SFTP
 
Home Help Login Register
*
Welcome, Guest. Please login or register. January 10, 2009, 12:46:32 AM


Login with username, password and session length


Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: SFTP  (Read 1035 times)
0 Members and 1 Guest are viewing this topic.
John Peck
Global Moderator
Senior Member
*****
Posts: 46
« Reply #4 on: July 27, 2007, 04:43:24 PM »
Quote
...access for example to /tmp, what I require is that this user can not pass to another directory...

The solution is to use "Rsh" as the user's shell in /etc/passwd:
fred:!:123:456::/tmp:/usr/bin/Rsh

SFTP, like SSH, as for telnet etc, uses this shell, and Rsh cannot "cd".

If you can't then login, there are most likely problems with your /etc/profile and .profile syntax being invalid in Rsh terms.

Directory permissions work best downward, not very useful in stopping upward cd, indeed altering permissions from / down can stop anyone logging in by any means !  Make sure you're still logged in as root while you test some of these things, just in case you lock yourself out.

Note by the way, where as telnet and normal local login follow such things as AIX's ADMCHG flag in /etc/security/passwd, SSH doesn't.  I found that very handy the other day when I had locked myself out of a system by changing the password for another user, a user that can't change their own password (ADMIN flag) and yet was required to reach root with su as no direct root login is allowed.  SSH let me in regardless to change the offending user's password.  The underlying point being, all this fancy encryption is one thing, having big holes all round the edges is another.
Logged
Michael
Administrator
Hero Member
*****
Posts: 539
« Reply #3 on: July 26, 2007, 03:38:15 PM »
as far as i know both ftp and sftp allow a user to move about using regular permissions.

So basicalkly, you solution will be to setup very restrictive group permissions on your directories. John has more experience with the kind of policy that you need to define and setup.

What you will to focus on is the meaning of the permission bits for directory.

R means you can read the directory: sort of like looking thru a glassdoor with the loght on. You can see the objects.

W means you put new objects (files/directories) in the directory, and remove those you know the exact name of (assuming you have no R access).

X means access: in particular --x this means you can access the directory (or open the door) but there is no light. If you know the name of an object you can access it if the object permission bits allow it (i.e. --x gives you access to objects you know or can guess, you cannot list all objects). The X bit is also known as the SEARCH bit, as it permits the SEARCH of directories included in a PATH variable for a program to execute. Again, whether a program can actually be executed depends on it's permissions, not those of the directory.

It can be quite confusing initially. I suggest you make some directories and files and change the permissions.

Lastly: if you are the OWNER, only the owner bits are valid.
If you are not the owner, but are a GROUP member, only the group bits are valid
Otherwise the OTHER bits are valid.

Initially, try to not depend on the use of ACL's - unless this is for a single user only. ACL's are very complex to manage.
Logged
sergio56
New Member
*
Posts: 3
« Reply #2 on: July 26, 2007, 02:27:51 PM »
if that in + / - the error, is in a system AIX 5.2, when me logon with the user csergio in a graphic modalida has access for example to /tmp, what I require is that this user can not pass to another directory.   
   
Thank you for the support.
Logged
Michael
Administrator
Hero Member
*****
Posts: 539
« Reply #1 on: July 26, 2007, 10:33:08 AM »
Google Translation....

Very Good, because vereis I have a problem with SFTP and to see if they can help me… is the following thing: I have a servant to whom it is possible to be acceded by means of SFTP, the problem is that the user can see all the disc of the servant when this inside. As it could avoid this. With FTP this does not happen because the single user sees his directory outside home as if the root of the machine. Sure FTP then encripta password and is not worth to me. I have proven with chroot and I have not obtained that it works. Greetings and Thanks beforehand.

So What I am understanding here is that you are having a problem with the differences between FTP anonoymous accounts (which have a chroot performed automatically) and sftp which logs the user in a regular user.

So before continuing, I would like to be sure that I have understood your question, and if so, when using ftp (e.g. filezilla) does the user see only his own files, or can he/she access the regular root.

Are you using FTP from UNIX, AIX, Windows, Linux, or something else? same for SFTP.

regards,
Michael
Logged
sergio56
New Member
*
Posts: 3
« on: July 18, 2007, 10:16:42 PM »
Muy Buenas, pues vereis tengo un problema con SFTP y a ver si me pueden ayudar...
Se trata de lo siguiente:
Tengo un servidor al que se puede acceder mediante SFTP, el problema es que el
usuario puede ver todo el disco del servidor cuando esta dentro. ¿Como podría
evitar esto?. Con FTP no pasa esto pues el usuario solo ve su directorio home
como si fuera el raiz de la maquina. Pero claro FTP pues no encripta password y
no me vale. He probado con chroot y no he conseguido que funcione.

Saludos y Gracias de antemano.
Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.2 | SMF © 2006-2007, Simple Machines LLC

Valid XHTML 1.0! Valid CSS! Dilber MC Theme by HarzeM
Page created in 1.214 seconds with 18 queries.

FastPath

HowTo
New in AIX6
RBAC
Security
WPAR
Service Bulletins

InfoCenters

AIX 6.1
AIX 5.3
AIX 5.2
AIX 5.1
- - - - - - -
Fix Central
HMC Downloads
IBM Firmware/LIC
VIOS Support
- - - - - - -
Hardware Documents
PowerHA (HACMP)
Tivoli Manuals
- - - - - - -
IBM Training



eXTReMe Tracker
Terms of Use and Privacy and Security Policies
Copyright 2001-2008 Michael Felt and ROOTVG.NET