scp and sftp

To: debian-security@lists.debian.org
Subject: scp and sftp
From: Jon McCain <jmccain@davlong.com>
Date: Sat, 30 Mar 2002 22:24:28 -0500
Message-id: <[🔎] 3CA6816C.A52691B1@davlong.com>

I've been playing around with the scp and sftp components of putty and
noticed what I consider a security hole.  Winscp does the same thing. 
The user can change to directories above their home.  Is there a way to
chroot them like you can in an ftp config file?  I don't see anything in
the sshd config files.  If you can't, how can I disable the scp
functionality?  I'm not talking about scp from the linux box.  The users
don't have shell access so that's not a problem.  I'm referring to
remote people using a scp client to access my linux machine.  You can
disable sftp ability by removing the sftp-server program but the scp
server part seems to be part of sshd.

I did not see anything about this issue on the openssh web site. 
Anybody got any suggestions?


-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: scp and sftp
  - From: Junichi Uekawa <dancer@netfort.gr.jp>
- Re: scp and sftp
  - From: "Christian G. Warden" <cwarden@xerus.org>
- Re: scp and sftp
  - From: Mark Janssen <maniac@maniac.nl>
- Re: scp and sftp
  - From: Emmanuel Lacour <elacour@easter-eggs.com>
- Re: scp and sftp
  - From: "ambarish pathak" <ambarish@codito.com>

Prev by Date: Re: on potato's proftpd
Next by Date: Re: scp and sftp
Previous by thread: Re: on potato's proftpd
Next by thread: Re: scp and sftp
Index(es):
- Date
- Thread