If you have root jailed users by configuring the ftpaccess file, but have ssh installed, all they have to do is sftp in and go wherever they want. It's a relief to know that at least they can't grab the shadow file too.

I just found a quick way to disable this, however: in the /etc/ssh/sshd_config, comment out the line:

Subsystem sftp /usr/libexec/openssh....

On Tue, 26 Nov 2002, Randy Kelsoe wrote:

> Ed Wilts wrote:
>
> >In many cases, ftp is *more* secure than sftp. With ftp, you have a lot
> >of control over who can do what through the ftpaccess file (in wu-ftpd).
> >With sftp, it's a free-for-all.
> >
> >In very practical terms, the odds of anybody being able to sniff
> >passwords these days is very slim. The odds of somebody grabbing your
> >passwd file if they've got sftp access to your system are much larger.
> >
> Maybe we could discuss this off-list. I don't see how sftp is a
> 'free-for-all', unless it is configured to bypass the user login and
> password.
> Default RedHat installation requires a username and a password for sftp
> connections. A normal user could grab my passwd file, but not the shadow
> passwd file, so I don't see how that would do them much good.
>
> I am not a security expert, nor a cracker/hacker. I would like to learn
> more, so if you have some time, please email me privately and elaborate.
>
> rk

--
Psyche-list mailing list
Psyche-list@redhat.com
https://listman.redhat.com/mailman/listinfo/psyche-list
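
A check for the change described in the message above, as an added example that is not part of the original post: it lists any uncommented `Subsystem sftp` directive still present in an sshd_config file. The sample configs are constructed, and `/path/to/sftp-server` is a placeholder because the post truncates the real path.

```shell
#!/bin/sh
# Added example: report whether an sshd_config file still enables the sftp subsystem.

# Print "LINENO: directive" for each uncommented "Subsystem sftp" line in FILE.
# The keyword is matched case-insensitively and an "=" after it is tolerated.
# Include directives are not followed, so run this on each included file too.
sftp_subsystem_lines() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }     # strip leading whitespace
        line == "" || line ~ /^#/ { next }          # blank line or comment
        {
            kw = line;   sub(/[ \t=].*$/, "", kw)   # first word = keyword
            rest = line; sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", rest)
            split(rest, arg, /[ \t]+/)              # arg[1] = subsystem name
        }
        tolower(kw) == "subsystem" && arg[1] == "sftp" { print NR ": " line }
    ' "$1"
}

# Exit status 0 if FILE enables sftp, 1 if it does not.
sftp_enabled() {
    [ -n "$(sftp_subsystem_lines "$1")" ]
}

# Constructed sample configs; /path/to/sftp-server is a placeholder path.
sample_dir=$(mktemp -d)
cat > "$sample_dir/enabled.conf" <<'EOF'
Port 22
# Subsystem sftp /path/to/old-sftp-server
  subsystem   sftp /path/to/sftp-server
EOF
cat > "$sample_dir/disabled.conf" <<'EOF'
Port 22
#Subsystem sftp /path/to/sftp-server
EOF

for f in "$sample_dir"/*.conf; do
    if sftp_enabled "$f"; then
        echo "$f: sftp subsystem ACTIVE"
        sftp_subsystem_lines "$f"
    else
        echo "$f: sftp subsystem disabled"
    fi
done
```

sshd reads its configuration at startup, so an edit to the file only takes effect once the daemon is restarted or reloaded.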