I am serving a private Debian package repository via SFTP to handle access for users.

Now on the client side I would like to do:

deb sftp://user@host: ...

But there is no SFTP method available, only ssh (and http etc.). But this would mean I have to allow shell login, which is a thing I would like to avoid.

I found this bug (8 years old) which describes exactly what I am trying to achieve, but it seems abandoned. Is there a solution/workaround?

HBruijn
Finn
  • Put up a web server? This ssh method looks ridiculous. It probably predates sftp and most people probably have no idea it even exists. Or, you could reimplement the functionality correctly. – Michael Hampton Aug 21 '18 at 13:02
  • The problem with using authentication via https is that you have to put the password into sources.list. Or do you know a solution which avoids this? Also, ssh has the advantage that you can easily send around the pubkeys without breaking any security rules. But with username:htaccesspw this is not the case :( – Finn Aug 21 '18 at 13:07
  • Do you really need user/pass authentication? Is it not sufficient to restrict to IP addresses inside your network? – Michael Hampton Aug 21 '18 at 13:09
  • Authentication is crucial, since this should be the repo our customers should use to get our software+updates. And if they drop out from subscription the access should vanish. I am now using ssh and a chroot jail with only the commands used by methods/rsh and then mount in the repo. This is a bit hacky for the moment but at least a working solution. – Finn Aug 21 '18 at 13:22
  • As far as I can tell the SSH method "only" uses two commands on the remote server, `find` and `dd`. If you use key-based authentication you can *maybe* use the `command=` option in the authorized_keys file to restrict the level of access that is granted with a specific public_key to those commands, but that's the best you're going to get. That doesn't appear very robust. https://serverfault.com/q/749474/37681 – HBruijn Aug 21 '18 at 13:23
  • You're aware that the https password can be stored in [`/etc/apt/auth.conf`](https://manpages.debian.org/testing/apt/apt_auth.conf.5.en.html) instead? This was designed to solve that problem. – Michael Hampton Aug 21 '18 at 13:24

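The comment thread above raises the problem of HTTPS credentials sitting in sources.list and points to `/etc/apt/auth.conf` as the place for them. As an added example (not code from the thread or from apt), this sketch finds credentials embedded in one-line-style `deb` entries and produces the cleaned entry plus the matching auth.conf stanza; the host, user and password in the sample are constructed, and the function name `migrate` is hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit, unquote

# Constructed sample input, not taken from any real system.
SAMPLE = """\
# constructed sample
deb [arch=amd64] https://customer1:s3cr%40t@repo.example.com/debian stable main
deb ssh://user@host.example.com/srv/repo stable main
"""

def migrate(sources_text):
    """Return (clean_sources, auth_conf): http(s) credentials are removed
    from the URI and re-expressed as auth.conf 'machine' entries."""
    clean, auth = [], []
    for line in sources_text.splitlines():
        fields = line.split()
        is_entry = bool(fields) and fields[0] in ("deb", "deb-src")
        # The URI is the first field containing a scheme separator.
        idx = next((i for i, f in enumerate(fields) if "://" in f), None)
        if not is_entry or idx is None:
            clean.append(line)
            continue
        u = urlsplit(fields[idx])
        # Only http(s) URIs with userinfo are rewritten; ssh:// user names
        # are not passwords and stay where they are.
        if u.scheme not in ("http", "https") or u.username is None:
            clean.append(line)
            continue
        host = u.hostname + (f":{u.port}" if u.port else "")
        fields[idx] = urlunsplit((u.scheme, host, u.path, u.query, u.fragment))
        clean.append(" ".join(fields))
        # auth.conf holds literal values, so percent-encoding is undone.
        auth.append(
            f"machine {host} login {unquote(u.username)} "
            f"password {unquote(u.password or '')}"
        )
    return "\n".join(clean), "\n".join(auth)

if __name__ == "__main__":
    sources, auth_conf = migrate(SAMPLE)
    print(sources)
    print("--- auth.conf ---")
    print(auth_conf)
```

The generated auth.conf content should be written to a file that unprivileged users cannot read, since it now carries the password in clear text.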