Re: [SLUG] Re: Remote scp access

2004-11-11 Thread Michael Fox
On Tue, 09 Nov 2004 16:13:11 +1100, Michael Lake [EMAIL PROTECTED] wrote:
> I had a look at rssh. Apparently it does not handle WinSCP.
> To get a GUI win client for rssh the above site suggests
> using FileZilla which I have downloaded and will try.
>
> Also one problem with scponly is that to use the chroot features you
> have to make it suid and the authors warn of this.


FileZilla ain't a bad ftp client, although recently I found it didn't
handle the downloading of a 4GB+ file. Not sure if they fixed it in
next versions. I never had time to report it and follow it up.

Basically downloading a Fedora DVD ISO I found that once the download
was complete it would just stop and not remove the file from the
queue. So you'd think it got stopped for other reasons and resume (at
which time you'd then continue downloading the file via resume and
make it appended to the finished file). If only it completed/removed
the download from the queue section.
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html


Re: [SLUG] Re: Remote scp access

2004-11-11 Thread Michael Lake
Michael Fox wrote:
> FileZilla ain't a bad ftp client, although recently I found it didn't
> handle the downloading of a 4GB+ file. Not sure if they fixed it in
> next versions. I never had time to report it and follow it up.
>
> Basically downloading a Fedora DVD ISO I found that once the download
> was complete it would just stop and not remove the file from the
> queue. So you'd think it got stopped for other reasons and resume (at
> which time you'd then continue downloading the file via resume and
> make it appended to the finished file). If only it completed/removed
> the download from the queue section.

Yeah, I downloaded it for Windows and it looks OK. I see it can use sftp
which I gather is ftp tunnelled via ssh. If I used fzilla I'm not really
sure then what ftp server package I need at the server end. Is it a
normal ftpd setup to go through ssh?

One prob I also found with using scponly is that if a user does try a
command in the Windows scp client which scponly 'disallows' then the
Windows scp client just hangs. Not the most useful response and
confusing to a user.

> On Tue, 09 Nov 2004, Michael Lake [EMAIL PROTECTED] wrote:
>> I had a look at rssh. Apparently it does not handle WinSCP.
>> To get a GUI win client for rssh the above site suggests
>> using FileZilla which I have downloaded and will try.
>>
>> Also one problem with scponly is that to use the chroot features you
>> have to make it suid and the authors warn of this.
--
Michael Lake
Chemistry, Materials & Forensic Science, UTS
Ph: 9514 1725 Fx: 9514 1460

--
UTS CRICOS Provider Code:  00099F
DISCLAIMER: This email message and any accompanying attachments may contain
confidential information.  If you are not the intended recipient, do not
read, use, disseminate, distribute or copy this message or attachments.  If
you have received this message in error, please notify the sender immediately
and delete this message. Any views expressed in this message are those of the
individual sender, except where the sender expressly, and with authority,
states them to be the views the University of Technology Sydney. Before
opening any attachments, please check them for viruses and defects.


[SLUG] Re: Remote scp access

2004-11-08 Thread Michael Lake
Ian Wienand wrote:
> On Tue, Nov 09, 2004 at 10:07:20AM +1100, Michael Lake wrote:
>> 4. Other ways ?
>> What's the easiest way to allow the new user to use Windows scp but not
>> browse the filesystem. Reading up on chroot jails it seems that they
>> are not trivial to set up.
>
> I deleted the previous parts of this thread but this question got me
> interested; it is not hard to do this with scponly.
> http://www.sublimation.org/scponly/
> I run it inside a separate chroot, although it has its own options to
> chroot itself.  It's not that hard to set up.  If you set up a ssh
> chroot following some vague instructions like
> http://www.gelato.unsw.edu.au/IA64wiki/DebianSSHChroot

Thanks, I just had a look at scponly and it seems like it's just what I
need. Also looked at the summary for chroot jail on debian at gelato. I
think the scponly is easiest and simplest and I'll test that out first.

Mike
--
Michael Lake
Chemistry, Materials & Forensic Science, UTS
Ph: 9514 1725 Fx: 9514 1460



Re: [SLUG] Re: Remote scp access

2004-11-08 Thread mlh
On Tue, Nov 09, 2004 at 11:11:08AM +1100, Michael Lake wrote:
> Thanks, I just had a look at scponly and it seems like it's just what I
> need. Also looked at the summary for chroot jail on debian at gelato. I
> think the scponly is easiest and simplest and I'll test that out first.

Just for completeness you might look at

http://rssh.sourceforge.net/

and while you're at it, perhaps log everything as well:

http://sftplogging.sourceforge.net/

Matt



Re: [SLUG] Re: Remote scp access

2004-11-08 Thread Michael Lake
[EMAIL PROTECTED] wrote:
> On Tue, Nov 09, 2004 at 11:11:08AM +1100, Michael Lake wrote:
>> Thanks, I just had a look at scponly and it seems like it's just what I
>> need. Also looked at the summary for chroot jail on debian at gelato. I
>> think the scponly is easiest and simplest and I'll test that out first.
>
> Just for completeness you might look at
> http://rssh.sourceforge.net/

I had a look at rssh. Apparently it does not handle WinSCP.
To get a GUI win client for rssh the above site suggests
using FileZilla which I have downloaded and will try.

Also one problem with scponly is that to use the chroot features you
have to make it suid and the authors warn of this.

Mike
--
Michael Lake
Chemistry, Materials & Forensic Science, UTS
Ph: 9514 1725 Fx: 9514 1460



Re: [SLUG] Re: Remote scp access

2004-11-08 Thread Ian Wienand
On Tue, Nov 09, 2004 at 04:13:11PM +1100, Michael Lake wrote:
> Also one problem with scponly is that to use the chroot features you
> have to make it suid and the authors warn of this.

Which is why I installed it in a separate ssh chroot; but I have the
luxury of having full access and carte-blanche control over what I do
to the box.

FWIW, I've even done some hacking on it and I didn't see anything that
raised my alarm bells, and with a known, generally trusted user base
(like people you work with) I'd be happy to run it suid.  If you trust
your users enough that you'd give them shell access if they asked, but
are limiting them to scp more to protect themselves, you'd probably be
fine running it with its internal chroot too.  If you're giving out a
key to anyone who asks, wrap up ssh in an extra chroot to be sure.

As has been mentioned far too often in the last few days, security is
not a one-fits-all solution.

-i

