Re: openssh: Enabling sftp, but disabling ssh?

Subject: Re: openssh: Enabling sftp, but disabling ssh?
Date: Wed, 06 Sep 2006 00:19:32 +0100
Mark Holden wrote:
> I forgot to mention that we're using RHEL AS3 (currently at update 8)
> and RHEL AS4 (currently at update 4). Does scponly support these
> distributions?

It should do - I've used it on a number of "Redhat-like" distros.

> From a quick read of the scponly web page:
> - it seems to indicate that SFTP will work as well--is that actually the
> case?

Yes - I've got scp and sftp working here.

> - it appears to require a chroot'd environment.

Only if you want to stop users browsing through your file system.  If
you're happy to rely upon file permissions, you won't need to run it in
a chroot.

> If this is the case,
> then I assume that the target dropbox will have to be in that user's
> chroot'd environment. If so, then I assume it would make sense to
> replace the global dropbox that the rest of the system/users use to be a
> symbolic link to the dropbox in that user's chroot'd environment (so
> they don't have to see the gory details of chroot'd environments).

I would avoid symlinking from outside the chroot as it could provide a
security vulnerability.  On my system all the user areas are under the
chroot so, in theory, they can all see each other's area but permissions
stop them getting very far.

You could move your global dropbox to under the chroot setup, but only
apply the chroot to scponly/rssh users.  Then perhaps have a symlink
from the old location to the new.

> - I assume this would be a patch to the openssh package? Or is it
> simply installing the scponly shell on the system and pointing that user
> id at that shell in /etc/passwd?

scponly installs as a shell; no patches, you just compile, install and
set the relevant user's shell in /etc/passwd to it.

> I'm busied out with another deliverable at the moment, so will dig
> deeper into what you mention below in the next couple of days
> (hopefully).

I'm on the lists for scponly and rssh too and the contributors are
usually very helpful.

> By the way, the pizzashack reference seems to indicate that there are
> security risks, so that concerns me. Does "scponly" have security risks
> as well?

As I understand it - yes.  It's entirely possible that someone could
take advantage of a currently undiscovered exploit and break free from
the chroot.  But, by the same token, it is also possible that they might
take advantage of an exploit in your web- or email-server and do the same!

Take care,

Ben
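
An audit that follows from the setup discussed in this message, as an added example that is not part of the original post or of scponly/rssh: it reads passwd-format data and flags accounts that have a restricted shell but a home outside the chroot, and accounts living inside the chroot that still have an interactive shell. The chroot base `/srv/xfer`, the treatment of `scponlyc` as a restricted shell, the status labels and the sample accounts are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit passwd-format data for transfer-only accounts.
# Assumptions (not from the thread): shells whose basename is scponly,
# scponlyc or rssh count as restricted; /srv/xfer is a hypothetical
# chroot base; the status labels are made up for this example.

# audit_passwd CHROOT_BASE < passwd-format-data
# Prints "user STATUS" for every account that uses a restricted shell
# or has its home directory under CHROOT_BASE. Other accounts are skipped.
audit_passwd() {
    awk -F: -v base="$1" '
        /^#/ || NF < 7 { next }      # skip comments and malformed lines
        {
            n = split($7, p, "/")    # p[n] is the basename of the login shell
            restricted = (p[n] == "scponly" || p[n] == "scponlyc" || p[n] == "rssh")
            # Match on a path-component boundary so that /srv/xfer-old
            # is not mistaken for something inside /srv/xfer.
            inside = ($6 == base || index($6, base "/") == 1)
            if (restricted && inside)  print $1, "OK"
            else if (restricted)       print $1, "RESTRICTED_HOME_OUTSIDE_CHROOT"
            else if (inside)           print $1, "INTERACTIVE_SHELL_IN_CHROOT"
        }'
}

# Constructed sample data, not real accounts.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:501:501::/srv/xfer/alice:/usr/bin/scponly
bob:x:502:502::/home/bob:/usr/bin/rssh
carol:x:503:503::/srv/xfer/carol:/bin/bash
dave:x:504:504::/srv/xfer-old/dave:/bin/bash
EOF
}

sample_passwd | audit_passwd /srv/xfer
```

On a live system the same function can be fed with `audit_passwd /your/chroot/base < /etc/passwd`.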
