AW: sftponly
Michael.Eisele_at_t-systems.com
Date: 06/24/03
- Previous message: Jerry: "Re: How can i Use DSA instead of RSA?"
- Next in thread: Ben Lindstrom: "Re: AW: sftponly"
- Reply: Ben Lindstrom: "Re: AW: sftponly"
- Reply: Atro Tossavainen: "Re: sftponly"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: chatmaster@charter.net, DanGapinski@qsi-r2.com, filipi@em.pucrs.br, yuki@mbc.ocn.ne.jp
Date: Tue, 24 Jun 2003 08:17:55 +0200
Why isn't it possible to use a mechanism like the one provided by the open source software proftpd for ftp?
This server sets up virtual ftp servers and accounts, doesn't use /etc/passwd for user administration and can
simulate each user's home directory as the root directory. There is no possibility for the user to break out.
I know that SFTP and SCP are just subprocesses of ssh, but perhaps there is a possibility in the future to change the working mechanism of the sftp/scp servers in order to support such features. In my opinion, what we have at this time with the sftp server is very basic.
Regards
Michael Eisele
T-Systems International GmbH
Computing & Desktop Services
BusinessConnect Services BCS/C
Postal address: Postfach 100258, D-70746 Leinfelden-Echterdingen
Street address: Fasanenweg 11, D-70771 Leinfelden-Echterdingen
Phone: +49 (711) 972 - 49490
Fax: +49 (711) 972 - 95949
E-Mail: michael.eisele@t-systems.com
Internet: http://www.t-systems.com
> -----Original Message-----
> From: Tim Greer [mailto:chatmaster@charter.net]
> Sent: Monday, 23 June 2003 17:47
> To: Dan Gapinski; filipi@em.pucrs.br; Yukinori Shishime
> Cc: secureshell@securityfocus.com; yuki@mbc.ocn.ne.jp
> Subject: Re: sftponly
>
>
> Agreed. Chrooting is not the end-all solution and can be overcome, depending
> on the variables and means, and SSH or scp only is basically a matter of
> option, provided the server is secure or what other services/interfaces you
> allow *where someone can compromise an insecure server using another one of
> those methods to get shell (emulation) anyway*. scp only does indeed serve a
> purpose, I just figure (on a secure server), you can just as safely allow
> for shell (so people can take advantage of other things too; such as scp,
> sftp, rsync, port forwarding, and so on). :-)
> --
> Regards,
> Tim Greer chatmaster@charter.net
> Server administration, security, programming, consulting.
>
>
> ----- Original Message -----
> From: "Dan Gapinski" <DanGapinski@qsi-r2.com>
> To: "Tim Greer" <chatmaster@charter.net>;
> <filipi@em.pucrs.br>; "Yukinori
> Shishime" <yuki@mbc.ocn.ne.jp>
> Cc: <secureshell@securityfocus.com>; <yuki@mbc.ocn.ne.jp>
> Sent: Monday, June 23, 2003 6:59 AM
> Subject: Re: sftponly
>
>
> > I agree - chrooting is a good practice, and I wouldn't set SSH up without
> > it. However, adding a specific shell like SCPonly or RSSH is what (see
> > http://www.bpfh.net/simes/computing/chroot-break.html for more info on
> > breaking out of chroot jails) really makes remote file transfer solid when
> > you pair them with a chroot jail.
> >
> > I might recommend the following sites to look at:
> > www.tjw.org/chroot login/
> > www.linux-mag.org/cgi-bin/printer.pl?issue=2002&article=chroot
> > you can also look at the chroot jail project, but I never had limited
> > success with it:
> > http://www.gsyc.inf.uc3m.es/~assman/jail/
> >
> > My best,
> > Dan
> > ----- Original Message -----
> > From: "Tim Greer" <chatmaster@charter.net>
> > To: <filipi@em.pucrs.br>; "Yukinori Shishime" <yuki@mbc.ocn.ne.jp>
> > Cc: <secureshell@securityfocus.com>; <yuki@mbc.ocn.ne.jp>
> > Sent: Saturday, June 21, 2003 5:27 PM
> > Subject: Re: sftponly
> >
> >
> > > I would, instead, recommend a solid chroot/jail for SSH access, rather
> > > than only sftp/scp, etc. Of course they can do more with SSH access, but
> > > they could have a CGI/PHP, etc. script do the rest for them without SSH
> > > access at all anyway. Basically, a secure system being secure, you
> > > shouldn't worry about SSH access or not--being if SSH access allows
> > > someone to compromise your system/server, they could just as easily use
> > > other methods. SSH chroot can make it so the newbies can't snoop around
> > > so much, but really, I'd not worry about it as much as the security of
> > > the system itself anyway.
> > > --
> > > Regards,
> > > Tim Greer chatmaster@charter.net
> > > Server administration, security, programming, consulting.
> > >
> > > ----- Original Message -----
> > > From: "Yukinori Shishime" <yuki@mbc.ocn.ne.jp>
> > > To: <filipi@em.pucrs.br>
> > > Cc: <secureshell@securityfocus.com>; <yuki@mbc.ocn.ne.jp>
> > > Sent: Saturday, June 21, 2003 4:08 AM
> > > Subject: Re: sftponly
> > >
> > >
> > > > Hi,
> > > >
> > > > > From: "Filipi D. Vianna" <filipi@em.pucrs.br>
> > > > > Subject: sftponly
> > > > > Date: Fri, 20 Jun 2003 12:19:01 +0300
> > > > > Message-ID: <3EF2D185.5040202@em.pucrs.br>
> > > >
> > > > > Hi,
> > > > >
> > > > > I'm using a Linux box, with OpenSSH_3.5p1 with the subsystem
> > > > > sftp for file transfers and AllowUsers to limit the users
> > > > > that can log in.
> > > > >
> > > > > All these users have /bin/bash set as their login shell.
> > > > >
> > > > > But I want some of them to have only sftp, not shell.
> > > > > How can I do that?
> > > > >
> > > > > I didn't find anything that helps.
> > > > >
> > > > > Regards,
> > > > > Filipi Vianna
> > > > >
> > > >
> > > > Recently, the same questions were posted in this ML.
> > > > See:
> > > > Subject: allow only sftp?
> > > > http://www.securityfocus.com/archive/121/318568/2003-04-09/2003-04-15/1
> > > >
> > > > Subject: SFTP without SSH session access
> > > > http://www.securityfocus.com/archive/121/324131/2003-06-02/2003-06-08/1
> > > >
> > > > Regards,
> > > > Yuki
> > >
> >
> >
>
>
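The sftp-only confinement the thread is asking for, as an added example that is not from any of the posters: a POSIX sh helper that emits the Match block modern OpenSSH uses for this (ChrootDirectory and ForceCommand internal-sftp are assumed available, i.e. OpenSSH 4.9 or later; the OpenSSH_3.5p1 in the original question has neither directive) and vets a chroot path against the root-owned, non-writable rule sshd enforces on every path component. GNU stat is assumed for the path walker; the group name sftponly and the path /srv/sftp are constructed.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumes OpenSSH >= 4.9
# (ChrootDirectory / internal-sftp) and GNU stat.

# Emit an sshd_config fragment confining members of group $1 to sftp
# inside the chroot template $2 (e.g. /srv/sftp/%u, a constructed path).
sftponly_config() {
    printf 'Subsystem sftp internal-sftp\n'
    printf 'Match Group %s\n' "$1"
    printf '    ChrootDirectory %s\n' "$2"
    printf '    ForceCommand internal-sftp\n'
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
}

# sshd refuses a ChrootDirectory unless every component is owned by
# root and writable by nobody else. $1 = owner uid, $2 = octal mode
# as printed by stat (e.g. 755 or 1755). Returns 0 when acceptable.
chroot_mode_ok() {
    [ "$1" -eq 0 ] || return 1
    # 022 masks the group- and other-write bits; the 0 prefix makes
    # the shell read $2 as octal
    [ $((0$2 & 022)) -eq 0 ]
}

# Walk from $1 up to / and apply chroot_mode_ok to each component.
# Prints the first offending path and returns 1 on failure.
check_chroot_path() {
    p=$1
    while :; do
        out=$(stat -c '%u %a' "$p" 2>/dev/null) || return 1
        set -- $out
        chroot_mode_ok "$1" "$2" || { echo "rejected: $p" >&2; return 1; }
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Stand-alone usage: print the fragment and vet a candidate path.
sftponly_config sftponly /srv/sftp/%u
check_chroot_path /srv/sftp 2>/dev/null ||
    echo "/srv/sftp (or a parent) would be rejected by sshd" >&2
```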