Re: scp without sftp and ssh login

From: Nico Kadel-Garcia (nkadel@verizon.net)
Date: 04/06/03


From: Nico Kadel-Garcia <nkadel@verizon.net>
Date: Sat, 05 Apr 2003 23:09:28 GMT

William Peckham wrote:
> "Namkje" <namkje@aol.com> wrote in message
> news:20030404123428.19651.00000029@mb-cc.aol.com...
>
>>Bernd:
>>
>>I am struggling with this same issue and I was wondering if you have
>>discovered a solution.
>>
>>Thanks stuck
>
> I am confused. If you do not trust the user to start a session (using SSH)
> or transfer files (using sftp), why would you want to allow them to transfer
> files using scp?
>
> If they are that untrustworthy, why not run a (reasonably secured) anonymous
> FTP server? Allow upload only, only to a restricted quarantine directory.
> You can then observe, evaluate, and test any uploaded files before migrating
> them to their final destination.
>

Ahh. Been there, done that. The difficulty is that FTP passwords are
transmitted in the clear, where SCP/SSH allows the use of
authorized_keys to store only the user's public key. It also allows the
use of multiple public keys for the same account, with some modest
patches to log the "comment" field of the key for usage tracking.

People *inevitably* choose their normal user password for FTP passwords,
and complain bitterly when prevented from doing so. Using SSH/SCP/etc.
removes another way for those user passwords to be stolen.
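
Added example, not part of the original post: current OpenSSH releases log the SHA256 fingerprint of the key that was accepted, so the per-key usage tracking described above can be done by matching those fingerprints against the comment field in authorized_keys, without patching sshd. The log line layout, account name, addresses and key blobs below are constructed assumptions for illustration.

```python
import base64
import hashlib
import re

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")
OPTIONS = re.compile(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+\s+')
ACCEPTED = re.compile(r"Accepted publickey for (\S+) from (\S+) port \d+ ssh2: \S+ (SHA256:\S+)")

def fingerprint(b64_blob):
    """SHA256 fingerprint in the unpadded base64 form that sshd logs."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def strip_options(line):
    """Drop a leading options field; spaces inside double quotes do not end it."""
    if line.startswith(KEY_PREFIXES):
        return line
    m = OPTIONS.match(line)
    return line[m.end():] if m else ""

def load_comments(authorized_keys_text):
    """Map fingerprint -> comment for every key line of an authorized_keys file."""
    comments = {}
    for raw in authorized_keys_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        parts = strip_options(line).split(None, 2)
        if len(parts) >= 2 and parts[0].startswith(KEY_PREFIXES):
            comments[fingerprint(parts[1])] = parts[2] if len(parts) == 3 else "(no comment)"
    return comments

def key_usage(log_text, comments):
    """Return (user, source, key comment) for each accepted public-key login."""
    return [(m[1], m[2], comments.get(m[3], "unknown key")) for m in ACCEPTED.finditer(log_text)]

# Constructed sample data: the blobs are placeholders, not real keys.
BLOB_A = base64.b64encode(b"constructed key blob A").decode()
BLOB_B = base64.b64encode(b"constructed key blob B").decode()
SAMPLE_KEYS = f'''# upload account, one key per person
ssh-ed25519 {BLOB_A} alice's laptop
command="scp -t /incoming",no-pty ssh-ed25519 {BLOB_B} bob@build-host
'''
SAMPLE_LOG = "".join(
    f"sshd[101]: Accepted publickey for upload from {ip} port 50514 ssh2: ED25519 {fingerprint(b)}\n"
    for ip, b in (("192.0.2.10", BLOB_B), ("192.0.2.77", BLOB_A)))

if __name__ == "__main__":
    print(*key_usage(SAMPLE_LOG, load_comments(SAMPLE_KEYS)), sep="\n")
```

A fingerprint that appears in the log but maps to "unknown key" means the key was accepted from a file or source other than the one parsed, which is worth checking.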