Re: sftp password

From: Jem Berkes (jb_at_users.pc9.org)
Date: 06/24/05

• Next message: elliptic1_at_gmail.com: "Are the Moldovians math freaks?"
• Previous message: Allodoxaphobia: "Re: e-mails as an images"
• In reply to: Stan McCann: "sftp password"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Fri, 24 Jun 2005 04:58:22 +0000 (UTC)

> I manage a server that must provide outside access for all users. Due
> to being hacked a few times on a Solaris box, I have switched over to a
> Linux system which I understand security issues on somewhat better.

That's not true. Certain Linux distributions might have safer default
installations but really any *nix system becomes eash to gain
unauthorized entry to under similar conditions. I do not think the Linux
kernel is any more secure than say the Solaris, FreeBSD or OpenBSD
kernels.

> This leaves one problem, however with sftp. Since there is a valid
> password for the user account, a person can connect to the server using
> sftp without first changing the generic password. What I would like to
> do to solve this issue is disallow connection if the password has not
> been changed.

sftp works via the subsystem, a program as defined in sshd_config e.g.
/usr/libexec/sftp-server

You can make use of the *nix security model to control access to which
users are allowed to connect via sftp. I tested this out with OpenSSH 3.9
and it worked nicely... create a group like sftpuser and then change the
permissions on the sftp-server binary accordingly.

chgrp sftpuser /usr/libexec/sftp-server
chmod 750 /usr/libexec/sftp-server

Now only members of group 'sftpuser' can sftp into your system. By
default your users won't be a member of this group, so although they can
ssh in they will not be able to sftp in. You can either manually add
confirmed users to the sftpuser group, or come up with a script solution.
A script solution might involve scanning syslog messages for indication
that a user changed their password.

-- 
Jem Berkes
Software design for Windows and Linux/Unix-like systems
http://www.sysdesign.ca/

---

• Next message: elliptic1_at_gmail.com: "Are the Moldovians math freaks?"
• Previous message: Allodoxaphobia: "Re: e-mails as an images"
• In reply to: Stan McCann: "sftp password"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages How to setup STFP in solaris 8 ... I've Solaris 8 and SSH installed on one of the server. ... transfer the files which is FTP but we would like to setup the SFTP. ... (comp.security.unix) Re: SPAM sudden increase ... > Dude was on a tech call with f-secure and the tech asked, "So, ... dude is trying to FTP to their server using WSFTP. ... but I think he is talking about sftp protocol - FTP via ... (alt.2600) using java with sftp ... JCraft JSch package to SFTP files. ... //First Create a JSch session ... System.err.println("Unable to connect to FTP server. ... (comp.lang.java.programmer) Re: using java with sftp ... JCraft JSch package to SFTP files. ... //First Create a JSch session ... System.err.println("Unable to connect to FTP server. ... (comp.lang.java.programmer) Re: Pasting via ssh causes data loss ... sftp of the file to the remote and ... I then opened an ssh session to a FreeBSD ... errors shown on the interface of the server? ... (freebsd-questions)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > comp.os.linux.security  > 2005-06