Actually, I just successfully ftpd as root and fetched /etc/shadow with sftp.

> -----Original Message-----
> From: Justin Zygmont [mailto:jzygmont@solarflow.dyndns.org]
> Sent: Tue, November 26, 2002 7:26 PM
> To: Randy Kelsoe
> Cc: psyche-list@redhat.com
> Subject: Re: Seeing who is logged in through ftp and ssh
>
>
> If you have root jailed users by configuring the ftpaccess file, but have
> ssh installed, all they have to do is sftp in and go wherever they want.
> It's a relief to know that at least they can't grab the shadow file too.
>
> I just found a quick way to disable this however, in the
> /etc/ssh/sshd_config comment out the line:
> Subsystem sftp /usr/libexec/openssh....
>
>
> On Tue, 26 Nov 2002, Randy Kelsoe wrote:
>
> > Ed Wilts wrote:
> >
> > >In many cases, ftp is *more* secure than sftp. With ftp, you have a lot
> > >of control over who can do what through the ftpaccess file (in wu-ftpd).
> > >With sftp, it's a free-for-all.
> > >
> > >In very practical terms, the odds of anybody being able to sniff
> > >passwords these days is very slim. The odds of somebody grabbing your
> > >passwd file if they've got sftp access to your system are much larger.
> > >
> > Maybe we could discuss this off-list. I don't see how sftp is a
> > 'free-for-all', unless it is configured to bypass the user login and
> > password.
> > Default RedHat installation requires a username and a password for sftp
> > connections. A normal user could grab my passwd file, but not the shadow
> > passwd file, so I don't see how that would do them much good.
> >
> > I am not a security expert, nor a cracker/hacker. I would like to learn
> > more, so if you have some time, please email me privately and elaborate.
> >
> > rk
>
> --
> Psyche-list mailing list
> Psyche-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/psyche-list
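
The sshd_config change mentioned in the thread (commenting out the `Subsystem sftp` line) can be audited and applied with a short script. This is an added example, not code from any poster in the thread; the function names, the sample config and the `/path/to/...` placeholder paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find and comment out an active
# "Subsystem sftp" line. Keywords in sshd_config are case-insensitive and may
# be indented, so a naive grep anchored on "Subsystem" can miss a live entry.

# Constructed sample config; the /path/to/... values are placeholder paths.
sample_config() {
    cat <<'EOF'
# constructed sample, not a real system's sshd_config
Port 22
#Subsystem sftp /path/to/old-sftp-server
  subsystem   sftp  /path/to/sftp-server
Subsystem other /path/to/other-helper
EOF
}

# Print the active (uncommented) sftp subsystem lines of file $1.
active_sftp_lines() {
    awk 'tolower($1) == "subsystem" && $2 == "sftp"' "$1"
}

# Exit status 0 if file $1 leaves the sftp subsystem enabled, 1 otherwise.
sftp_enabled() {
    [ -n "$(active_sftp_lines "$1")" ]
}

# Print file $1 with every active sftp subsystem line commented out.
disable_sftp() {
    awk 'tolower($1) == "subsystem" && $2 == "sftp" { print "#" $0; next }
         { print }' "$1"
}

# Demo on the constructed sample: audit, harden a copy, audit again.
demo_dir=$(mktemp -d)
sample_config > "$demo_dir/sshd_config"
sftp_enabled "$demo_dir/sshd_config" && echo "before: sftp subsystem enabled"
disable_sftp "$demo_dir/sshd_config" > "$demo_dir/sshd_config.hardened"
sftp_enabled "$demo_dir/sshd_config.hardened" || echo "after: sftp subsystem disabled"
rm -rf "$demo_dir"
```

sshd reads its configuration at startup, so an edited file only takes effect once the daemon is restarted or told to reload.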