Re: sftponly

From: Tim Greer (chatmaster_at_charter.net)
Date: 06/23/03

    To: "Dan Gapinski" <DanGapinski@qsi-r2.com>, <filipi@em.pucrs.br>, "Yukinori Shishime" <yuki@mbc.ocn.ne.jp>
    Date: Mon, 23 Jun 2003 08:47:23 -0700
    
    

    Agreed. Chrooting is not the end-all solution and can be overcome, depending
    on the variables and means, and SSH or scp only is basically a matter of
    option, provided the server is secure or what other services/interfaces you
    allow *where someone can compromise an insecure server using another one of
    those methods to get shell (emulation) anyway*. scp only does indeed serve a
    purpose, I just figure (on a secure server), you can just as safely allow
    for shell (so people can take advantage of other things too; such as scp,
    sftp, rsync, port forwarding, and so on). :-)

    --
    Regards,
    Tim Greer  chatmaster@charter.net
    Server administration, security, programming, consulting.
    ----- Original Message -----
    From: "Dan Gapinski" <DanGapinski@qsi-r2.com>
    To: "Tim Greer" <chatmaster@charter.net>; <filipi@em.pucrs.br>; "Yukinori
    Shishime" <yuki@mbc.ocn.ne.jp>
    Cc: <secureshell@securityfocus.com>; <yuki@mbc.ocn.ne.jp>
    Sent: Monday, June 23, 2003 6:59 AM
    Subject: Re: sftponly
    > I agree - chrooting is a good practice, and I wouldn't set SSH up without
    > it. However, adding a specific shell like SCPonly or RSSH is what (see
    > http://www.bpfh.net/simes/computing/chroot-break.html for more info on
    > breaking out of chroot jails) really makes remote file transfer solid when
    > you pair them with a chroot jail.
    >
    > I might recommend the following sites to look at:
    > www.tjw.org/chroot login/
    > www.linux-mag.org/cgi-bin/printer.pl?issue=2002&article=chroot
    > you can also look at the chroot jail project, but I never had limited
    > success with it:
    > http://www.gsyc.inf.uc3m.es/~assman/jail/
    >
    >  My best,
    > Dan
    > ----- Original Message -----
    > From: "Tim Greer" <chatmaster@charter.net>
    > To: <filipi@em.pucrs.br>; "Yukinori Shishime" <yuki@mbc.ocn.ne.jp>
    > Cc: <secureshell@securityfocus.com>; <yuki@mbc.ocn.ne.jp>
    > Sent: Saturday, June 21, 2003 5:27 PM
    > Subject: Re: sftponly
    >
    >
    > > I would, instead, recommend a solid chroot/jail for SSH access, rather than
    > > only sftp/scp, etc. Of course they can do more with SSH access, but they
    > > could have a CGI/PHP, etc. script do the rest for them without SSH access at
    > > all anyway. Basically, a secure system being secure, you shouldn't worry
    > > about SSH access or not--being if SSH access allows someone to compromise
    > > your system/server, they could just as easily use other methods. SSH chroot
    > > can make it so the newbies can't snoop around so much, but really, I'd not
    > > worry about it as much as the security of the system itself anyway.
    > > --
    > > Regards,
    > > Tim Greer  chatmaster@charter.net
    > > Server administration, security, programming, consulting.
    > >
    > > ----- Original Message -----
    > > From: "Yukinori Shishime" <yuki@mbc.ocn.ne.jp>
    > > To: <filipi@em.pucrs.br>
    > > Cc: <secureshell@securityfocus.com>; <yuki@mbc.ocn.ne.jp>
    > > Sent: Saturday, June 21, 2003 4:08 AM
    > > Subject: Re: sftponly
    > >
    > >
    > > > Hi,
    > > >
    > > > > From: "Filipi D. Vianna" <filipi@em.pucrs.br>
    > > > > Subject: sftponly
    > > > > Date: Fri, 20 Jun 2003 12:19:01 +0300
    > > > > Message-ID: <3EF2D185.5040202@em.pucrs.br>
    > > >
    > > > > Hi,
    > > > >
    > > > > I'm using a Linux box, with OpenSSH_3.5p1 with the subsystem
    > > > > sftp for file transfers and AllowUsers to limit the users
    > > > > that can log in.
    > > > >
    > > > > All these users have /bin/bash set as their login shell.
    > > > >
    > > > > But I want some of them to have only sftp, not shell.
    > > > > How can I do that?
    > > > >
    > > > > I didn't find anything that helps.
    > > > >
    > > > > Regards,
    > > > > Filipi Vianna
    > > > >
    > > >
    > > > Recently, the same questions were posted in this ML.
    > > > See:
    > > >   Subject: allow only sftp?
    > > >   http://www.securityfocus.com/archive/121/318568/2003-04-09/2003-04-15/1
    > > >
    > > >   Subject: SFTP without SSH session access
    > > >   http://www.securityfocus.com/archive/121/324131/2003-06-02/2003-06-08/1
    > > >
    > > > Regards,
    > > > Yuki
    > > >
    > >
    > >
    >
    >
    
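The thread above weighs two ways of giving an account sftp without a shell: a restricted login shell (scponly, rssh) or a chroot jail, which in 2003 had to be hand-built around OpenSSH 3.5p1. As an added example, not taken from the thread or from the OpenSSH project, the fragment below shows the same goal expressed with the ChrootDirectory, ForceCommand and internal-sftp options that later OpenSSH releases (4.8 and later) built into sshd_config. The group name sftponly, the jail path /srv/sftp, and the /usr/lib/openssh/sftp-server path are assumptions chosen for illustration; substitute your own.

```sshd_config
# Added example (not from the thread): sftp-only accounts on a modern OpenSSH.
# Assumed placeholders: group "sftponly", jail root /srv/sftp, and the
# Debian-style external sftp-server path.

# Weak setting: the external sftp-server subsystem, as used with OpenSSH 3.5p1
# in the thread.  On its own it restricts nothing; every AllowUsers account
# keeps its /bin/bash login shell and can open a session or forward ports.
#Subsystem sftp /usr/lib/openssh/sftp-server

# Stronger setting: serve SFTP from inside the sshd process.  Nothing has to be
# copied into the jail, so the jail contains no binaries or shell a user could
# run, which takes away the usual foothold for the chroot-escape techniques
# Dan's link warns about.
Subsystem sftp internal-sftp

# Only members of the assumed group get this treatment; everyone else keeps
# whatever AllowUsers and their login shell already permit.
Match Group sftponly
    # sshd refuses the login with "bad ownership or modes for chroot directory"
    # unless every component of this path is owned by root and is not writable
    # by group or others.  %u expands to the user name; give each user a
    # writable subdirectory *below* the root-owned jail (e.g. /srv/sftp/%u/home).
    ChrootDirectory /srv/sftp/%u
    # Whatever command the client asks for, only the in-process SFTP server runs.
    ForceCommand internal-sftp
    # Close the other things Tim lists as benefits of full SSH access, since
    # this group is meant to get file transfer and nothing else.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
    PermitTunnel no
```

Check the result the way sshd does: run `sshd -t` after editing so a typo in the Match block does not lock everyone out, and verify the jail ownership with `ls -ld /srv/sftp /srv/sftp/<user>` before adding a user to the group, because a group- or world-writable jail root is the one mistake this configuration cannot tolerate. This does not replace the point made in the thread that the rest of the host must be secure; it only makes the sftp path itself contribute no shell.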
