Re: Enabling SSH only for ftp (not for telnet possible) ?



General Schvantzkoph <schvantzkoph@xxxxxxxxx> writes:

On Sun, 10 Dec 2006 21:43:55 +0000, Peter Meister wrote:

I want to offer encrypted ftp transfers to my server for some users.
The user should be able to use (win)scp to transfer files to my server.

However it is often said that granting SSH access is a security risk for telnet.

Hmm, I am not sure. I thought I could grant SSH to a user for only his ftp connections.
Or does SSH mean: all or nothing: SSH for FTP AND telnet or no SSH at all?

Do I need full SSH permissions to use scp?

No idea what you are talking about. ssh and telnet have nothing to do with
each other. ssh is a completely different protocol from telnet, and does
not use telnet in any way, and vice versa.


SSH is not Telnet, all communication is encrypted. However if what you are
worried about are users logging into the system using SSH I'm not sure if
there is any way to prevent this if you've given them ssh access.

scp IS ssh. It is using ssh to copy a file from one system to the next.
scp is NOT ftp. There is a thing called sftp which uses the ftp protocol
with ssh.




I have an ssh server for distributing code to my customers. What I did is
the following,

I dedicated an old machine (500 MHz PIII) to the task. I did a fairly
minimal install of Fedora Core to it, basically enough to run ssh and no
other servers.

I create an account for each user and I have them send me their
id_rsa.pub public key which I put in an authorized_keys file. I don't
allow password access, the only way in is via RSA authentication.

All of the users' accounts have 700 access privileges so that no user can
see anything that's in another user's account.

The public key for my ssh server is not in the authorized keys files for
any other machine on my LAN, that way you can't ssh from the server to
another machine (I don't run any legacy services on my machines so ssh is
the only way to log into them).

I can ssh into my ssh server from my other machines so I can copy things
to and from my account on the server so when I do a release I copy the
release tar.gz files to my account on the ssh server. I then su to root
and copy the files to the appropriate user accounts, I then do a chmod -R
700 so that everything in /home is private.

There is probably a better way to do this, but this works for me and I'm
confident that it's secure.

Sounds fine.
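
An added example, not part of the original thread: a small audit script for the setup described above (key-only logins, every home directory at mode 700). The function names and the idea of passing the home base directory and sshd_config path as arguments are assumptions made for this example; it assumes whitespace-separated sshd_config keywords and no Match blocks.

```shell
#!/bin/sh
# Added example (not from the thread): audit the setup described in the post.
# Paths are passed as arguments so the checks can be tried on a test tree.

# Print the effective PasswordAuthentication value from an sshd_config file.
# sshd uses the first occurrence of a keyword; when absent the default is "yes".
# Assumption: keyword and value are whitespace-separated, no Match blocks.
password_auth_setting() {
    awk 'tolower($1) == "passwordauthentication" {
             print tolower($2); found = 1; exit
         }
         END { if (!found) print "yes" }' "$1"
}

# List directories directly under $1 whose mode is not exactly 700.
loose_home_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d ! -perm 700 | sort
}

# Run both checks; the return status is the number of failed checks.
audit_ssh_dropbox() {
    home_base=$1
    sshd_config=$2
    findings=0

    if [ "$(password_auth_setting "$sshd_config")" != "no" ]; then
        echo "FAIL: password logins are not disabled in $sshd_config"
        findings=$((findings + 1))
    fi

    loose=$(loose_home_dirs "$home_base")
    if [ -n "$loose" ]; then
        echo "FAIL: home directories not mode 700:"
        echo "$loose"
        findings=$((findings + 1))
    fi

    if [ "$findings" -eq 0 ]; then
        echo "OK: key-only logins, all home directories private"
    fi
    return "$findings"
}

# Usage: sh audit.sh /home /etc/ssh/sshd_config
if [ "$#" -eq 2 ]; then
    audit_ssh_dropbox "$1" "$2"
fi
```

Running it after each release copy catches a home directory that was left readable before the chmod step.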