I’d appreciate any thoughts anyone has on MySecureShell.
I used it about eight years ago, and it was exactly what I wanted. I know I can create a sftp chroot jail using OpenSSH, but MySecureShell has additional features I really like.
I like that the config is all in one place. I like that the user can only use sftp and only sees a specified directory and it’s contents. I like that I can limit simultaneous connections and rate limit the bandwidth over all and per user. It’s compatible with fail2ban and ssh keys (instead of username-password login).
Unfortunately, it looks like the last update was five years ago. I guess this could mean it’s mature and secure, but I’m not sure.
The last reply in mysecureshell/Issues was this year, but it was not by the maintainer. The maintainer, deimosfr, is still active on github, having contributed last in December, 2024. User Teka101 has contributed to the project at least once and last replied to an issue a year ago.
The documentation says it’s for 1.33, but the version in the Ubuntu repo is 2.0
I’m on a much faster connection now, so I guess I could live without the limiting functionality.
I guess I’m looking for any reasons I should or should not consider using MySecureShell again. It’ll just be for half a dozen friends for when I want to give them larger files, or if I want them to send me full-resolution photos.
I’m on Xubuntu 24.04 and would open a port on my router to allow connections (some high number mapped to 22 on this machine), or possibly give my friends access to my LAN via WireGuard but limit it to this machine.
I would look into containers and sandboxing. You can use tools like podman, bubblewrap and systemd to isolate software. I’m not sure what you are looking for exactly.
Firstly, you may also be interested in: https://containerssh.io/v0.5/
This is a similar software, but maintained. However, it doesn’t look like you limit networking with the Docker backend, beyond a simple on/off.
An even simpler solution, is to have the the ssh entry command not be the usual shell command (
/bin/bash), but rather a command that starts a shell within a container. So something like:podman run -it --rm -v "-v /HOST-DIR:/CONTAINER-DIR" docker.io/library/debian:bookworm bashwould create a shell inside a short lived debian container (that is deleted upon disconnect) where a host directory is mounted inside the container.As for mysecureshell, I would assume that since it is in the Ubuntu repos, it is still being maintained. But it’s possible, since it is unmaintained that there are unknown security vulnerabilities or other issues, but:
It’ll just be for half a dozen friends for when I want to give them larger files, or if I want them to send me full-resolution photos.
If it’s just for your friends, it may be okay to use a less secure solution if you trust them.
As an alternate solution: since you are looking for some sort of file searching, perhaps you could host an app explicitly designed for that, like Seafile or Nextcloud.
Thank you. These are all great ideas. Looks like I’ve got more reading to do :)
Have you looked at the mod_sftp for ProFTPd? It seems like ProFTPd is alive and well, despite its official site not supporting HTTPS! It seems like mod_sftp supports most of the SSH/SFTP-specific features, whereas ProFTPd may also offer additional features that complement the mod_sftp module. All in all, probably not a 100% match, and definitely not a drop-in replacement, but at least a seemingly viable/supported alternative?
Thank you. I’ll take a look.
Solution for what? What’s your use case?
Solution for the problems it was created to solve. Or does it just introduce more problems, and OpenSSH (or something else) is better.
My use case was a bit spread out:
… sftp chroot jail
… config is all in one place.
… limit simultaneous connections and rate limit the bandwidth over all and per user.
… I guess I could live without the limiting functionality.
…It’ll just be for half a dozen friends for when I want to give them larger files, or if I want them to send me full-resolution photos.
Doesn’t openssh support all of those?
Clarification: I think it should. I personally used bubblewrap when I was doing something similar.
I don’t know if it supports per-user limits on connections and upload/download bandwidth.
