[scponly] scponly security issues with WinSCP compatibility
John M. L.
john at recaffeinated.com
Mon Feb 14 01:48:12 EST 2005
Ralf,
Just to make sure I'm clear on the issue... The --disable-winscp-compat only
disables compatibility for WinSCP's SCP feature? That option would not
disable WinSCP from being used in SFTP mode.
John M Lauck
On 2/13/05 2:14 PM, "Ralf Durkee" <**@rd1.net> wrote:
> At 04:19 PM 2/12/2005, John M. Lauck wrote:
>> Thanks a lot Chad!
>>
>> I'll give it a try and post my results. I have one question though: Are
>> there specific security issues with leaving WinSCP compatibility enabled?
>>
>> John
>
> Security best practice is to enable only what's necessary, and enable the
> services with the least risk. My recommendation is to disable everything
> except the sftp protocol. As already stated the winscp clients work fine if
> they use sftp. I usually disable SSHv1 in the sshd and ssh configuration
> files as well. There were some recent security issues as noted on the
> scponly home page, which I understand have been addressed, but for systems
> which only allowed the sftp protocol there was no risk for that specific
> vulnerability. <http://www.securityfocus.com/archive/1/383046>
>
> Here are the options I used on my last configuration:
> --enable-chrooted-binary --disable-scp-compat --disable-winscp-compat
> --disable-wildcards
>
> There is some redundancy with the --disable-wildcards, and you could also add
> --disable-gftp-compat if you'd like.
>
> Hope this helps.
>
>
> -- Ralf Durkee, CISSP, GSEC, GCIH
> Principal Consultant
> 585-624-9551
> http://rd1.net
>
>
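
The sftp-only posture recommended in the quoted message can be checked mechanically. The script below is an added example, not part of the original thread or the scponly project: it reports which of the `--disable-*` flags named above are absent from a configure command line, and whether an sshd/ssh configuration pins `Protocol` to 2. The function names, the choice to check all four flags, and the sample inputs are assumptions made for illustration.

```shell
#!/bin/sh
# Flags from the thread that switch off the non-sftp compatibility modes.
# (--disable-gftp-compat is the optional one mentioned at the end.)
CHECK_FLAGS="--disable-scp-compat --disable-winscp-compat --disable-wildcards --disable-gftp-compat"

# missing_flags "<configure arguments>"
# Prints, one per line, each checked flag that is absent from the arguments.
missing_flags() {
    # Fold newlines and tabs to spaces so a wrapped command line still matches.
    args=$(printf '%s' "$1" | tr '\n\t' '  ')
    for flag in $CHECK_FLAGS; do
        case " $args " in
            *" $flag "*) ;;                 # flag present as a whole word
            *) printf '%s\n' "$flag" ;;     # flag missing
        esac
    done
}

# protocol2_only: reads sshd_config or ssh_config text on stdin.
# Returns 0 only if the first uncommented Protocol directive is exactly "2";
# a missing directive or a value such as "2,1" returns 1.
protocol2_only() {
    proto=$(awk 'tolower($1) == "protocol" { print $2; exit }')
    [ "$proto" = "2" ]
}

# Constructed sample inputs (not taken from any real system).
SAMPLE_BUILD="--enable-chrooted-binary --disable-scp-compat --disable-winscp-compat
--disable-wildcards"
SAMPLE_SSHD='# constructed sample
Port 22
Protocol 2'

echo "missing from sample build: $(missing_flags "$SAMPLE_BUILD" | tr '\n' ' ')"
if printf '%s\n' "$SAMPLE_SSHD" | protocol2_only; then
    echo "sshd: protocol 2 only"
else
    echo "sshd: SSHv1 not explicitly disabled"
fi
```
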