[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: security problem with sftp
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: security problem with sftp
- From: Fabian Dülli <fabian_(_dot_)_duelli_(_at_)_bluewin_(_dot_)_ch>
- Date: Thu, 26 Sep 2002 21:35:51 +0200
Chris Timmons wrote:
The difference here though, is that sftp relies on ssh.
You would need ssh to be able to read a chrootuser config
file or a magic token in the home dir shell entry( /./ ).
I have seen a patch like this (unsupported by OpenSSH team)
for the portable versions, and thought about porting it over
to the OpenBSD code, but it's been bumped down on the priority
list lately. When I played with it before (OpenBSD 3.0 / OpenSSH 3.4)> not _currently_officially_ supported for good reason.
I was able to get ssh to stick in the chroot I set with the token,
but sftp would aways break out. Playing more, I could get out of ssh chroot home.
Basically the moral is: If you don't have a proper chroot environment,
with or without the *magic cookie*, ... You're screwed. It is
I believe, ftp with ssl is the better solution.
Could you press "ENTER" after circa 70 characters when you
writing e-mails? It looks very terrible...
David Maez wrote:
> This has been covered before.
> Search the archives, but I believe the short answer is to
> set the users' shells to /<path>/sftp-server
> They can now sftp, but they can't ssh in.
yeah, very good!
they change now their directory
to other home directories and download their web-files
with users and passwords data...
Isn't there a config-file like ftpchroot for sftp?