On Tue, Sep 05, 2006 at 12:04:07PM -0500, Mark Holden wrote: > I forgot to mention that we're using RHEL AS3 (currently at update 8) > and RHEL AS4 (currently at update 4). Does scponly support these > distributions?
rssh does. > >From a quick read of the scponly web page: > > - it seems to indiate that SFTP will work as well--is that actually the > case? Yes. It also does with rssh. > - it appears to require a chroot'd environment. I can't speak for scponly; but rssh does not require chroot, though it does support chroot. > - I assume this would be a patched to the openssh package? Or is it > simply installing the scponly shell on the system and pointing that user > id at that shell in /etc/passwd? With both scponly and rssh, it is the latter. > By the way, the pizzashack reference seems to indicate that there are > security risks, so that concerns me. Does "scponly" have security risks > as well? There are security issues with rssh, only if you do not follow the directions carefully. The biggest issue is that with older versions of OpenSSH, there is no way to prevent a user from creating their own environment file on the server, which allows them to run arbitrary commands when they connect via ssh, thus defeating rssh (and scponly). This is not a design flaw in rssh, but an unavoidable interaction with older versions of OpenSSH. There is a solution, which I have documented, but it's kind of a pain in the a$$. The second biggest reason is that in order to chroot(2), you need root privileges. If you are careful to set it up properly, there are no known problems. The trouble is, many sysadmins just want to get things up and running quickly, don't read the documentation, and don't realize they have misconfigured things in a way which can lead to a compromize. I say this is only second, because there are no known bugs or expliots for the current code, and after careful review of the code, I don't believe there ever will be any found again (he says nervously). ^^; The third biggest reason is that people really really wanted CVS support in rssh, so I gave it to them. But CVS supports "triggers", which can be used to run arbitrary programs, so rssh can be circumvented. However, that can be prevented if the sysadmin configures a chroot jail and disallows the execution of programs on the filesystem where the jail lives. This is a documented issue, as is the solution... I will say I wrote rssh in part because I thought Joe's approach to scponly was more complicated and hard to audit, making it potentially more risky and easier to miss bugs in the code which might allow a root compromize or circumvention. Both rssh and scponly do essentially the same thing; so both suffer equally from the issues above. However scponly allows the user to do more, so it may have additional issues which rssh does not. I designed rssh to be very restrictive from the beginning, in order to minimize the number of issues that needed to be considered to get the design right. The code for rssh is compact and simple, specifically to make problems easier to avoid in the first place, and to find when they do occur. At the time I wrote rssh, scponly had certain weaknesses which rssh was designed specifically to avoid. In truth though, both programs have had their share of security issues in the past, as a search on securityfocus will reveal. My suggestion to anyone trying to choose between the two is to get both, read the documentation for both, and if possible read the code; then make up your own mind. Obviously I think my program is better and safer, or I would not have written it. ;-) -- Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0x81CFE75D
pgpLSR2Eq0IHR.pgp
Description: PGP signature
