[scponly] scponly with internal-sftp
Kaleb Pederson
kaleb.pederson at gmail.com
Tue Jun 16 23:43:32 EDT 2009
On Tue, Jun 16, 2009 at 5:00 PM, Whit Blauvelt <whit at transpect.com> wrote:
> Just a note that scponly will work for sftp in combination with OpenSSH's
> internal-sftp option without doing the OpenSSH "match group" step, and
> without having to have any files within the chroot other than etc/passwd.
I would expect /etc/passwd to be present within the chroot. I run a
cron job which rebuilds /etc/passwd within the chroot whenever I use a
shared chroot. That way I can add and remove users at will and still
have the chrooted /etc/passwd up-to-date.
> As
> for steps, instead of adding the user to the group, it's creating the
> etc/passwd within their directory, so that's about an even amount of work.
I'm not sure I understand. Are you placing it within the user's home
directory or within the chroot?
> Whether this is more or less secure than the pure OpenSSH way of doing an
> sftp chroot I just plain don't know. Is it like a belt and suspenders - more
> protection - or is it just having two potential sets of vulnerabilities?
If you can get away with just SSH, then I consider it an extra chance
for vulnerabilities and breakage. I always recommend getting away with
the least amount of permissions and layers possible.
--Kaleb
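The cron job Kaleb describes, which rebuilds the chroot's etc/passwd so a shared chroot stays in sync with the host accounts, could look like the script below. This is an added example, not code from the thread or from the scponly project. It assumes the chrooted accounts are identified by membership in a group named "sftponly", that the chroot lives under /srv/sftp, and that the copy is only needed so sftp-server can map uids to names in directory listings; it copies the matching host passwd lines with the password field forced to "x" (so no hash ever lands inside the chroot), writes to a temp file and renames it into place so a half-written file is never visible. The group name, paths and sample accounts are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): regenerate a chroot's etc/passwd
# from the host passwd file, keeping only the members of one group.
# Intended to be run from root's crontab; all paths and the group name
# "sftponly" are assumptions for this example.
set -eu

# build_chroot_passwd HOST_PASSWD HOST_GROUP GROUP DEST
#   Writes DEST containing only the accounts whose primary GID is GROUP's
#   GID or that are listed as supplementary members of GROUP. The password
#   field is forced to "x" so the chroot copy never carries a hash, and the
#   file is replaced atomically with a mode 0644 temp file.
build_chroot_passwd() {
    host_passwd=$1; host_group=$2; group=$3; dest=$4

    gid=$(awk -F: -v g="$group" '$1 == g { print $3 }' "$host_group")
    members=$(awk -F: -v g="$group" '$1 == g { print $4 }' "$host_group")
    if [ -z "$gid" ]; then
        echo "build_chroot_passwd: group $group not found in $host_group" >&2
        return 1
    fi

    tmp=$(mktemp "${dest}.XXXXXX")
    awk -F: -v OFS=: -v gid="$gid" -v members="$members" '
        BEGIN {
            n = split(members, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") want[m[i]] = 1
        }
        $4 == gid || ($1 in want) {
            $2 = "x"   # never copy a real hash into the chroot
            print
        }' "$host_passwd" > "$tmp"
    chmod 0644 "$tmp"
    mv "$tmp" "$dest"
}

# demo: builds a constructed host passwd/group pair in a temp directory,
# runs the rebuild into a fake chroot and prints the resulting file.
# Returns the temp directory path so callers can inspect or remove it.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/chroot/etc"
    # Constructed sample data: alice has sftponly as primary group, carol is
    # a supplementary member, bob and root must not appear in the chroot copy.
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/sh' \
        'alice:x:1001:1001::/home/alice:/usr/bin/scponly' \
        'bob:x:1002:100::/home/bob:/bin/sh' \
        'carol:x:1003:100::/home/carol:/usr/bin/scponly' > "$d/passwd"
    printf '%s\n' 'root:x:0:' 'users:x:100:' 'sftponly:x:1001:carol' > "$d/group"
    build_chroot_passwd "$d/passwd" "$d/group" sftponly "$d/chroot/etc/passwd"
    cat "$d/chroot/etc/passwd"
    echo "$d"
}

# Production invocation from cron would be, for example:
#   build_chroot_passwd /etc/passwd /etc/group sftponly /srv/sftp/etc/passwd
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Because the script replaces the file with mv rather than rewriting it in place, a client listing a directory at the moment cron runs sees either the old or the new copy, never an empty one; and since only group members are copied, an account removed from the group disappears from the chroot on the next run without any manual edit.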