From: david-sarah Date: Thu, 22 Mar 2012 22:04:53 +0000 (+0000) Subject: Put SFTP before FTP in various docs. fixes #1692 X-Git-Url: https://git.rkrishnan.org/pf/content/en/seg/-?a=commitdiff_plain;h=5495b2aead939887762ba6f5e1335cbf8a4313ac;p=tahoe-lafs%2Ftahoe-lafs.git Put SFTP before FTP in various docs. fixes #1692 --- diff --git a/docs/configuration.rst b/docs/configuration.rst index 8999150f..2425500b 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst @@ -396,12 +396,12 @@ CLI filesystem, uploading/downloading files, and creating/running Tahoe nodes. See ``_ for details. -FTP, SFTP +SFTP, FTP - Tahoe can also run both FTP and SFTP servers, and map a username/password + Tahoe can also run both SFTP and FTP servers, and map a username/password pair to a top-level Tahoe directory. See ``_ - for instructions on configuring these services, and the ``[ftpd]`` and - ``[sftpd]`` sections of ``tahoe.cfg``. + for instructions on configuring these services, and the ``[sftpd]`` and + ``[ftpd]`` sections of ``tahoe.cfg``. Drop-Upload diff --git a/docs/frontends/FTP-and-SFTP.rst b/docs/frontends/FTP-and-SFTP.rst index deb95a7b..ed881be6 100644 --- a/docs/frontends/FTP-and-SFTP.rst +++ b/docs/frontends/FTP-and-SFTP.rst @@ -6,8 +6,8 @@ Tahoe-LAFS FTP and SFTP Frontends 2. `Tahoe-LAFS Support`_ 3. `Creating an Account File`_ 4. `Running An Account Server (accounts.url)`_ -5. `Configuring FTP Access`_ -6. `Configuring SFTP Access`_ +5. `Configuring SFTP Access`_ +6. `Configuring FTP Access`_ 7. `Dependencies`_ 8. `Immutable and Mutable Files`_ 9. `Known Issues`_ @@ -34,11 +34,11 @@ ctime/mtime timestamps. Tahoe-LAFS Support ================== -All Tahoe-LAFS client nodes can run a frontend FTP server, allowing regular -FTP clients (like /usr/bin/ftp, ncftp, and countless others) to access the -virtual filesystem. They can also run an SFTP server, so SFTP clients (like -/usr/bin/sftp, the sshfs FUSE plugin, and others) can too. These frontends -sit at the same level as the web-API interface. +All Tahoe-LAFS client nodes can run a frontend SFTP server, allowing regular +SFTP clients (like ``/usr/bin/sftp``, the ``sshfs`` FUSE plugin, and many +others) to access the virtual filesystem. They can also run an FTP server, +so FTP clients (like ``/usr/bin/ftp``, ``ncftp``, and others) can too. These +frontends sit at the same level as the web-API interface. Since Tahoe-LAFS does not use user accounts or passwords, the FTP/SFTP servers must be configured with a way to first authenticate a user (confirm @@ -57,11 +57,11 @@ caps. Creating an Account File ======================== -To use the first form, create a file (probably in -BASEDIR/private/ftp.accounts) in which each non-comment/non-blank line is a -space-separated line of (USERNAME, PASSWORD, ROOTCAP), like so:: +To use the first form, create a file (for example ``BASEDIR/private/accounts``) +in which each non-comment/non-blank line is a space-separated line of +(USERNAME, PASSWORD, ROOTCAP), like so:: - % cat BASEDIR/private/ftp.accounts + % cat BASEDIR/private/accounts # This is a password line, (username, password, cap) alice password URI:DIR2:ioej8xmzrwilg772gzj4fhdg7a:wtiizszzz2rgmczv4wl6bqvbv33ag4kvbr6prz3u6w3geixa6m6a bob sekrit URI:DIR2:6bdmeitystckbl9yqlw7g56f4e:serp5ioqxnh34mlbmzwvkp3odehsyrr7eytt5f64we3k9hhcrcja @@ -100,37 +100,6 @@ makes it harder for attackers to brute force the password or use DNS poisoning to cause the Tahoe-LAFS gateway to talk with the wrong server, thereby revealing the usernames and passwords. -Configuring FTP Access -====================== - -To enable the FTP server with an accounts file, add the following lines to -the BASEDIR/tahoe.cfg file:: - - [ftpd] - enabled = true - port = tcp:8021:interface=127.0.0.1 - accounts.file = private/ftp.accounts - -The FTP server will listen on the given port number and on the loopback -interface only. The "accounts.file" pathname will be interpreted relative to -the node's BASEDIR. - -To enable the FTP server with an account server instead, provide the URL of -that server in an "accounts.url" directive:: - - [ftpd] - enabled = true - port = tcp:8021:interface=127.0.0.1 - accounts.url = https://example.com/login - -You can provide both accounts.file and accounts.url, although it probably -isn't very useful except for testing. - -FTP provides no security, and so your password or caps could be eavesdropped -if you connect to the FTP server remotely. The examples above include -":interface=127.0.0.1" in the "port" option, which causes the server to only -accept connections from localhost. - Configuring SFTP Access ======================= @@ -169,7 +138,7 @@ lines to the BASEDIR/tahoe.cfg file:: port = tcp:8022:interface=127.0.0.1 host_pubkey_file = private/ssh_host_rsa_key.pub host_privkey_file = private/ssh_host_rsa_key - accounts.file = private/ftp.accounts + accounts.file = private/accounts The SFTP server will listen on the given port number and on the loopback interface only. The "accounts.file" pathname will be interpreted relative to @@ -191,6 +160,37 @@ For further information on SFTP compatibility and known issues with various clients and with the sshfs filesystem, see ``_. +Configuring FTP Access +====================== + +To enable the FTP server with an accounts file, add the following lines to +the BASEDIR/tahoe.cfg file:: + + [ftpd] + enabled = true + port = tcp:8021:interface=127.0.0.1 + accounts.file = private/accounts + +The FTP server will listen on the given port number and on the loopback +interface only. The "accounts.file" pathname will be interpreted relative to +the node's BASEDIR. + +To enable the FTP server with an account server instead, provide the URL of +that server in an "accounts.url" directive:: + + [ftpd] + enabled = true + port = tcp:8021:interface=127.0.0.1 + accounts.url = https://example.com/login + +You can provide both accounts.file and accounts.url, although it probably +isn't very useful except for testing. + +FTP provides no security, and so your password or caps could be eavesdropped +if you connect to the FTP server remotely. The examples above include +":interface=127.0.0.1" in the "port" option, which causes the server to only +accept connections from localhost. + Dependencies ============ diff --git a/docs/frontends/drop-upload.rst b/docs/frontends/drop-upload.rst index d5af0750..2863b443 100644 --- a/docs/frontends/drop-upload.rst +++ b/docs/frontends/drop-upload.rst @@ -17,7 +17,7 @@ several platforms, but it currently works only on Linux. The implementation was written as a prototype at the First International Tahoe-LAFS Summit in June 2011, and is not currently in as mature a state as -the other frontends (web, CLI, FTP and SFTP). This means that you probably +the other frontends (web, CLI, SFTP and FTP). This means that you probably should not keep important data in the upload directory, and should not rely on all changes to files in the local directory to result in successful uploads. There might be (and have been) incompatible changes to how the feature is diff --git a/docs/frontends/webapi.rst b/docs/frontends/webapi.rst index 362560d2..75d98a26 100644 --- a/docs/frontends/webapi.rst +++ b/docs/frontends/webapi.rst @@ -2032,7 +2032,7 @@ When modifying the file, be careful to update it atomically, otherwise a request may arrive while the file is only halfway written, and the partial file may be incorrectly parsed. -The blacklist is applied to all access paths (including FTP, SFTP, and CLI +The blacklist is applied to all access paths (including SFTP, FTP, and CLI operations), not just the web-API. The blacklist also applies to directories. If a directory is blacklisted, the gateway will refuse access to both that directory and any child files/directories underneath it, when accessed via