Re: openssh: Enabling sftp, but disabling ssh?



Mark Holden wrote:
I forgot to mention that we're using RHEL AS3 (currently at update 8)
and RHEL AS4 (currently at update 4). Does scponly support these
distributions?

It should do - I've used it on a number of "Redhat-like" distros.

From a quick read of the scponly web page:
- it seems to indiate that SFTP will work as well--is that actually the
case?

Yes - I've got scp and sftp working here.

- it appears to require a chroot'd environment.

Only if you want to stop users browsing through your file system. If
you're happy to rely upon file permissions, you won't need to run it in
a chroot.

If this is the case,
then I assume that the target dropbox will have to be in that users's
chroot'd environment. If so, then I assume it would make sense to
replace the global dropbox that the rest of the system/users use to be a
symbolic link to the dropbox in that user's chroot'd environment (so
they don't have to see the gory details of chroot'd environments).

I would avoid symlinking from outside the chroot as it could provide a
security vulnerability. On my system all the user areas are under the
chroot so, in theory, they can all see each others area but permissions
stop them getting very far.

You could move your global dropbox to under the chroot setup, but only
apply the chroot to scponly/rssh users. Then perhaps have a symlink
from the old location to the new.

- I assume this would be a patched to the openssh package? Or is it
simply installing the scponly shell on the system and pointing that user
id at that shell in /etc/passwd?

scponly installs as a shell; no patches, you just compile, install and
set the relevant user's shell in /etc/passwd to it.

I'm busied out with another deliverable at the moment, so will dig
deeper into what you mention below in the next coupld of days
(hopefully).

I'm on the lists for scponly and rssh too and the contributors are
usually very helpful.

By the way, the pizzashack reference seems to indicate that there are
security risks, so that concerns me. Does "scponly" have security risks
as well?

As I understand it - yes. It's entirely possible that someone could
take advantage of a currently undiscovered exploit and break free from
the chroot. But, by the same token, it is also possible that they might
take advantage of an exploit in your web- or email-server and do the same!

Take care,

Ben