[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: security problem with sftp



Chris Timmons wrote:
The difference here though, is that sftp relies on ssh. You would need ssh to be able to read a chrootuser config file or a magic token in the home dir shell entry( /./ ).

I have seen a patch like this (unsupported by OpenSSH team)

why?

for the portable versions, and thought about porting it over to the OpenBSD code, but it's been bumped down on the priority list lately. When I played with it before (OpenBSD 3.0 / OpenSSH 3.4)
I was able to get ssh to stick in the chroot I set with the token,
but sftp would aways break out. Playing more, I could get out of ssh chroot home.
Basically the moral is: If you don't have a proper chroot environment, with or without the *magic cookie*, ... You're screwed. It is
> not _currently_officially_ supported for good reason.

Chris.

I believe, ftp with ssl is the better solution. and easier...

Could you press "ENTER" after circa 70 characters when you
writing e-mails? It looks very terrible...

thanks


David Maez wrote:
 > This has been covered before.
 >
 > Search the archives, but I believe the short answer is to
 > set the users' shells to /<path>/sftp-server
 >
 > They can now sftp, but they can't ssh in.
 >

yeah, very good!
they change now their directory
to other home directories and download their web-files
with users and passwords data...

Isn't there a config-file like ftpchroot for sftp?