[scponly] scponly 4.2 released (IMPORTANT SECURITY FIXES)

csnyder chsnyder at gmail.com
Thu Dec 22 12:31:55 EST 2005


On 12/22/05, Kaleb Pederson <kpederson at mail.ewu.edu> wrote:
> On Thursday 22 December 2005 8:54 am, csnyder wrote:
> > On 12/22/05, user <user at dhp.com> wrote:
> [snip]
> > > So ... do I understand correctly - the scponly shell does not support scp
> > > by default anymore ?
> > >
> > > If the default does not support scp and rsync, does that mean 0% of all
> > > scponly admins will ever install the default ?  What would you do with
> > > the default install ?
> >
> > ... and maybe it should be named "sftponly" now?
>
>
> Perhaps there is a misunderstanding?
>
> $ ./configure --help | egrep "scp|rsync"
> `configure' configures scponly 4.2 to adapt to many kinds of systems.
>   --enable-winscp-compat  enable winscp (and scp) compatibility
>   --enable-scp-compat     enable scp compatibility
>   --enable-rsync-compat   enable rsync compatibility
>                           install chrooted binary 'scponlyc'
>
> That seems like a far cry from sftponly?  Just a change to the default?  Don't
> most sysadmins look at the help before they install?

Well, yes... if they install by hand. But many use package managers or
ports collections, and a change in default compatibility can throw a
wrench into that. Not a big wrench, just an annoying one.


> > I believe in "secure by default" but this seems like it might be
> > taking it a little too far. Is disabling scp really the only way to
> > accomplish this?
>
> Isn't this like turning off all the services on a Linux box that you deliver
> to someone?  They have the option of turning on the "service" if they want.
>

I was thinking it was more like delivering a Linux box with networking
disabled. :-)

If you tell me that scp is dangerous because of the -S switch, and
that scponly has no way to prevent a crafty user from invoking another
executable from the command line, then I will sigh, shake my head, and
consider disabling scp at the risk of breaking my users' routines. But
before I go through that (not a minor change, by the way) I thought
I'd ask if it's *really* unsafe to have scp enabled.

And if it's not, or disabling it is an enhancement to security (rather
than a necessity for secure operation itself), then why change the
default compatibility?

