sftp Newbie Questions!
From: Andrew McCall (it.andrew.mccall_at_oldham.gov.uk)
Date: 06/25/03
- Previous message: Markus Friedl: "Re: Securing ssh tunnels."
- Next in thread: Ben Lindstrom: "Re: sftp Newbie Questions!"
- Reply: Ben Lindstrom: "Re: sftp Newbie Questions!"
- Maybe reply: maf_at_appgate.com: "Re: sftp Newbie Questions!"
To: secureshell@securityfocus.com
Date: 25 Jun 2003 11:22:01 +0100
Hi,
(This email *does* have SSH questions - I promise you! :) ) I have just
posted my scenario as it helps to understand the questions I am asking
at the bottom.
I am implementing a project to offer a free "drop-box" service for all
the schools in our area, and these are the basic requirements.
Server Requirements
===================
o The sftp should only be accessed by a single IP address (the server
has multiple IP's, and SSH is already used for other things on other
IP's)
o Upon login a message must be displayed giving a warning and some
instructions on who to contact should they run into problems
User Requirements
=================
o Each school can read and write files in their own directory
o Each school can write files into others' home directories, but they
can't view or overwrite other schools' files
o A single administrator can read and write into all schools directories
o The users should only be able to navigate /exports/sftp/ and should be
"jailed" to that directory.
o Schools only have sftp access, and no real shell.
I can do all this really easy with a normal ftp daemon such as ProFTPd
or vsFTPd, however due to the nature of the files, they have to be
transferred in an encrypted manner. I presumed (first mistake!) that
sftp was just a normal ftpd tunneled through SSL and that it would be
easy to set up.
Now after a few days of searching the net, and a few hours of reading
O'REILLY's SSH : The Secure Shell, I realise that I am wrong :)
So here are my questions:
1) How can I display a login message?
I was thinking about wrapping sftp-server into a script that echoes my
message, then run sftp-server, but I don't know if this is possible or
how secure this is.
2) How can I "jail" users to /exports/sftp?
I am not too sure if this is possible....
3) Am I correct in thinking that all my user-level security is done via
normal file permissions?
4) Can I bind sftp-server to a single IP address, but still leave
"normal" SSH running on all other IP addresses? If it's not, is there
any way of installing and running a second instance of OpenSSH that only
allows sftp connections (I don't think there is due to the way that sftp
works.)
I could either use the firewall to block ports/IP's (as I will be doing
anyway) so this isn't that important....
Thanks in advance for any help offered.
--
Andrew McCall <it.andrew.mccall@oldham.gov.uk>
Oldham Metropolitan Borough Council
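
The drop-box rules in "User Requirements" and question 3 can be checked against plain Unix mode bits; the audit below is an added example, not part of the original post. It assumes each school is a separate Unix user and the administrator belongs to the group owning each directory; `audit_dropbox` and `build_sample_tree` are hypothetical names.

```python
import os
import stat
import tempfile

# Assumed model (not from the original post): every school is its own Unix user,
# so other schools fall in the "other" permission class; the administrator is a
# member of the group that owns each school directory.
DIR_CHECKS = [
    (0o700, 0o700, "owner school lacks full access to its own directory"),
    (0o070, 0o070, "administrator group cannot read and write here"),
    (0o003, 0o003, "other schools cannot drop files here"),
    (0o004, 0o000, "other schools can list this directory"),
    (stat.S_ISVTX, stat.S_ISVTX, "no sticky bit: others can delete or rename dropped files"),
]

def audit_dropbox(root):
    """Return (relative path, problem) findings for the tree under root."""
    findings = []
    for school in sorted(os.listdir(root)):
        path = os.path.join(root, school)
        st = os.lstat(path)
        if not stat.S_ISDIR(st.st_mode):
            continue
        for mask, want, problem in DIR_CHECKS:
            if st.st_mode & mask != want:
                findings.append((school, problem))
        for name in sorted(os.listdir(path)):
            fmode = os.lstat(os.path.join(path, name)).st_mode
            # Hiding names is not enough: a guessed name is still openable
            # if the file itself grants access to "other".
            if stat.S_ISREG(fmode) and fmode & 0o006:
                findings.append((f"{school}/{name}", "file readable or writable by other schools"))
    return findings

def build_sample_tree(root):
    """Constructed sample: one correctly set directory and one left at 0755."""
    for school, mode in (("school_a", 0o1773), ("school_b", 0o755)):
        os.mkdir(os.path.join(root, school))
        os.chmod(os.path.join(root, school), mode)
    report = os.path.join(root, "school_a", "report.txt")
    with open(report, "w") as fh:
        fh.write("constructed sample\n")
    os.chmod(report, 0o644)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, problem in audit_dropbox(tmp):
            print(f"{path}: {problem}")
```

Whether the receiving school can read a file that another school dropped depends on that file's owner and group, which this check does not cover.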