Re: chrooted SFTP and FTP with writable root?
Hi Stephen,
Steven.Post@intris.be wrote:
> (Please CC me, I'm not subscribed)
;-)
> Does anyone have something similar where both sftp and ftp access is
> enabled to a chroot, and writable, not just subdirectories?
Why allow ftp when sftp is available?
I use an scponlyc setup with the passwd file having a home path as
follows:
/home/chroot-username//own-writeable-directory
This places sftp [and WinSCP for that matter] into the directory that is
owned by the user by default, they can traverse up, but their "real"
home directory must not be writable for the reasons you know.
To make it stronger, you can require the login to use a key file rather
than a normal password -- the key file should have a good pass phrase
set up by the user (or you if you don't trust them to make it secure
enough).
Personally, I don't allow password logins in this situation as a rule
and I also add the user to the ssh group and require them to belong in
the group to get access at all. Furthermore, I limit access with
/etc/hosts.deny and /etc/hosts.allow to restrict which machines are
allowed in (knowing the static IP [required] of the end user).
--
Kind Regards
AndrewM
Andrew McGlashan
Broadband Solutions now including VoIP
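
The home-path layout described in the message above can be checked mechanically. The following is an added example, not part of the original post: it audits passwd entries that use scponlyc for the `//` start-directory marker, a chroot root the user cannot write to, and a start directory the user owns. The `audit` function, the sample entries and the stat values are constructed for illustration.

```python
import os
import stat
from typing import Callable, List, Tuple

# Constructed passwd(5) entries; names, UIDs and paths are illustrative.
SAMPLE_PASSWD = """\
alice:x:1001:1001::/home/chroot-alice//incoming:/usr/sbin/scponlyc
bob:x:1002:1002::/home/chroot-bob:/usr/sbin/scponlyc
carol:x:1003:1003::/home/chroot-carol//incoming:/usr/sbin/scponlyc
"""

# Constructed (owner uid, mode) pairs standing in for os.stat() results.
SAMPLE_FS = {
    "/home/chroot-alice": (0, 0o040755),
    "/home/chroot-alice/incoming": (1001, 0o040750),
    "/home/chroot-bob": (0, 0o040755),
    "/home/chroot-carol": (1003, 0o040755),  # chroot root owned by the user
    "/home/chroot-carol/incoming": (1003, 0o040750),
}

def real_stat(path: str) -> Tuple[int, int]:
    """Default lookup against the live filesystem."""
    st = os.stat(path)
    return st.st_uid, st.st_mode

def audit(passwd_text: str,
          stat_fn: Callable[[str], Tuple[int, int]] = real_stat) -> List[str]:
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[6].endswith("scponlyc"):
            continue  # only accounts whose shell is scponlyc
        user, uid, home = fields[0], int(fields[2]), fields[5]
        # Text before '//' is the chroot root, text after it the start directory.
        chroot, sep, start = home.partition("//")
        if not sep or not start.strip("/"):
            findings.append(f"{user}: no '//' start directory in home path")
            continue
        root_uid, root_mode = stat_fn(chroot)
        # Conservative: any group/other write bit counts as writable.
        if (root_uid == uid and root_mode & stat.S_IWUSR) or \
                root_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{user}: chroot root {chroot} is writable")
        start_uid, _ = stat_fn(os.path.join(chroot, start.strip("/")))
        if start_uid != uid:
            findings.append(f"{user}: start directory not owned by user")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_FS.__getitem__):
        print(finding)
```

Calling `audit(open("/etc/passwd").read())` with the default `stat_fn` runs the same checks against the live system.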