Re: Enabling SSH only for ftp (not for telnet possible) ?



On Sun, 10 Dec 2006 21:43:55 +0000, Peter Meister wrote:

I want to offer encrypted ftp transfers to my server for some users.
The user should be able to use (win)scp to transfer files to my server.

However it is often said that granting SSH access is a security risk for telnet.

Hmm, I am not sure. I thought I could grant SSH to a user for only his ftp connections.
Or does SSH mean: all or nothing: SSH for FTP AND telnet or no SSH at all?

Do I need full SSH permissions to use scp?

Peter

SSH is not Telnet; all communication is encrypted. However, if what you are
worried about is users logging into the system using SSH, I'm not sure if
there is any way to prevent this if you've given them ssh access.

I have an ssh server for distributing code to my customers. What I did is
the following:

I dedicated an old machine (500 MHz PIII) to the task. I did a fairly
minimal install of Fedora Core to it, basically enough to run ssh and no
other servers.

I create an account for each user and I have them send me their
id_rsa.pub public key, which I put in an authorized_keys file. I don't
allow password access; the only way in is via RSA authentication.

All of the user accounts have 700 access privileges so that no user can
see anything that's in another user's account.

The public key for my ssh server is not in the authorized keys files for
any other machine on my LAN, that way you can't ssh from the server to
another machine (I don't run any legacy services on my machines so ssh is
the only way to log into them).

I can ssh into my ssh server from my other machines so I can copy things
to and from my account on the server, so when I do a release I copy the
release tar.gz files to my account on the ssh server. I then su to root
and copy the files to the appropriate user accounts. I then do a chmod -R
700 so that everything in /home is private.

There is probably a better way to do this, but this works for me and I'm
confident that it's secure.
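
A check for the two properties this setup depends on (account directories at mode 700 and key-only logins), added here as an example and not part of the original post. The function names and the sample accounts alice and bob are made up for illustration, and the config parse assumes no Match or Include directives.

```shell
#!/bin/sh
# Added example: checks for the two properties the setup above relies on.

# List account directories directly under $1 whose mode is not exactly 700.
loose_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d ! -perm 700 | sort
}

# Print the value sshd would use for keyword $1 in config file $2.
# sshd matches keywords case-insensitively and keeps the first value it
# reads. Match blocks and Include files are not evaluated (assumption).
sshd_setting() {
    awk -v key="$1" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }
        /^#/ { next }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$2"
}

# Return 0 only if every home is private and only key logins are possible.
audit_key_only_server() {
    rc=0
    loose=$(loose_homes "$1")
    if [ -n "$loose" ]; then
        printf 'not mode 700:\n%s\n' "$loose"; rc=1
    fi
    # PasswordAuthentication defaults to yes, so it must be set to no.
    if [ "$(sshd_setting PasswordAuthentication "$2")" != "no" ]; then
        echo "password logins are not disabled"; rc=1
    fi
    # PubkeyAuthentication defaults to yes; only an explicit no breaks it.
    if [ "$(sshd_setting PubkeyAuthentication "$2")" = "no" ]; then
        echo "public key logins are disabled"; rc=1
    fi
    return "$rc"
}

# Constructed sample: two accounts (one too open) and a minimal config.
make_sample() {
    mkdir -p "$1/home/alice" "$1/home/bob"
    chmod 700 "$1/home/alice"; chmod 755 "$1/home/bob"
    printf '%s\n' '# constructed sample' 'PubkeyAuthentication yes' \
        'passwordauthentication no' 'PasswordAuthentication yes' \
        > "$1/sshd_config"
}

# Usage: sh audit.sh /home /etc/ssh/sshd_config
if [ "$#" -eq 2 ]; then audit_key_only_server "$1" "$2"; fi
```

On a live host, `sshd -T` prints the effective configuration and is the more reliable source for these values than parsing the file.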