From: Daira Hopwood Date: Thu, 5 Sep 2013 17:10:39 +0000 (+0100) Subject: Thu Mar 22 22:04:53 GMT 2012 david-sarah@jacaranda.org X-Git-Url: https://git.rkrishnan.org/?a=commitdiff_plain;h=24c4c8306059bd6ea100b6c3d379f49ae18dc5e9;p=tahoe-lafs%2Ftahoe-lafs.git Thu Mar 22 22:04:53 GMT 2012 david-sarah@jacaranda.org * Put SFTP before FTP in various docs. fixes #1692 --- diff --git a/docs/configuration.rst b/docs/configuration.rst index 35466e2e..811b30ea 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst @@ -396,12 +396,12 @@ CLI filesystem, uploading/downloading files, and creating/running Tahoe nodes. See ``_ for details. -FTP, SFTP +SFTP, FTP - Tahoe can also run both FTP and SFTP servers, and map a username/password + Tahoe can also run both SFTP and FTP servers, and map a username/password pair to a top-level Tahoe directory. See ``_ - for instructions on configuring these services, and the ``[ftpd]`` and - ``[sftpd]`` sections of ``tahoe.cfg``. + for instructions on configuring these services, and the ``[sftpd]`` and + ``[ftpd]`` sections of ``tahoe.cfg``. Drop-Upload diff --git a/docs/frontends/FTP-and-SFTP.rst b/docs/frontends/FTP-and-SFTP.rst index ac576743..786d2f7f 100644 --- a/docs/frontends/FTP-and-SFTP.rst +++ b/docs/frontends/FTP-and-SFTP.rst @@ -6,8 +6,8 @@ Tahoe-LAFS SFTP and FTP Frontends 2. `Tahoe-LAFS Support`_ 3. `Creating an Account File`_ 4. `Running An Account Server (accounts.url)`_ -5. `Configuring FTP Access`_ -6. `Configuring SFTP Access`_ +5. `Configuring SFTP Access`_ +6. `Configuring FTP Access`_ 7. `Dependencies`_ 8. `Immutable and Mutable Files`_ 9. `Known Issues`_ @@ -38,11 +38,11 @@ for details. Tahoe-LAFS Support ================== -All Tahoe-LAFS client nodes can run a frontend FTP server, allowing regular -FTP clients (like /usr/bin/ftp, ncftp, and countless others) to access the -virtual filesystem. They can also run an SFTP server, so SFTP clients (like -/usr/bin/sftp, the sshfs FUSE plugin, and others) can too. These frontends -sit at the same level as the web-API interface. +All Tahoe-LAFS client nodes can run a frontend SFTP server, allowing regular +SFTP clients (like ``/usr/bin/sftp``, the ``sshfs`` FUSE plugin, and many +others) to access the virtual filesystem. They can also run an FTP server, +so FTP clients (like ``/usr/bin/ftp``, ``ncftp``, and others) can too. These +frontends sit at the same level as the web-API interface. Since Tahoe-LAFS does not use user accounts or passwords, the SFTP/FTP servers must be configured with a way to first authenticate a user (confirm @@ -60,11 +60,11 @@ HTTP-based login mechanism, backed by simple PHP script and a database. Creating an Account File ======================== -To use the first form, create a file (probably in -BASEDIR/private/ftp.accounts) in which each non-comment/non-blank line is a -space-separated line of (USERNAME, PASSWORD, ROOTCAP), like so:: +To use the first form, create a file (for example ``BASEDIR/private/accounts``) +in which each non-comment/non-blank line is a space-separated line of +(USERNAME, PASSWORD, ROOTCAP), like so:: - % cat BASEDIR/private/ftp.accounts + % cat BASEDIR/private/accounts # This is a password line, (username, password, cap) alice password URI:DIR2:ioej8xmzrwilg772gzj4fhdg7a:wtiizszzz2rgmczv4wl6bqvbv33ag4kvbr6prz3u6w3geixa6m6a bob sekrit URI:DIR2:6bdmeitystckbl9yqlw7g56f4e:serp5ioqxnh34mlbmzwvkp3odehsyrr7eytt5f64we3k9hhcrcja @@ -103,37 +103,6 @@ makes it harder for attackers to brute force the password or use DNS poisoning to cause the Tahoe-LAFS gateway to talk with the wrong server, thereby revealing the usernames and passwords. -Configuring FTP Access -====================== - -To enable the FTP server with an accounts file, add the following lines to -the BASEDIR/tahoe.cfg file:: - - [ftpd] - enabled = true - port = tcp:8021:interface=127.0.0.1 - accounts.file = private/ftp.accounts - -The FTP server will listen on the given port number and on