but what about ssh, sftp and things like fb_realpath
Authored by: hamarkus on Aug 26, '03 03:10:00PM

I followed the same instructions some time ago (using the binary), and it worked as advertised. But one problem is that if remote login is enabled, every ftp user can ssh or sftp into your computer and will not be restricted to his home directory anymore.

Another question is what happens if Apple updates the ftp server via an OS or security update (remember the fb_realpath() function)?
Possibility A:
nothing gets changed/fixed - good in that ftpchroot still works, bad in that you are vulnerable but thinking things were fixed
Possibility B:
you are back to Apple's implementation - good in that security holes are fixed, bad in that ftpchroot does not work anymore, which you probably will not realise for quite some time
Possibility C:
update breaks everything

If you would choose proftp, who is going to tell you about fb_realpath()-function-like security holes in it?
And reading through the comments of the hint mentioned in the first comment, I am asking myself whether proftp really is such an easy thing to install.



but what about ssh, sftp and things like fb_realpath
Authored by: wyvern on Aug 26, '03 03:34:42PM

Edit your /etc/sshd_config and add a line at the end like so:

AllowUsers username_you_want_to_allow

(Or, if it's easier to deny... DenyUsers username_to_deny)



but what about ssh, sftp and things like fb_realpath
Authored by: tsaar on Aug 26, '03 03:51:42PM

Ah, that's right.
Maintaining these things is hard work.

BTW, there are ways to restrict ftp-users from logging in via SSH
(you either redirect their shells to /dev/null or you just drop a line in the config file sshd_config, something like
AllowUsers username
DenyUsers username).
I personally gave up on it. I disabled ssh (cos I don't need it)
and I allow ftp from certain IPs only, which may not be enough, but I've decided it's enough for me.

There was this really cool script that I used that created ftp-only users (no login, either via SSH or to the machine itself, chroot jail, etc.) but it ceased to work after...an update.



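The AllowUsers/DenyUsers suggestion in the replies above can be checked mechanically after every OS or security update. The following is an added example, not code from any poster in this thread: it reads sshd_config text and lists which FTP-only accounts sshd would still admit. The sample config, the account names and the function names are constructed for illustration, and the check assumes only the global AllowUsers/DenyUsers lines matter (Match blocks, AllowGroups/DenyGroups and login shells are not evaluated).

```python
import re

# Constructed sample config and account list, not taken from the thread.
SAMPLE_SSHD_CONFIG = """\
# /etc/sshd_config (constructed sample)
Port 22
DenyUsers ftpguest upload*
AllowUsers admin backup@192.0.2.10
"""
FTP_ONLY_USERS = ["ftpguest", "upload1", "webdrop", "backup"]

def parse_user_rules(config_text):
    """Collect AllowUsers/DenyUsers patterns from the global section."""
    rules = {"allowusers": [], "denyusers": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        keyword = parts[0].lower()            # sshd keywords are case-insensitive
        if keyword == "match":                # assumption: Match blocks are ignored
            break
        if keyword in rules:
            rules[keyword].extend(parts[1:])  # repeated lines accumulate
    return rules

def _matches(user, pattern):
    """sshd-style wildcard match: '*' is any run of characters, '?' is one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, user) is not None

def ssh_may_admit(user, rules):
    """True if the user rules could let `user` in from at least one host."""
    # DenyUsers is evaluated first. A USER@HOST deny covers one host only,
    # so it is not counted as a full block.
    for pat in rules["denyusers"]:
        if "@" not in pat and _matches(user, pat):
            return False
    allow = rules["allowusers"]
    if not allow:
        return True                           # no AllowUsers: anyone not denied
    # A USER@HOST allow entry still admits the user from that host.
    return any(_matches(user, pat.split("@", 1)[0]) for pat in allow)

def exposed_ftp_users(config_text, ftp_users):
    """FTP-only accounts that sshd would still accept."""
    rules = parse_user_rules(config_text)
    return [u for u in ftp_users if ssh_may_admit(u, rules)]

if __name__ == "__main__":
    print(exposed_ftp_users(SAMPLE_SSHD_CONFIG, FTP_ONLY_USERS))
```

Running it against the real config after each update catches the case where an update silently replaces sshd_config and the FTP accounts regain SSH and sftp access.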