Re: sftponly
From: Dan Gapinski (DanGapinski_at_qsi-r2.com)
Date: 06/23/03
- Previous message: Miguel Camargo: "How can i Use DSA instead of RSA?"
- In reply to: Tim Greer: "Re: sftponly"
- Next in thread: Tim Greer: "Re: sftponly"
- Reply: Tim Greer: "Re: sftponly"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Tim Greer" <chatmaster@charter.net>, <filipi@em.pucrs.br>, "Yukinori Shishime" <yuki@mbc.ocn.ne.jp>
Date: Mon, 23 Jun 2003 08:59:03 -0500
I agree - chrooting is a good practice, and I wouldn't set SSH up without
it. However, adding a specific shell like SCPonly or RSSH is what (see
http://www.bpfh.net/simes/computing/chroot-break.html for more info on
breaking out of chroot jails) really makes remote file transfer solid when
you pair them with a chroot jail.
I might recommend the following sites to look at:
www.tjw.org/chroot login/
www.linux-mag.org/cgi-bin/printer.pl?issue=2002&article=chroot
You can also look at the chroot jail project, but I never had limited
success with it:
http://www.gsyc.inf.uc3m.es/~assman/jail/
My best,
Dan
----- Original Message -----
From: "Tim Greer" <chatmaster@charter.net>
To: <filipi@em.pucrs.br>; "Yukinori Shishime" <yuki@mbc.ocn.ne.jp>
Cc: <secureshell@securityfocus.com>; <yuki@mbc.ocn.ne.jp>
Sent: Saturday, June 21, 2003 5:27 PM
Subject: Re: sftponly
> I would, instead, recommend a solid chroot/jail for SSH access, rather than
> only sftp/scp, etc. Of course they can do more with SSH access, but they
> could have a CGI/PHP, etc. script do the rest for them without SSH access at
> all anyway. Basically, a secure system being secure, you shouldn't worry
> about SSH access or not--being if SSH access allows someone to compromise
> your system/server, they could just as easily use other methods. SSH chroot
> can make it so the newbies can't snoop around so much, but really, I'd not
> worry about it as much as the security of the system itself anyway.
> --
> Regards,
> Tim Greer chatmaster@charter.net
> Server administration, security, programming, consulting.
>
> ----- Original Message -----
> From: "Yukinori Shishime" <yuki@mbc.ocn.ne.jp>
> To: <filipi@em.pucrs.br>
> Cc: <secureshell@securityfocus.com>; <yuki@mbc.ocn.ne.jp>
> Sent: Saturday, June 21, 2003 4:08 AM
> Subject: Re: sftponly
>
>
> > Hi,
> >
> > > From: "Filipi D. Vianna" <filipi@em.pucrs.br>
> > > Subject: sftponly
> > > Date: Fri, 20 Jun 2003 12:19:01 +0300
> > > Message-ID: <3EF2D185.5040202@em.pucrs.br>
> >
> > > Hi,
> > >
> > > I'm using a Linux Box, with OpenSSH_3.5p1 with the subsystem
> > > sftp for file transfers and AllowUsers to limit the users
> > > that can log in.
> > >
> > > All these users have /bin/bash set as their login shell.
> > >
> > > But I want that some of them have only sftp, not shell.
> > > How can I do that?
> > >
> > > I didn't find anything that helps.
> > >
> > > Regards,
> > > Filipi Vianna
> > >
> >
> > Recently, same questions were posted in this ML.
> > See:
> > Subject: allow only sftp?
> > http://www.securityfocus.com/archive/121/318568/2003-04-09/2003-04-15/1
> >
> > Subject: SFTP without SSH session access
> > http://www.securityfocus.com/archive/121/324131/2003-06-02/2003-06-08/1
> >
> > Regards,
> > Yuki
> >
>
>