[scponly] scponly security issues with WinSCP compatibility
Ralf Durkee
rd at rd1.net
Sun Feb 13 14:14:19 EST 2005
At 04:19 PM 2/12/2005, John M. Lauck wrote:
>Thanks a lot Chad!
>
>I'll give it a try and post my results. I have one question though: Are
>there specific security issues with leaving WinSCP compatibility enabled?
>
>John
Security best practice is to enable only what's necessary, and enable the
services with the least risk. My recommendation is to disable everything
except the sftp protocol. As already stated, the WinSCP clients work fine if
they use sftp. I usually disable SSHv1 in the sshd and ssh configuration
files as well. There were some recent security issues as noted on the
scponly home page, which I understand have been addressed, but for systems
which only allowed the sftp protocol there was no risk for that specific
vulnerability. <http://www.securityfocus.com/archive/1/383046>
Here are the options I used on my last configuration:
--enable-chrooted-binary --disable-scp-compat --disable-winscp-compat
--disable-wildcards
There is some redundancy with --disable-wildcards, and you could also add
--disable-gftp-compat if you'd like.
Hope this helps.
-- Ralf Durkee, CISSP, GSEC, GCIH
Principal Consultant
585-624-9551
http://rd1.net
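The reply above also recommends disabling SSHv1 in the sshd configuration. The following is an added example, not code from the original post or from the scponly project: a small POSIX shell check that reports whether an sshd_config still permits protocol version 1. It assumes that a missing "Protocol" directive means "2,1" (the OpenSSH default of that era; current OpenSSH has removed SSHv1 altogether) and that, as sshd does, the first uncommented occurrence of a keyword is the one that counts. The sample config files are constructed inline for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: check whether an sshd_config
# still permits SSH protocol version 1, which the reply recommends disabling.
# Assumption: when no "Protocol" directive is present we treat the value as
# "2,1", the OpenSSH default of the era; modern OpenSSH has removed SSHv1
# entirely, so on current systems the directive is simply gone.

# sshv1_enabled CONFIG_FILE  -> prints "yes" if v1 is allowed, "no" otherwise.
# sshd uses the first value it sees for a keyword, so the first uncommented
# "Protocol" line wins (keyword matched case-insensitively, as sshd does).
sshv1_enabled() {
    proto=$(awk 'tolower($1) == "protocol" { print $2; exit }' "$1")
    [ -z "$proto" ] && proto="2,1"
    case ",$proto," in
        *,1,*) echo yes ;;
        *)     echo no ;;
    esac
}

# Constructed sample configs for the demonstration (not real files).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
weak_cfg="$tmpdir/sshd_config.weak"
fixed_cfg="$tmpdir/sshd_config.fixed"
default_cfg="$tmpdir/sshd_config.default"

# A commented-out "Protocol 2" does not count; the live line still allows v1.
cat > "$weak_cfg" <<'EOF'
# Protocol 2
Protocol 2,1
Subsystem sftp /usr/libexec/sftp-server
EOF

# The corrected form: only protocol 2.
cat > "$fixed_cfg" <<'EOF'
Protocol 2
Subsystem sftp /usr/libexec/sftp-server
EOF

# No Protocol line at all: falls back to the assumed "2,1" default.
printf 'Subsystem sftp /usr/libexec/sftp-server\n' > "$default_cfg"

for f in "$weak_cfg" "$fixed_cfg" "$default_cfg"; do
    echo "$(basename "$f"): SSHv1 enabled = $(sshv1_enabled "$f")"
done
```

Run it against your real /etc/ssh/sshd_config by calling `sshv1_enabled /etc/ssh/sshd_config`; anything other than "no" means the server would still negotiate the legacy protocol.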