the loopback -interface only. The "accounts.file" pathname will be interpreted relative to -the node's BASEDIR. - -To enable the FTP server with an account server instead, provide the URL of -that server in an "accounts.url" directive:: - - [ftpd] - enabled = true - port = tcp:8021:interface=127.0.0.1 - accounts.url = https://example.com/login - -You can provide both accounts.file and accounts.url, although it probably -isn't very useful except for testing. - -FTP provides no security, and so your password or caps could be eavesdropped -if you connect to the FTP server remotely. The examples above include -":interface=127.0.0.1" in the "port" option, which causes the server to only -accept connections from localhost. - Configuring SFTP Access ======================= @@ -172,7 +141,7 @@ lines to the BASEDIR/tahoe.cfg file:: port = tcp:8022:interface=127.0.0.1 host_pubkey_file = private/ssh_host_rsa_key.pub host_privkey_file = private/ssh_host_rsa_key - accounts.file = private/ftp.accounts + accounts.file = private/accounts The SFTP server will listen on the given port number and on the loopback interface only. The "accounts.file" pathname will be interpreted relative to @@ -195,6 +164,37 @@ clients and with the sshfs filesystem, see wiki:SftpFrontend_ .. _wiki:SftpFrontend: https://tahoe-lafs.org/trac/tahoe-lafs/wiki/SftpFrontend +Configuring FTP Access +====================== + +To enable the FTP server with an accounts file, add the following lines to +the BASEDIR/tahoe.cfg file:: + + [ftpd] + enabled = true + port = tcp:8021:interface=127.0.0.1 + accounts.file = private/accounts + +The FTP server will listen on the given port number and on the loopback +interface only. The "accounts.file" pathname will be interpreted relative to +the node's BASEDIR. + +To enable the FTP server with an account server instead, provide the URL of +that server in an "accounts.url" directive:: + + [ftpd] + enabled = true + port = tcp:8021:interface=127.0.0.1 + accounts.url = https://example.com/login + +You can provide both accounts.file and accounts.url, although it probably +isn't very useful except for testing. + +FTP provides no security, and so your password or caps could be eavesdropped +if you connect to the FTP server remotely. The examples above include +":interface=127.0.0.1" in the "port" option, which causes the server to only +accept connections from localhost. + Dependencies ============ diff --git a/docs/frontends/drop-upload.rst b/docs/frontends/drop-upload.rst index 4f220b51..3608acd6 100644 --- a/docs/frontends/drop-upload.rst +++ b/docs/frontends/drop-upload.rst @@ -17,7 +17,7 @@ several platforms, but it currently works only on Linux. The implementation was written as a prototype at the First International Tahoe-LAFS Summit in June 2011, and is not currently in as mature a state as -the other frontends (web, CLI, FTP and SFTP). This means that you probably +the other frontends (web, CLI, SFTP and FTP). This means that you probably should not keep important data in the upload directory, and should not rely on all changes to files in the local directory to result in successful uploads. There might be incompatible changes to how the feature is configured in diff --git a/docs/frontends/webapi.rst b/docs/frontends/webapi.rst index 63d61d97..0c69e444 100644 --- a/docs/frontends/webapi.rst +++ b/docs/frontends/webapi.rst @@ -2045,7 +2045,7 @@ When modifying the file, be careful to update it atomically, otherwise a request may arrive while the file is only halfway written, and the partial file may be incorrectly parsed. -The blacklist is applied to all access paths (including FTP, SFTP, and CLI +The blacklist is applied to all access paths (including SFTP, FTP, and CLI operations), not just the web-API. The blacklist also applies to directories. If a directory is blacklisted, the gateway will refuse access to both that directory and any child files/directories underneath it, when accessed via