On Thu, Mar 27, 2003 at 09:28:18PM -0800, Roy Lindauer wrote:
> Okay. Some questions with sftp etc...
> 2. Can I limit the users to certain directories? i.e., /var/www/html/their.sytes.net?
Using a chroot you can do this. I've been using the jail tools which make it easy to set stuff up:
http://www.gsyc.inf.uc3m.es/~assman/jail/index.html
In the proftpd configuration file, there is an option to automatically 'chroot' the user by setting "DefaultRoot ~". From a usability perspective, the user will log on with their username/password:hostname with whatever client and see "/" as their only directory choice.
From the administrator's view, they just have to allow the user FTP access, and they will be set to go. No shell accounts to worry about ("/bin/false").
The jail scripts mentioned above seem to create a subset of the directory structure to truly 'chroot' the user into their own space, but when they log in, they will see "/home/username" as their current directory. If they hit the 'up' button, they may get lost or confused.
The administrator must create shell accounts, add the user to the jail, and somehow synchronize the password files if they change over time. Then, create a jail for each user? Share jail space between users? Who knows what the best answer is here.
--
Anyway, I would love to be able to leave FTP behind for good, and it is getting closer to that time with the excellent client tools available.
In the meantime, by using a well-written daemon (like proftpd), forcing passive mode to avoid bounce attacks, and not caring about data confidentiality (for public web material anyway), it seems like the main vulnerability is that a web page may be defaced (by intercepting a username/password in the clear, uploading malicious files).
--
Like Mark B., I think from a security standpoint, FTP must go. But don't forget the grandmothers out there.
References

http://www.sans.org/rr/malicious/FTP_hole.php (bounce attack)
http://winscp.vse.cz/eng/ (WinSCP2)
http://www.appgate.com/mindterm/ (Java SSH/SCP/SFTP client)
-- David Davis
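A proftpd.conf fragment that puts the "DefaultRoot ~" setup, the /bin/false accounts and the bounce-attack point from the post together in one place. This is an added illustration, not configuration from the post or from the proftpd project; the group names, passive port range and timeouts are assumed values, and each account's home directory is assumed to be its site directory (such as /var/www/html/their.sytes.net from the question).

```apacheconf
# proftpd.conf fragment: confine each FTP user to their own web directory.
# Illustration only; "webusers", "wheel", the passive range and the
# timeouts are assumptions, not values taken from the post.

ServerType      standalone
Port            21
Umask           022

# Accounts are created with the shell set to /bin/false, as the post
# suggests. proftpd refuses such logins by default (the shell must be
# listed in /etc/shells), so relax that check for FTP-only accounts.
RequireValidShell   off

# Chroot every user into their home directory at login; the user then
# sees "/" as the top of the tree. "!wheel" leaves administrators
# unconfined (assumed group name).
DefaultRoot         ~ !wheel

# Only members of the FTP-only group may log in at all.
<Limit LOGIN>
  AllowGroup  webusers
  DenyAll
</Limit>

# Bounce-attack mitigation: refuse PORT/EPRT commands that name an
# address other than the client's own, so the server cannot be used to
# open data connections to third parties.
AllowForeignAddress off

# Pin the passive data-connection range so a firewall can permit exactly
# these ports and nothing else (range is an assumption).
PassivePorts        49152 65534

# Limit how long a session can sit around once a password is in use.
MaxLoginAttempts    3
TimeoutIdle         300
TimeoutNoTransfer   300
```

None of this addresses the remaining problem the post names, the username/password travelling in the clear; that is what moving to SFTP/SCP fixes.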
