp but I'm not too fond of opening my ssh server to the net, I do use alternative port and will assign specific user with passwd, question is, can I take more measures?


Yes. Require a key in order to log in at all, you can say you MUST have a key AND you MUST have a password.

You could also require the host key in /etc/ssh/ssh_known_hosts, so your father's key must be there before he can login, if he has a static IP anyway. I'm not sure about if he's mobile or dhcp if it might stop working.

Your best bet is to go through the /etc/ssh/* files and actually understand them, you know your situation best and your best defense is to understand what's going on. Turn off features you can live without, and turn on features that make you more secure.


he is like me, dynamic ip.

I know that public key can allow passwd less login, can I use it for server handshake? e.g. if pub key supplied, ask for passwd, else return connection refused.

developer1
n00b

Joined: 29 Mar 2014
Posts: 49
Location: PL

Posted: Tue Apr 22, 2014 6:17 pm

There are many companies which will help you set up an ftp server....

DaggyStyle
Watchman

Joined: 22 Mar 2006
Posts: 5409

Posted: Tue Apr 22, 2014 6:29 pm

developer1 wrote:
There are many companies which will help you set up an ftp server....


if I can do it, why should I pay others?

1clue
Advocate

Joined: 05 Feb 2006
Posts: 2562

Posted: Tue Apr 22, 2014 9:52 pm

Incorrect information, post deleted.

Last edited by 1clue on Tue Apr 22, 2014 10:20 pm; edited 1 time in total

1clue
Advocate

Joined: 05 Feb 2006
Posts: 2562

Posted: Tue Apr 22, 2014 10:19 pm

Here you go:

man sshd_config and search on AuthenticationMethods.

Sorry I'm hacking this all up. So you could set it to something like 'publickey,keyboard-interactive' (I think) to require a public key before even asking for a password.

I didn't test this, but you have as much info as I do right now.

Hu
Moderator

Joined: 06 Mar 2007
Posts: 14276

Posted: Wed Apr 23, 2014 1:44 am

DaggyStyle wrote:
Hu wrote:
With some extra work, you could run two sshd on the system. One serves the LAN and is permissive. The other serves the WAN and is very strict, allowing only the expected user account, requiring key authentication, forcing sftp, etc.

interesting, can you provide a link? is it even worthwhile? does sftp require ftp server?

In order: no, maybe, and no. It may be worthwhile if you want stricter controls than can be achieved using the Match blocks in a standard sshd_config file. SFTP is defined to be run over an ssh channel. It provides ftp-like services, but uses sshd for authentication and confidentiality.

DaggyStyle
Watchman

Joined: 22 Mar 2006
Posts: 5409

Posted: Fri Apr 25, 2014 7:12 pm

based on your suggestions and google I've come up with this sshd_config:
Code:
# inner lan ssh port
Port 11111

# outer lan sftp port
Port 11113

# protocol
Protocol 2

# chrooted sftp
Match Address !10.0.0.1/24, LocalPort 11113
   Subsystem sftp internal-sftp
   ChrootDirectory /mnt/share/Downloads
   AllowTCPForwarding no
   X11Forwarding no
   ForceCommand internal-sftp
   AuthenticationMethods publickey,password publickey,keyboard-interactive
   AllowUsers foo

from what I understand this will limit all non local lan connections that have passed authentication as user foo to sftp session limited to /mnt/share/Downloads and listen to connections on port 11111

now I have three questions:

  1. do I have any error in file?
  2. how can I instruct chrooted sftp to use a specific key file?
  3. based on the config above, I assume that a user connecting on port 11113 will connect iff he is out of the lan and passes auth, what will happen if a user from within the lan will try to connect on port 11111?


Thanks

Hu
Moderator

Joined: 06 Mar 2007
Posts: 14276

Posted: Fri Apr 25, 2014 11:54 pm

I see no obvious problems. There is no need to force a specific key file. It will only permit keys listed in the authorized_keys file for that user. If you are concerned, you could place the authorized_keys file in a location where the user cannot modify it. For question 3, why not try it and post back? My guess is he will not match the shown Match block, and so will be bound only by server-wide policies.

DaggyStyle
Watchman

Joined: 22 Mar 2006
Posts: 5409

Posted: Sat Apr 26, 2014 7:18 pm

here is my current (full) file:
Code:
#   $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# inner lan ssh port
Port 11111

# outer lan sftp port
Port 11113

# protocol
Protocol 2

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
LogLevel DEBUG

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile   .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
PrintLastLog no
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox      # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# here are the new patched ldap related tokens
# entries in your LDAP must have posixAccount & ldapPublicKey objectclass
#UseLPK yes
#LpkLdapConf /etc/ldap.conf
#LpkServers  ldap://10.1.7.1/ ldap://10.1.7.2/
#LpkUserDN   ou=users,dc=phear,dc=org
#LpkGroupDN  ou=groups,dc=phear,dc=org
#LpkBindDN cn=Manager,dc=phear,dc=org
#LpkBindPw secret
#LpkServerGroup mail
#LpkFilter (hostAccess=master.phear.org)
#LpkForceTLS no
#LpkSearchTimelimit 3
#LpkBindTimelimit 3
#LpkPubKeyAttr sshPublicKey

# override default of no subsystems
Subsystem   sftp   /usr/lib64/misc/sftp-server

# the following are HPN related configuration options
# tcp receive buffer polling. disable in non autotuning kernels
#TcpRcvBufPoll yes
 
# disable hpn performance boosts
#HPNDisabled no

# buffer size for hpn to non-hpn connections
#HPNBufferSize 2048


# allow the use of the none cipher
#NoneEnabled no

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server

# chrooted sftp
Match Address !10.0.0.0/24, LocalPort 11113 # <== line 176
   ChrootDirectory /mnt/share/Downloads
   AllowTCPForwarding no
   X11Forwarding no
   ForceCommand internal-sftp
   AuthenticationMethods publickey,password publickey,keyboard-interactive
   AllowUsers foo
   AuthorizedKeysFile    /etc/ssh/sftp_authorized_keys
   ForceCommand /usr/lib/openssh/sftp-server

# Allow client to pass locale environment variables #367017
AcceptEnv LANG LC_*

connection from local lan via 11111 works well but sftp via 11113 renders this error:
Code:
Apr 26 19:27:11 NCC-5001-D sshd[8095]: fatal: reprocess config line 176: Bad Match condition


I'm not sure what I'm doing wrong, any ideas?

DaggyStyle
Watchman

Joined: 22 Mar 2006
Posts: 5409

Posted: Sun Apr 27, 2014 7:58 pm

this code seems to work for now:
Code:
#   $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# inner lan ssh port
Port 11111

# outer lan sftp port
Port 11113

# protocol
Protocol 2

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
LogLevel DEBUG

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile   .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
PrintLastLog no
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox      # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# here are the new patched ldap related tokens
# entries in your LDAP must have posixAccount & ldapPublicKey objectclass
#UseLPK yes
#LpkLdapConf /etc/ldap.conf
#LpkServers  ldap://10.1.7.1/ ldap://10.1.7.2/
#LpkUserDN   ou=users,dc=phear,dc=org
#LpkGroupDN  ou=groups,dc=phear,dc=org
#LpkBindDN cn=Manager,dc=phear,dc=org
#LpkBindPw secret
#LpkServerGroup mail
#LpkFilter (hostAccess=master.phear.org)
#LpkForceTLS no
#LpkSearchTimelimit 3
#LpkBindTimelimit 3
#LpkPubKeyAttr sshPublicKey

# override default of no subsystems
Subsystem   sftp   /usr/lib64/misc/sftp-server

# the following are HPN related configuration options
# tcp receive buffer polling. disable in non autotuning kernels
#TcpRcvBufPoll yes
 
# disable hpn performance boosts
#HPNDisabled no

# buffer size for hpn to non-hpn connections
#HPNBufferSize 2048


# allow the use of the none cipher
#NoneEnabled no

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server

# chrooted sftp
Match LocalPort 11113 Address *,!10.0.0.0/24
   # session restrictions
   ChrootDirectory /mnt/share/Downloads
   AllowTCPForwarding no
   X11Forwarding no
   AllowUsers foo
   ForceCommand /usr/lib/openssh/sftp-server

   # session authentication
   AuthenticationMethods publickey,password publickey,keyboard-interactive
   RSAAuthentication yes
   PubkeyAuthentication yes

# Allow client to pass locale environment variables #367017
AcceptEnv LANG LC_*

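Added example (not part of any post in this thread, and not OpenSSH code): a simplified Python model of how the `Match` lines posted above are evaluated, showing why the trailing comma ends in "Bad Match condition", why a negation-only `Address` list never matches, and what the working line does for LAN and WAN clients on each port. The function names and the sample client addresses are constructed for illustration; rejecting a network with host bits set (`10.0.0.1/24`) is an assumption of the model.

```python
import ipaddress
from fnmatch import fnmatchcase

# Match lines taken from the posts above (trailing comment removed).
FIRST_DRAFT = "Match Address !10.0.0.1/24, LocalPort 11113"
BROKEN = "Match Address !10.0.0.0/24, LocalPort 11113"
NEGATION_ONLY = "Match Address !10.0.0.0/24 LocalPort 11113"
WORKING = "Match LocalPort 11113 Address *,!10.0.0.0/24"

# Constructed sample clients: one outside the LAN, one inside it.
WAN_CLIENT = "203.0.113.7"
LAN_CLIENT = "10.0.0.5"


class BadMatch(ValueError):
    """Stands in for sshd's fatal 'Bad Match condition'."""


def address_list_matches(pattern_list, client_ip):
    """Evaluate a comma-separated Address pattern-list for one client IP."""
    ip = ipaddress.ip_address(client_ip)
    positive_hit = False
    for raw in pattern_list.split(","):
        negated = raw.startswith("!")
        entry = raw[1:] if negated else raw
        if not entry:
            # A trailing comma ("!10.0.0.0/24,") leaves an empty entry.
            raise BadMatch(f"empty entry in {pattern_list!r}")
        if "/" in entry:
            try:
                # Assumption: a network with host bits set is rejected.
                net = ipaddress.ip_network(entry, strict=True)
            except ValueError as exc:
                raise BadMatch(f"bad network {entry!r}") from exc
            hit = ip in net
        else:
            hit = fnmatchcase(client_ip, entry)
        if hit and negated:
            return False  # a negated hit vetoes the whole list
        positive_hit = positive_hit or hit
    # A list made only of negations never yields a positive match.
    return positive_hit


def match_applies(match_line, client_ip, local_port):
    """True if every criterion on the Match line holds for this connection."""
    tokens = match_line.split()
    if len(tokens) < 3 or tokens[0].lower() != "match" or len(tokens) % 2 == 0:
        raise BadMatch("expected: Match <criterion> <value> ...")
    applies = True
    for name, value in zip(tokens[1::2], tokens[2::2]):
        key = name.lower()
        if key == "address":
            ok = address_list_matches(value, client_ip)
        elif key == "localport":
            if not value.isdigit():
                raise BadMatch(f"bad port {value!r}")
            ok = int(value) == local_port
        else:
            raise BadMatch(f"criterion {name!r} is not modelled here")
        applies = applies and ok
    return applies


def verdict(match_line, client_ip, local_port):
    """Return 'match', 'no match' or 'config error: ...' for one connection."""
    try:
        hit = match_applies(match_line, client_ip, local_port)
        return "match" if hit else "no match"
    except BadMatch as exc:
        return f"config error: {exc}"


if __name__ == "__main__":
    for line in (FIRST_DRAFT, BROKEN, NEGATION_ONLY, WORKING):
        print(line)
        for ip in (WAN_CLIENT, LAN_CLIENT):
            for port in (11111, 11113):
                print(f"  {ip:<12} port {port}: {verdict(line, ip, port)}")
```

On a real server, `sshd -t` checks the file for syntax errors and `sshd -T -C` with a connection specification prints the settings that would apply to a given client, which is the authoritative check.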
1clue
Advocate

Joined: 05 Feb 2006
Posts: 2562

Posted: Mon Apr 28, 2014 2:04 am

If your remote user is on Windows then maybe cygwin would be advised. Or putty. Both setups allow nonstandard ports.

DaggyStyle
Watchman

Joined: 22 Mar 2006
Posts: 5409

Posted: Mon Apr 28, 2014 6:52 am

1clue wrote:
If your remote user is on Windows then maybe cygwin would be advised. Or putty. Both setups allow nonstandard ports.

putty is the program I use when needed