Re: Seeing who is logged in through ftp and ssh

On Tue, Nov 26, 2002 at 02:04:13PM -0600, Randy Kelsoe wrote:
> Justin Zygmont wrote:
> 
> >If you have root jailed users by configuring the ftpaccess file, but have 
> >ssh installed, all they have to do is sftp in and go wherever they want.  
> >It's a relief to know that at least they can't grab the shadow file too. 
> >
> >I just found a quick way to disable this however, in the 
> >/etc/ssh/sshd_config comment out the line: 
> >Subsystem  sftp  /usr/libexec/openssh....
> >
> Ok, you've got me confused. I did not think the ftpaccess file had 
> anything to do with sftp.  My ftpaccess file is the default, and it does 
> not allow root ftp access. Yet, I can sftp to another machine as root.

The answer depends on which ftp server you run, but wu-ftpd typically
includes root in /etc/ftpusers - this is the list of users that are not
allowed to ftp in.

The default for sshd is to allow root users - this is defined in
/etc/ssh/sshd_config - see the PermitRootLogin parameter.
 
> Yes, a non-root user can go anywhere they want. But try this:
> 
> (as a non-root user):
> 
> sftp some_host_name
> sftp> cd /var/log
> sftp> get messages

This depends on the permissions on the messages file.  Linux, by
default, allows no world read.  Solaris, on the other hand, does.  When
I tried it on my Linux system I got a permission denied, which is
correct for the default configuration.

It's also interesting to note that by default, wu-ftpd will log the
security violation attempt but sftp won't.  You can make as many
attempts to hunt around and see what files you are allowed to transfer,
and in fact transfer everything, and the sysadmin will never know what
you've done.  wu-ftpd, on the other hand, logs every transfer and
transfer attempt.

Why people insist on stating that sftp is more secure than ftpd is
beyond me.  There's a heck of a lot more to security than just passing
along a password in clear text (which in the vast majority of
installations is not practically sniffable anyway).

        .../Ed
-- 
Ed Wilts, Mounds View, MN, USA
mailto:ewilts@ewilts.org
Member #1, Red Hat Community Ambassador Program
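The two sshd_config points raised in this exchange (the default for PermitRootLogin, and disabling sftp by commenting out the Subsystem line) are easy to check by hand, but a small script makes the check repeatable. The following is an added example written for this page; it is not code from the original post or from OpenSSH. The two config texts are constructed samples; the default of "yes" for PermitRootLogin is the default the post describes for sshd of that era (later OpenSSH releases changed it), and the path to sftp-server is an assumption taken from the quoted line. The world-readable check uses ls -l rather than stat(1) because stat's flags differ between Linux and Solaris/BSD, which matters for the /var/log/messages comparison made above.

```shell
#!/bin/sh
# Added example: audit the sshd_config settings discussed in this thread.
# Not part of the original post. Sample configs below are constructed.

# Constructed sample: the stock layout the post complains about.
# PermitRootLogin is commented out, so sshd's default applies.
SAMPLE_CONFIG='# sshd_config (constructed sample)
Port 22
#PermitRootLogin yes
Subsystem       sftp    /usr/libexec/openssh/sftp-server
'

# Constructed sample: root login refused, sftp subsystem disabled
# by commenting out the Subsystem line, as the quoted reply suggests.
HARDENED_CONFIG='# sshd_config (constructed hardened sample)
Port 22
PermitRootLogin no
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
'

# effective_setting CONFIG_TEXT KEYWORD DEFAULT
# Prints the value of the first active (uncommented) KEYWORD line, or
# DEFAULT when no such line exists. Keywords are case-insensitive in
# sshd_config, and sshd uses the FIRST value it sees for a keyword, so
# only the first match counts. Match blocks are not handled (assumption:
# a plain global config, as in the thread).
effective_setting() {
    _val=$(printf '%s\n' "$1" \
        | grep -i "^[[:space:]]*$2[[:space:]]" \
        | head -n 1 \
        | awk '{print $2}')
    if [ -z "$_val" ]; then
        printf '%s\n' "$3"
    else
        printf '%s\n' "$_val"
    fi
}

# sftp_subsystem_enabled CONFIG_TEXT
# Succeeds (exit 0) when an uncommented "Subsystem sftp ..." line exists,
# i.e. when sftp is still reachable despite any ftpaccess chroot.
sftp_subsystem_enabled() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]'
}

# world_readable PATH
# Succeeds when the "other" read bit is set. Column 8 of ls -l output is
# that bit (e.g. -rw-r--r--), and this parse is portable across the
# Linux/Solaris difference the post describes.
world_readable() {
    case "$(ls -ld "$1" | cut -c8)" in
        r) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_sshd_config CONFIG_TEXT
# One-line summary of the two settings the thread cares about.
audit_sshd_config() {
    _root=$(effective_setting "$1" PermitRootLogin yes)
    if sftp_subsystem_enabled "$1"; then _sftp=enabled; else _sftp=disabled; fi
    printf 'PermitRootLogin=%s sftp=%s\n' "$_root" "$_sftp"
}

# Stand-alone run: compare the two constructed configs, then check the
# log file the post uses as its example, if this host has one.
audit_sshd_config "$SAMPLE_CONFIG"     # prints: PermitRootLogin=yes sftp=enabled
audit_sshd_config "$HARDENED_CONFIG"   # prints: PermitRootLogin=no sftp=disabled
if [ -e /var/log/messages ]; then
    if world_readable /var/log/messages; then
        echo "/var/log/messages is world-readable (fetchable over sftp by any user)"
    else
        echo "/var/log/messages is not world-readable"
    fi
fi
```

To audit a live system, pass the file contents in, e.g. `audit_sshd_config "$(cat /etc/ssh/sshd_config)"`. Commenting out the Subsystem line is the blunt fix the thread proposes; the logging gap the post describes was addressed in later OpenSSH releases, where sftp-server accepts `-l INFO` on the Subsystem line to syslog each transfer, so on a modern host that is the alternative to disabling sftp outright.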



-- 
Psyche-list mailing list
Psyche-list@redhat.com
https://listman.redhat.com/mailman/listinfo/psyche-list