RE: logging file names with sftp

> -----Original Message-----
> From: listbounce@xxxxxxxxxxxxxxxxx 
> [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Greg Wooledge
> Sent: Friday, September 04, 2009 12:13 PM
> To: secureshell@xxxxxxxxxxxxxxxxx
> Subject: Re: logging file names with sftp
> 
> On Thu, Sep 03, 2009 at 11:26:57AM -0500, Derek Martin wrote:
> > The logging of individual file transfers arguably buys you very little
> > though, because the users are legitimate users who are authenticated.
> > This is generally quite a different situation from FTP installations,
> > where often the users are anonymous
> 
> If I understand correctly, many people run an sftp service which is
> essentially an encrypted, NAT-capable version of anonymous FTP.  They
> offer files (or file hosting space) to a large group of barely-trusted
> people, and want to limit or track abuse of the service.
> 
> The encryption may be used to prevent spying upon the traffic by
> people outside the group.
> 
> The ability of sftp to sit behind a NAT firewall (which FTP cannot do --
> not with a straight NAT without special hacks) may be essential to
> many sites.
> 
When one of our technicians or engineers accesses one of our
embedded systems in the field, we have no reasonable expectation
of privacy.  All sensitive data on the system belongs to someone
else.  We need to be trusted, but also accountable.  We have gone
to great lengths to make it impractical for even an authorized
user to steal others' information.  Having logs that we cannot tamper
with is one more layer of security, mostly to help track who compromised
the system if they do find a way around the other layers.  It is
also an industry requirement, and our products are audited by independent
firms to verify that we do in fact log accesses.

I have not yet enabled SFTP, but most likely will in the future, with
logging of all file accesses turned on.

