Yes, I guess you are right... Well, I have another question... In WS_FTP Pro there is
an option "secure (SSL)"... but it's not about sftp... what the hell does that mean? Is
there another way of doing secure FTP?

João.

Ed Wilts wrote:

> On Thu, May 09, 2002 at 09:22:34AM -0400, Joao Borsoi Soares wrote:
> > Ed Wilts,
> >
> > I found a good and easy solution for my problem... I think you may want to do
> > the same... I just wrote a simple C program to be my shell... I think it may be a
> > shell script also.. Take a look below...
>
> You found an easy solution, not a good one.  Anyone with sftp access now
> has access to any world-readable file on the system, including your
> password file (although it doesn't normally contain passwords, it does
> contain a list of all valid users on your system).
>
> I said that there was no way to chroot your users, and I meant it.  Any
> directory that is readable by your users is now retrievable.  Any
> directory that is writable is now open to a DOS attack - for example, if
> I had an sftp account on your system, I could fill /tmp or /var/tmp.  If
> /var/tmp is not on a separate partition, I've just filled /var and
> disabled all your incoming mail.
>
> Cheers,
>         .../Ed
>
> >
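> > #include <stdio.h>
> > #include <stdlib.h>   /* exit(), system() */
> > #include <string.h>   /* strcmp() */
> >
> > int main(int argc, char **argv)
> > {
> >   /* The login shell is invoked as: <shell> -c <command> */
> >   if (argc != 3)
> >     exit(1);
> >
> >   /* Allow only the sftp-server command; refuse everything else. */
> >   if (strcmp(argv[1], "-c") == 0 &&
> >       strcmp(argv[2], "/usr/libexec/openssh/sftp-server") == 0)
> >   {
> >     system(argv[2]);
> >     exit(0);
> >   }
> >
> >   exit(1);
> > }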
> >
> > Ed Wilts wrote:
> >
> > > On Wed, May 08, 2002 at 05:25:47PM -0400, Joao Borsoi Soares wrote:
> > > > But how can I have security with old ftp? Will I have to implement something
> > > > to handle uploads through a web interface?
> > >
> > > What kind of security are you after?  What I've done for my office
> > > server is to tightly manage the ftpaccess file.  Files can only be
> > > uploaded into specific directories for each user, and can only be
> > > downloaded from other specific per-user directories.  Once a file is
> > > uploaded, it can not be downloaded unless someone here moves it.
> > >
> > > Yes, ftp does transmit usernames and passwords in clear text - that
> > > doesn't mean you ignore the protocol completely.
> > >
> > > Another alternative is to use something like WebFTP - this is a web
> > > interface to ftp so that you can use ftp between the file server and the
> > > web server (and they could be the same box) and ssl to the end user.
> > > I'm still testing a couple of clients and neither is perfect, but with
> > > enough tweaking, they can be made to work securely.
> > >
> > > >
> > > > Joao.
> > > >
> > > > Ed Wilts wrote:
> > > >
> > > > > On Wed, May 08, 2002 at 01:02:38PM -0400, Joao Borsoi Soares wrote:
> > > > > >
> > > > > > I have a webserver in my company running RH7.1. I need to enable my
> > > > > > clients to do FTP to their areas. But I want them to do that only
> > > > > > through SSH (sftp). And I don't want them to be able to open a shell. I
> > > > > > tried to put /bin/false in the passwd file, but when I did that, they
> > > > > > were unable even to do sftp. Can anyone help me?
> > > > >
> > > > > You can't do what you want.  ssh doesn't support a chrooted environment
> > > > > although there are some unsupported hacks around that.  Your best bet is
> > > > > good old-fashioned ftp.
>
> --
> Ed Wilts, Mounds View, MN, USA
> mailto:[EMAIL PROTECTED]
>
> _______________________________________________
> Redhat-list mailing list
> [EMAIL PROTECTED]
> https://listman.redhat.com/mailman/listinfo/redhat-list
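
An added example, not code from anyone in this thread: the sftp-only login shell quoted above, rewritten to start the server with execve() so that no /bin/sh runs in between and no client-supplied environment is inherited. The helper name `is_sftp_request` and the fixed PATH value are assumptions of this sketch; the server path is the one given in the thread. It does nothing about the objection raised in the reply: the account can still fetch every world-readable file and fill any writable directory.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Path as given in the thread (Red Hat's OpenSSH package). */
#define SFTP_SERVER "/usr/libexec/openssh/sftp-server"

/* Return 1 only for the exact invocation the thread's wrapper accepts:
 *   <shell> -c /usr/libexec/openssh/sftp-server
 * Anything else (interactive login, other commands, extra args) is 0. */
int is_sftp_request(int argc, char **argv)
{
    if (argc != 3 || argv[1] == NULL || argv[2] == NULL)
        return 0;
    return strcmp(argv[1], "-c") == 0 && strcmp(argv[2], SFTP_SERVER) == 0;
}

int main(int argc, char **argv)
{
    /* Design choice of this sketch: a fixed, minimal environment
     * instead of whatever the session handed to the shell. */
    char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    char *const server_argv[] = { "sftp-server", NULL };

    if (!is_sftp_request(argc, argv)) {
        fprintf(stderr, "This account is restricted to sftp.\n");
        return 1;
    }

    /* execve() replaces this process with the server. Unlike system(),
     * no shell parses the command line, and the argument vector is a
     * constant rather than a string taken from argv. */
    execve(SFTP_SERVER, server_argv, clean_env);

    perror("execve");   /* reached only if the exec itself failed */
    return 1;
}
```
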


