  1. #1
    Join Date
    Mar 2003
    Location
    Fairfax, CA
    Posts
    52

    Which is worse -- Client shell access, or Client FTP?

    I seem to have come to an awkward spot. I would rather not give shell access to all clients. And I would rather have clients only upload files using secure means.

    Yet it appears that -- at least on my windows machine -- if I try to use the secure methods WinSCP or SSH, they will only connect if I've granted the account shell access.

    This seems like a forced choice between poor security to the left, or poor security to the right.

    My office machines are still Win95, so cannot test the WS_FTP in this regard. Current versions can do SSH, but will not run on Win95.

    Does anybody know a way to transfer files securely, to an account which does not have shell access?

    If not, and I must choose one of these two evils, which path is the lesser evil?
    -- Arthur Cronos from Voltos
    =============================================================
    The Bloggard, Un Hombre Blogisto -- http://www.bloggard.com
    Your loch ness monster, your yeti, your bigfoot. Bah! I've seen worse.
    =============================================================

  2. #2
    Use rsync, or make ssh sessions chrooted.

    Miha.
    Powered by AMD & FreeBSD.
    "Documentation is like sex:
    when it is good, it is very, very good;
    and when it is bad, it is better than nothing."

  3. #3

    Hmmm ...

    Hi, miha,

    I have used rsync regularly, but then my accounts have shell access, and ssh works fine with that.

    I don't know what 'make ssh sessions chrooted' means.

    And what I need to discover is what to tell my *customers*, who will largely be using windows and mac boxes, to use.

    If rsync runs on windows, I'm not aware of that.

    Are there any of these things that you could advise me on?
    -- Arthur Cronos from Voltos

  4. #4
    Google for scponly.
    Dr. Colin Percival, FreeBSD Security Officer
    Online backups for the truly paranoid: http://www.tarsnap.com/

  5. #5

    scponly rules? Looks like it!

    Hi, cperciva,

    Wow, thanks for the pointer to scponly. I have yet to test it, but it looks like an elegant approach --

    The client can manage his account using the cpanel software, and manage whatever settings he needs. (And only installing things I've allowed there.) This cpanel access can be via https, so that's secure enough.

    The client can then have a pseudo-shell limited only to scp uploads/downloads, and ls to see what's there.

    Perfect! I'm going to test it out.
    -- Arthur Cronos from Voltos

  6. #6
    Join Date
    Dec 2002
    Location
    London
    Posts
    179
    chroot means changing the "root", i.e. /, of the filesystem for a user id. FTP servers do it all the time.

    e.g. you have a user called tester whose home directory is in /home/tester

    you can "chroot" so that /home/tester appears to be "/" for that user, i.e. they cannot get access outside their home directory to mess other things up.

    google for chroot and you'll see what I mean

    good luck
    hololi
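
Added example, not part of any post in this thread: one way to get the setup discussed above (encrypted file transfer, no shell, user confined to the home directory) with OpenSSH's built-in SFTP server rather than scponly. It assumes an OpenSSH server that supports `ChrootDirectory`; the group name `sftponly`, the `/home/%u` layout and the `upload` directory are assumptions.

```conf
# /etc/ssh/sshd_config fragment (constructed example)

# Serve SFTP from inside sshd itself, so the chroot needs no
# binaries, libraries or device nodes copied into it.
Subsystem sftp internal-sftp

# Keep Match blocks at the end of the file: everything after a
# Match line applies only to matching users until the next Match.
Match Group sftponly
    # %u expands to the login name, so "tester" is locked into
    # /home/tester and sees it as "/".
    # sshd refuses the login unless this directory and every
    # parent directory are owned by root and not writable by
    # group or others. Give the client a writable subdirectory
    # instead, e.g. /home/tester/upload owned by tester.
    ChrootDirectory /home/%u

    # Ignore whatever command or shell the client asks for and
    # run the SFTP server only. The account's login shell can
    # then be a non-interactive one such as nologin.
    ForceCommand internal-sftp

    # Close the other ways an SSH account can be used besides
    # file transfer.
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
```

Running `sshd -t` after the edit checks the file for errors before the daemon is reloaded. Clients such as WinSCP connect over SFTP with this configuration even though the account has no usable shell.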
