03-27-2003, 09:57 PM #1 Junior Guru Wannabe
- Join Date
- Mar 2003
- Location
- Fairfax, CA
- Posts
- 52
Which is worse -- Client shell access, or Client FTP?
I seem to have come to an awkward spot. I would rather not give shell access to all clients. And I would rather have clients only upload files using secure means.
Yet it appears that -- at least on my Windows machine -- if I try to use the secure methods WinSCP or SSH, they will only connect if I've granted the account shell access.
This seems like a forced choice between poor security to the left, or poor security to the right.
My office machines are still Win95, so cannot test the WS_FTP in this regard. Current versions can do SSH, but will not run on Win95.
Does anybody know a way to transfer files securely, to an account which does not have shell access?
If not, and I must choose one of these two evils, which path is the lesser evil?
-- Arthur Cronos from Voltos
=============================================================
The Bloggard, Un Hombre Blogisto -- http://www.bloggard.com
Your loch ness monster, your yeti, your bigfoot. Bah! I've seen worse.
=============================================================
-
03-28-2003, 01:58 AM #2 Web Hosting Master
- Join Date
- Feb 2002
- Posts
- 985
Use rsync, or make ssh sessions chrooted.
Miha.
Powered by AMD & FreeBSD.
"Documentation is like sex:
when it is good, it is very, very good;
and when it is bad, it is better than nothing."
-
03-28-2003, 02:04 AM #3 Junior Guru Wannabe
Hmmm ...
Hi, miha,
I have used rsync regularly, but then my accounts have shell access, and ssh works fine with that.
I don't know what 'make ssh sessions chrooted' means.
And what I need to discover is what to tell my *customers*, who will largely be using Windows and Mac boxes, to use.
If rsync runs on Windows, I'm not aware of that.
Are there any of these things that you could advise me on?
-- Arthur Cronos from Voltos
-
03-28-2003, 02:58 AM #4 Web Hosting Master
- Join Date
- Jan 2001
- Posts
- 2,605
Google for scponly.
Dr. Colin Percival, FreeBSD Security Officer
Online backups for the truly paranoid: http://www.tarsnap.com/
-
03-28-2003, 12:24 PM #5 Junior Guru Wannabe
scponly rules? Looks like it!
Hi, cperciva,
Wow, thanks for the pointer to scponly. I have yet to test it, but it looks like an elegant approach --
The client can manage his account using the cpanel software, and manage whatever settings he needs. (And only installing things I've allowed there.) This cpanel access can be via https, so that's secure enough.
The client can then have a pseudo-shell limited only to scp uploads/downloads, and ls to see what's there.
Perfect! I'm going to test it out.
-- Arthur Cronos from Voltos
-
03-28-2003, 01:01 PM #6 Junior Guru
- Join Date
- Dec 2002
- Location
- London
- Posts
- 179
chroot means changing the "root", i.e. /, of the filesystem for a user id. FTP servers do it all the time.
e.g. you have a user called tester whose home directory is in /home/tester
you can "chroot" so that /home/tester appears to be "/" for that user, i.e. they cannot get access outside their home directory to mess other things up.
google for chroot and you'll see what I mean
good luck
hololi
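
An added example, not part of any post in this thread: a small audit that reads a passwd-format file and reports which client accounts still have a full login shell and which are limited to file transfer through scponly, the split the thread settles on. The sample accounts, the UID cut-off of 1000 for client accounts and the scponly install path are assumptions made for the example.

```shell
#!/bin/sh
# Sample passwd-format content, constructed for this example.
# The scponly path below is an assumed install location.
sample_passwd() { cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
tester:x:1001:1001:constructed client:/home/tester:/bin/bash
uploader:x:1002:1002:constructed client:/home/uploader:/usr/local/bin/scponly
parked:x:1003:1003:constructed client:/home/parked:/usr/sbin/nologin
blank:x:1004:1004:constructed client:/home/blank:
EOF
}

# classify_accounts PASSWD_FILE [MIN_UID]
# Prints "user:verdict" for every account with UID >= MIN_UID
# (default 1000, an assumed boundary between system and client accounts).
classify_accounts() {
    awk -F: -v min="${2:-1000}" '
        /^#/ || NF < 7 { next }      # skip comments and malformed lines
        $3 + 0 < min   { next }      # skip system accounts
        {
            # Judge by the basename so the install prefix does not matter.
            n = split($7, parts, "/"); base = parts[n]
            # scponlyc is the chrooted variant shipped with scponly.
            if (base == "scponly" || base == "scponlyc") v = "transfer-only"
            else if (base == "nologin" || base == "false") v = "no-login"
            # Anything unrecognised, including an empty shell field (which
            # means the default shell), is reported as a full shell.
            else v = "FULL-SHELL"
            print $1 ":" v
        }' "$1"
}

# count_full_shell PASSWD_FILE [MIN_UID]
# Prints the number of client accounts that can still get a full shell.
count_full_shell() {
    classify_accounts "$@" | grep -c ':FULL-SHELL$' || true
}

tmp=$(mktemp) && sample_passwd > "$tmp"
classify_accounts "$tmp"
echo "accounts with a full shell: $(count_full_shell "$tmp")"
rm -f "$tmp"
```

Run against a copy of the real passwd file, any line marked FULL-SHELL is an account that still needs its shell changed before it is upload-only.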