RE: sftp vs ftp with ssl

["Skibi de LaPies" <lapies () poczta onet pl>]

-----Original Message-----
From: Glenn English [mailto:ghe () slsware com]
Sent: Friday, August 08, 2003 3:09 AM
To: security-basics () securityfocus com
Subject: RE: sftp vs ftp with ssl


On Thu, 2003-08-07 at 16:30, Skibi de LaPies wrote:

> I may very well be missing something here, but isn't anonymous sftp kind
> of an oxymoron?
- It sure is :-) But it's not that case, details follow:

> The users would have to log in - just like they do with ftp. They're
> logged in, but they don't get a shell.
OK, that's not a problem, but when they have shell (/bin/sh) they can work
remotely (that is not what I want) and when they do not have a interactive
shell (entry in /etc/passwd shows /bin/false) they cannot login either to
ssh or sftp.

Maybe I'm doing something wrong, because I use the default sftp service
which is in OpenSSH:
(/etc/ssh/sshd_config)Subsystem       sftp
/usr/libexec/openssh/sftp-server
Maybe i should install a normal ftp server? (but the security case then?)

My ideal solution would be: leave /usr/bin/passwd as shell, access for users
to their ftp accounts through sftp (client may be putty psftp.exe or
something).

How to achieve it?

bests
vermin




---------------------------------------------------------------------------
----------------------------------------------------------------------------