On Tue, Nov 09, 2004 at 04:13:11PM +1100, Michael Lake wrote:
> Also one problem with scponly is that to use the chroot features you 
> have to make it suid and the author warns of this.

Which is why I installed it in a separate ssh chroot; but I have the
luxury of having full access and carte-blanche control over what I do
to the box.

FWIW, I've even done some hacking on it and I didn't see anything that
raised my alarm bells, and with a known, generally trusted user base
(like people you work with) I'd be happy to run it suid.  If you trust
your users enough that you'd give them shell access if they asked, but
are limiting them to scp more to protect themselves, you'd probably be
fine running it with its internal chroot too.  If you're giving out a
key to anyone who asks, wrap up ssh in an extra chroot to be sure.

As has been mentioned far too often in the last few days, security is
not a one-fits-all solution.

-i

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
