Re: sftp Newbie Questions!

From: Ben Lindstrom (mouring_at_etoh.eviladmin.org)
Date: 06/25/03

  • Next message: Greg Wooledge: "Re: Passwordless SSH Logins"
    Date: Wed, 25 Jun 2003 11:58:41 -0500 (CDT)
    To: Andrew McCall <it.andrew.mccall@oldham.gov.uk>

    On 25 Jun 2003, Andrew McCall wrote:

    [..]
    > So here are my questions:
    >
    > 1) How can I display a login message?
    >
    > I was thinking about wrapping sftp-server into a script that echoes my
    > message, then runs sftp-server, but I don't know if this is possible or
    > how secure this is.
    >

    The SSH v2 protocol supports banners. See man sshd_config and look for 'Banner'.

    This will, however, display to everyone, standard ssh shell logins and sftp
    alike. There is no sftp-only banner feature. And doing what you suggest
    will cause sftp not to work at all.

    > 2) How can I "jail" users to /exports/sftp?
    >
    There are a few chroot projects for OpenSSH. You may want to consider the
    chroot sftp-server patch (it is out on sourceforge) since it would be less
    work to set up/maintain.

    I'm sure SSH Corp has something like it, but I have not looked at their
    product in years.

    > I am not too sure if this is possible....
    >
    > 3) Am I correct in thinking that all my user-level security is done via
    > normal file permissions?
    >

    Yes.

    > 4) Can I bind sftp-server to a single IP address, but still leave
    > "normal" SSH running on all other IP addresses? If it's not, is there
    > any way of installing and running a second instance of OpenSSH that only
    > allows sftp connections? (I don't think there is, due to the way that sftp
    > works.)
    >

    No. sftp is a 'subsystem'. So restricting it that way is not possible,
    since sshd has no clue whether it is a subsystem, shell, X11 forward, etc. until
    after the user has passed authentication.

    - Ben
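    As an added illustration of the points in the reply above (not part of the
    original thread, and not Ben's or OpenSSH's text), the sshd_config fragment
    below shows how the banner, the sftp jail, and the sftp-only restriction are
    expressed in OpenSSH releases later than this 2003 exchange: the
    ChrootDirectory option and the internal-sftp subsystem arrived in OpenSSH 4.8,
    so the out-of-tree chroot patch mentioned above is no longer needed. The
    group name "sftponly" and the banner path are assumptions.

```conf
# Added example, not from the thread: minimal sshd_config fragment for an
# OpenSSH with ChrootDirectory support (4.8 or later). The group name
# "sftponly" and the banner file path are assumptions.

# Sent to every client after the key exchange and before authentication.
# It cannot be limited to sftp users; shell logins see it too.
Banner /etc/issue.net

# Use the in-process sftp server, so no shell, libraries or sftp-server
# binary have to be copied into the jail.
Subsystem sftp internal-sftp

# Everything below applies only to members of the "sftponly" group, and
# only after the user has authenticated (see the answer to question 4).
Match Group sftponly
    # Jail these users below /exports/sftp. The directory and every
    # parent must be owned by root and not writable by group or others,
    # otherwise sshd refuses the login rather than start an unsafe jail.
    ChrootDirectory /exports/sftp
    # Run the sftp server whatever the client asked for: shell sessions,
    # scp and exec requests all get internal-sftp instead.
    ForceCommand internal-sftp
    # Close the side channels a file-transfer-only account has no use for.
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
```

    Inside the jail, what each user may read or write is still decided by
    ordinary file permissions on the directories under /exports/sftp, as in the
    answer to question 3. Run `sshd -t` after editing to have sshd parse the
    file and report errors before restarting it.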

