Re: scp and sftp
On Sun, 2002-03-31 at 05:24, Jon McCain wrote:
> I've been playing around with the scp and sftp components of putty and
> noticed what I consider a security hole. Winscp does the same thing.
> The user can change to directories above their home. Is there a way to
> chroot them like you can in an ftp config file? I don't see anything in
> the sshd config files. If you can't, how can I disable the scp
> functionality? I'm not talking about scp from the linux box. The users
> don't have shell access so that's not a problem. I'm referring to
> remote people using a scp client to access my linux machine. You can
> disable sftp ability by removing the sftp-server program but the scp
> server part seems to be part of sshd.
There is a chroot patch for SSH. You can find it in the Bug tracking
system (I added it there a few weeks ago).
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=139047&repeatmerged=yes
If you apply that patch to your SSHd and modify the /etc/passwd file by
using the special token '/./' in the user's homedir he will be chrooted
at the token.
Example:
joeuser:x:1099:1099:Joe Random User:/home/joe/./:/bin/bash
Now joeuser will be chrooted to /home/joe
This works for SSH and SCP / SFTP etc of course.
Mark Janssen
>
> I did not see anything about this issue on the openssh web site.
> Anybody got any suggestions?
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
--
Mark Janssen Unix / Linux, Open-Source and Internet Consultant @
SyConOS IT
E-mail: mark(at)markjanssen.nl / maniac(at)maniac.nl GnuPG Key Id:
357D2178
Web: Maniac.nl Unix-God.[Net|Org] MarkJanssen.[com|net|org|nl]
SyConOS.[com|nl]
--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: