
[Savannah-hackers] Re: Savannah sftp broken again: but it did not change


From: Mathieu Roy
Subject: [Savannah-hackers] Re: Savannah sftp broken again: but it did not change in 5 months
Date: 16 Sep 2003 10:55:47 +0200
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3

Jonathan Walther <address@hidden> said:

> I finally got all the pieces together and tried to create an arch
> repository on Savannah.
> 
> What did I find?  I could not.  The error looked suspiciously similar to
> one I'd seen before, one I had helped fix.
> 
> I logged in and took a look at the sshd config file.  As I suspected.
> 
> Somehow, Savannah switched back to a version of the configuration file
> that doesn't work.
> 
> Can someone please restore it to a working version.  I didn't expect a
> lot from Savannah, because I know you admins are hard working and have
> limited time because you are volunteers.
> 
> But I have ship dates to meet, or my project will lose credibility.  A
> lot of people have been contributing to Xouvert, and the success of the
> project reflects directly on them.
> 
> It is important that Savannah support sftp access.
> 
> The way Savannah is set up right now, chroot access for sftp is NOT
> possible.
> 
> Someone switched the sshd configuration to use the so-called "chroot"
> version of the sftp subsystem.  This does not work, it has never worked,
> and it CANNOT work.  Any project that wants to have an arch repository
> needs it to work, including my project.

[/etc/ssh]# stat sshd_config
  File: "sshd_config"
  Size: 2046            Blocks: 8          IO Block: 4096   Regular File
Device: 343h/835d       Inode: 495289      Links: 1    
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: Tue Sep 16 04:20:37 2003
Modify: Wed Apr  9 12:40:35 2003
Change: Tue Aug  5 09:39:47 2003

This file has not changed since April.


> sftp has never yet been compromised, and the version of ssh on Savannah
> is up to date.  The directory permissions are set correctly.  What is to
> worry about?  No one is able to access anything with sftp they cannot
> ALREADY access with ssh.

No one HAS access with SSH but the Savannah administrator. That's
probably a reason why Savannah has never been compromised.

 
> Please, reenable the proper, working sftp subsystem.  It won't
> compromise system security, but what you currently have does
> compromise system usability.  I have software to ship.
> 
> I hope this can be resolved amicably and swiftly.


sftp never worked as it should, that's true (however it works for some
users). Nobody is apparently able to provide sftp working in a secure
way for the whole system and the sftp documentation is very poor.

But Savannah does not currently support arch. However, if some users find a
way to use it on Savannah, there's no problem for us.

But we cannot provide help for a service we do not offer. We plan to
offer the choice between CVS and arch and subversion, but it's still a
plan. 

And sftp is not supported either. We always knew it was somehow partly
broken but it was just an extra tool to help users unfamiliar with
rsync. It has never been designed to be a way to use arch.


So if you have a nice solution to propose, we would be glad to hear
it. Having the whole server wide browsable by Savannah's users is not
an option (too risky -- SourceForge has been compromised so many times
by being so permissive). So if you have a proposal to fix sftp with
chrooted/jailed access, please provide information. If you don't,
another solution is to propose a plan for the addition of arch
support.


You have software to release, sure. But you cannot expect
unsupported tools (both sftp and arch) to be our priority
matter. Security of the whole system is the top priority matter, and
having no chroot for sftp would disregard that priority.



--
Mathieu Roy
 
  Homepage:
    http://yeupou.coleumes.org
  Not a native english speaker: 
    http://stock.coleumes.org/doc.php?i=/misc-files/flawed-english



