Re: sftponly
From: Tim Greer (chatmaster_at_charter.net)
Date: 06/23/03
- Previous message: Dan Gapinski: "Re: sftponly"
- In reply to: Dan Gapinski: "Re: sftponly"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Dan Gapinski" <DanGapinski@qsi-r2.com>, <filipi@em.pucrs.br>, "Yukinori Shishime" <yuki@mbc.ocn.ne.jp>
Date: Mon, 23 Jun 2003 08:47:23 -0700
Agreed. Chrooting is not the end-all solution and can be overcome, depending
on the variables and means, and SSH or scp only is basically a matter of
option, provided the server is secure or what other services/interfaces you
allow *where someone can compromise an insecure server using another one of
those methods to get shell (emulation) anyway*. scp only does indeed serve a
purpose, I just figure (on a secure server), you can just as safely allow
for shell (so people can take advantage of other things too; such as scp,
sftp, rsync, port forwarding, and so on). :-)
-- 
Regards,
Tim Greer chatmaster@charter.net
Server administration, security, programming, consulting.

----- Original Message -----
From: "Dan Gapinski" <DanGapinski@qsi-r2.com>
To: "Tim Greer" <chatmaster@charter.net>; <filipi@em.pucrs.br>; "Yukinori Shishime" <yuki@mbc.ocn.ne.jp>
Cc: <secureshell@securityfocus.com>; <yuki@mbc.ocn.ne.jp>
Sent: Monday, June 23, 2003 6:59 AM
Subject: Re: sftponly

> I agree - chrooting is a good practice, and I wouldn't set SSH up without
> it. However, adding a specific shell like SCPonly or RSSH is what (see
> http://www.bpfh.net/simes/computing/chroot-break.html for more info on
> breaking out of chroot jails) really makes remote file transfer solid when
> you pair them with a chroot jail.
>
> I might recommend the following sites to look at:
> www.tjw.org/chroot login/
> www.linux-mag.org/cgi-bin/printer.pl?issue=2002&article=chroot
> you can also look at the chroot jail project, but I never had limited
> success with it:
> http://www.gsyc.inf.uc3m.es/~assman/jail/
>
> My best,
> Dan
>
> ----- Original Message -----
> From: "Tim Greer" <chatmaster@charter.net>
> To: <filipi@em.pucrs.br>; "Yukinori Shishime" <yuki@mbc.ocn.ne.jp>
> Cc: <secureshell@securityfocus.com>; <yuki@mbc.ocn.ne.jp>
> Sent: Saturday, June 21, 2003 5:27 PM
> Subject: Re: sftponly
>
>
> > I would, instead, recommend a solid chroot/jail for SSH access, rather
> > than only sftp/scp, etc. Of course they can do more with SSH access, but they
> > could have a CGI/PHP, etc. script do the rest for them without SSH access
> > at all anyway. Basically, a secure system being secure, you shouldn't worry
> > about SSH access or not--being if SSH access allows someone to compromise
> > your system/server, they could just as easily use other methods. SSH chroot
> > can make it so the newbies can't snoop around so much, but really, I'd not
> > worry about it as much as the security of the system itself anyway.
> > --
> > Regards,
> > Tim Greer chatmaster@charter.net
> > Server administration, security, programming, consulting.
> >
> > ----- Original Message -----
> > From: "Yukinori Shishime" <yuki@mbc.ocn.ne.jp>
> > To: <filipi@em.pucrs.br>
> > Cc: <secureshell@securityfocus.com>; <yuki@mbc.ocn.ne.jp>
> > Sent: Saturday, June 21, 2003 4:08 AM
> > Subject: Re: sftponly
> >
> >
> > > Hi,
> > >
> > > > From: "Filipi D. Vianna" <filipi@em.pucrs.br>
> > > > Subject: sftponly
> > > > Date: Fri, 20 Jun 2003 12:19:01 +0300
> > > > Message-ID: <3EF2D185.5040202@em.pucrs.br>
> > > >
> > > > Hi,
> > > >
> > > > I'm using a Linux box, with OpenSSH_3.5p1 with the subsystem
> > > > sftp for file transfers and AllowUsers to limit the users
> > > > that can log in.
> > > >
> > > > All these users have /bin/bash set as their login shell.
> > > >
> > > > But I want some of them to have only sftp, not shell.
> > > > How can I do that?
> > > >
> > > > I didn't find anything that helps.
> > > >
> > > > Regards,
> > > > Filipi Vianna
> > >
> > > Recently, the same questions were posted in this ML.
> > > See:
> > > Subject: allow only sftp?
> > > http://www.securityfocus.com/archive/121/318568/2003-04-09/2003-04-15/1
> > >
> > > Subject: SFTP without SSH session access
> > > http://www.securityfocus.com/archive/121/324131/2003-06-02/2003-06-08/1
> > >
> > > Regards,
> > > Yuki