Security Basics mailing list archives

RE: sftp vs ftp with ssl


From: Glenn English <ghe () slsware com>
Date: 08 Aug 2003 16:06:50 -0600

On Fri, 2003-08-08 at 14:27, Skibi de LaPies wrote:

> OK, that's not a problem, but when they have shell (/bin/sh) they can
> work remotely (that is not what I want) and when they do not have an
> interactive shell (entry in /etc/passwd shows /bin/false) they cannot
> login either to ssh or sftp.

No, they can't. To access a machine through ssh, there must be a valid
username, password, home directory, and shell. 

ssh is nothing more than a fancy telnet/rsh, and it has to be possible
for the user to operate the machine before the ssh daemon can complete
the connection. And sftp rides on ssh.

> Maybe I'm doing something wrong, because I use the default sftp
> service which is in OpenSSH (/etc/ssh/sshd_config):
>
>     Subsystem sftp /usr/libexec/openssh/sftp-server
>
> Maybe I should install a normal ftp server? (but the security case
> then?)

A normal ftp server wouldn't work either, and for the same reason. The
ftp daemon logs you in (that works fine with no /bin/false as a shell),
and then starts a shell to run its fileserver - that's where things
fail.

> My ideal solution would be: leave /usr/bin/passwd as shell, access for
> users to their ftp accounts through sftp (client may be putty psftp.exe
> or something).
>
> How to achieve it?

I could never be considered a *nix guru, but I don't think it can be
done using 'regular' components. What you need is either a special
program that acts enough like a shell to make ssh happy, or a file
serving daemon that doesn't use a shell.

In other words, I don't know.

-- 
Glenn English
ghe () slsware com
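The "file serving daemon that doesn't use a shell" Glenn describes is what later OpenSSH releases ship as `internal-sftp`. The script below is an added example, not code from this thread or from OpenSSH itself: it assumes OpenSSH 4.9 or later (where `Match`, `ChrootDirectory` and `ForceCommand internal-sftp` exist), and the group name `sftponly` and chroot path `/srv/sftp` are illustrative choices. With `ForceCommand internal-sftp`, sshd serves files in-process and never runs the account's login shell, so the `/bin/false` entry in `/etc/passwd` can stay while sftp works and interactive ssh does not.

```shell
#!/bin/sh
# Added example (not from the thread): sftp-only accounts with OpenSSH >= 4.9.
# Group name "sftponly" and chroot path "/srv/sftp" are assumptions.

# Emit an sshd_config fragment for a group of sftp-only users.
# internal-sftp runs inside sshd, so the login shell in /etc/passwd is never
# executed; /bin/false or nologin is fine for these accounts.
sftp_only_match_block() {
    group="$1"   # e.g. sftponly
    chroot="$2"  # e.g. /srv/sftp (must be root-owned, not group/other writable)
    cat <<EOF
# sftp-only users: no shell, no forwarding, confined to ${chroot}
Match Group ${group}
    ChrootDirectory ${chroot}
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# sshd refuses a ChrootDirectory unless it (and every parent component) is
# owned by root and not writable by group or others. This checks one
# directory's mode string and owner as "ls -ld" prints them, so the logic
# is testable without a real root-owned directory. 0 = acceptable, 1 = not.
chroot_perms_ok() {
    mode="$1"    # e.g. drwxr-xr-x (a trailing + or . for ACL/SELinux is allowed)
    owner="$2"   # e.g. root
    [ "$owner" = "root" ] || return 1
    case "$mode" in
        d????-??-?*) return 0 ;;  # char 6 (group w) and char 9 (other w) both off
        *)           return 1 ;;
    esac
}

# Run the check on a real path; fields from ls -ld are: mode links owner group ...
check_chroot_dir() {
    dir="$1"
    set -- $(ls -ld "$dir")
    chroot_perms_ok "$1" "$3"
}

# Usage: ./sftp-only.sh demo
if [ "${1:-}" = "demo" ]; then
    sftp_only_match_block sftponly /srv/sftp
    check_chroot_dir /srv/sftp && echo "chroot ok" || echo "chroot NOT ok"
fi
```

Append the emitted block to the end of sshd_config (a `Match` block stays in effect until the next `Match`, so anything placed after it would apply only to that group), run `sshd -t` to syntax-check before reloading, and keep the chroot itself read-only for the user with a writable subdirectory owned by them.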

