[scponly] scponly with internal-sftp
Whit Blauvelt
whit at transpect.com
Wed Jun 17 09:31:41 EDT 2009
On Tue, Jun 16, 2009 at 08:43:32PM -0700, Kaleb Pederson wrote:
> > As for steps, instead of adding the user to the group, it's creating the
> > etc/passwd within their directory, so that's about an even amount of
> > work.
>
> I'm not sure I understand. Are you placing it within the users home
> directory or within the chroot?
Yeah, scponlyc when used with OpenSSH's internal-sftp to do a chroot
requires _only_ the existence of etc/passwd within the chroot directory
assigned the user - none of the other directories or files.
> > Whether this is more or less secure than the pure OpenSSH way of doing an
> > sftp chroot I just plain don't know. Is it like a belt and suspenders - more
> > protection - or is it just having two potential sets of vulnerabilities?
>
> If you can get away with just SSH, then I consider it an extra chance
> for vulnerabilities and breakage. I always recommend to get away with
> the least amount of permissions and layers possible.
You're probably right. Between "more layers of protection" and "more
potential layers of vulnerability" the second could well be the stronger
concern here.
One other small advantage of the combination though: If a normal ssh
connection is attempted, the combined approach drops it properly. The
OpenSSH-only approach currently hangs after the password. Promptly dropping
it seems the more secure action.
Whit
More information about the scponly
mailing list