On Sat, Mar 25, 2000 at 11:38:38AM +0100, FIOL BONNIN Antonio wrote:

> I believe that a chroot'ed ftp may work well for you, as long as you do
> not allow ssh users to log in the ftp, nor the ftp users log in the ssh.

for ftp only yes chroot works quite well.  it's when you combine shell
access and quick file transfer (say for users maintaining a web site
or portion of one)
> 
> separate chroot'ed ftp, and user password changing via chroot'ed telnetd.
> You setup the user's shell to /bin/passwd and that should be it. (Never
> tested).

hmm, this might work but means blowing a second account on every shell
user needing file transfer abilities.  and there is no way to keep
them from setting both passwords the same making the entire setup useless.

> You won't get security if users do not accept it. However, you can propose
> them the solution I told you (chroot ftp+telnet/passwd), telling them that
> they have NO security at all on their files stored there.

if they are maintaining a web site they generally don't care if
everyone can access their files, everyone already can over on port
80...

when it comes to compromising the entire system by sending shell
passwords over the net in clear with ftp, they don't care if it means
giving up ftp altogether...  after all it's not their problem if the
system gets cracked and has to be rebuilt... (users are so annoying <g>)

i suppose the only solution until (if) a secure ftp comes along is to
be a total BOFH and simply say scp or die, if one can get away with it
anyway  ;-)

> Install a good log-parser to analyze everything that happens, and if you
> see something strange... well just analyze them yourself by hand ;)

i need to check out logparsers again, last time i tried logcheck i ended
up dumping it since i got tired of mail delivery being considered
suspicious ;-)  (didn't have time to rewrite all the rules..)

>       Antonio
> 

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
