sftp creating restricted shell for sftp only



105547111
29th May 2007, 01:48 AM
Hi All,

I read that a way to give users SFTP access without compromising security is to add this to /etc/shells

/usr/libexec/openssh/sftp-server

This way the sftp login can't be used to get shell access.

Anyone got advice?

Thanks!
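An added example in POSIX sh (not from this thread) that audits which accounts fall under the scheme described above: it classifies each account by its login shell and checks that the sftp-server path is actually listed in /etc/shells. The passwd and shells data are constructed inline so it runs offline; on a real host you would read /etc/passwd and /etc/shells instead.

```shell
#!/bin/sh
# Added example, not from the thread: audit login shells for the
# "sftp-server as login shell" scheme. All input data below is constructed.

SFTP_SERVER=/usr/libexec/openssh/sftp-server

# Constructed /etc/passwd-style records (real file: /etc/passwd).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/usr/libexec/openssh/sftp-server
bob:x:1002:1002::/home/bob:/bin/false
carol:x:1003:1003::/home/carol:/bin/bash
dave:x:1004:1004::/home/dave:/usr/local/psa/bin/chrootsh'

# Constructed /etc/shells contents (real file: /etc/shells).
SAMPLE_SHELLS='/bin/sh
/bin/bash
/usr/libexec/openssh/sftp-server'

# sftp_shell_listed: succeed only if the sftp-server path is in /etc/shells data.
sftp_shell_listed() {
    printf '%s\n' "$SAMPLE_SHELLS" | grep -qxF -- "$SFTP_SERVER"
}

# classify_shell <shell>: print sftp-only | no-login | interactive | unlisted
classify_shell() {
    shell=$1
    if [ "$shell" = "$SFTP_SERVER" ]; then
        echo sftp-only            # SFTP works, no interactive shell is spawned
    elif [ "$shell" = /bin/false ] || [ "$shell" = /sbin/nologin ]; then
        echo no-login             # SFTP fails too: the shell exits before running sftp-server
    elif printf '%s\n' "$SAMPLE_SHELLS" | grep -qxF -- "$shell"; then
        echo interactive          # full shell access, review whether this user needs it
    else
        echo unlisted             # shell not in /etc/shells; ftp daemons will reject it
    fi
}

# audit_passwd: print "<login> <classification>" for every account with uid >= 1000.
audit_passwd() {
    printf '%s\n' "$SAMPLE_PASSWD" | while IFS=: read -r login _ uid _ _ _ shell; do
        [ "$uid" -ge 1000 ] || continue
        printf '%s %s\n' "$login" "$(classify_shell "$shell")"
    done
}

sftp_shell_listed && echo "sftp-server is listed in /etc/shells"
audit_passwd
```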

jhetrick62
29th May 2007, 01:56 AM
As for regular ftp use, I just create a user with a shell of /bin/false and that solves all problems. They can ftp but they get no shell to log into if they attempt to telnet or ssh.

I don't know how it relates to sftp as I don't use that.

Jeff

105547111
29th May 2007, 02:08 AM
Hi Jeff,

Thanks for the reply. If you want to use SFTP, the user does require some valid shell login to authenticate them. I already tried /bin/false; they don't get to log in, as the user has no shell access :(

I want to block port 21 on the server, so everyone is forced to use SFTP. However I don't want to give out a shell access that could be exploited.

I do run plesk, and they provide a:
/usr/local/psa/bin/chrootsh

However I have read it still can be exploited.

It's a matter of having very restricted shell access. That is why I was asking about /usr/libexec/openssh/sftp-server; it seems it's very 'standard' on just about all Linux distributions and it's said to be very secure, but I'd like to hear what others have found or know.

Cheers,

David

jhetrick62
29th May 2007, 02:14 AM
David,

It makes sense that you have to have a valid shell, or how would you be logged in on ssh in order to use sftp? Good luck on your feedback.

Jeff