
sftp Newbie Questions!

From: Andrew McCall <it.andrew.mccall(at)oldham.gov.uk>
Date: Wed Jun 25 2003 - 06:22:01 EDT


Hi,

(This email *does* have SSH questions - I promise you! :) ) I have just posted my scenario as it helps to understand the questions I am asking at the bottom.

I am implementing a project to offer a free "drop-box" service for all the schools in our area, and these are the basic requirements.

Server Requirements


o The sftp should only be accessed by a single IP address (the server has multiple IPs, and SSH is already used for other things on other IPs)
o Upon login a message must be displayed giving a warning and some instructions on who to contact should they run into problems

User Requirements


o Each school can read and write files in their own directory
o Each school can write files into others' home directories, but they can't view or overwrite other schools' files
o A single administrator can read and write into all schools' directories
o The users should only be able to navigate /exports/sftp/ and should be "jailed" to that directory.
o Schools only have sftp access, and no real shell.

I can do all this really easily with a normal ftp daemon such as ProFTPd or vsFTPd; however, due to the nature of the files, they have to be transferred in an encrypted manner. I presumed (first mistake!) that sftp was just a normal ftpd tunneled through SSL and that it would be easy to set up.


Now after a few days of searching the net, and a few hours of reading O'REILLY's SSH : The Secure Shell, I realise that I am wrong :)

So here are my questions:

1) How can I display a login message?

I was thinking about wrapping sftp-server in a script that echoes my message, then runs sftp-server, but I don't know if this is possible or how secure this is.

2) How can I "jail" users to /exports/sftp?

I am not too sure if this is possible....

3) Am I correct in thinking that all my user-level security is done via normal file permissions?

4) Can I bind sftp-server to a single IP address, but still leave "normal" SSH running on all other IP addresses? If it's not, is there any way of installing and running a second instance of OpenSSH that only allows sftp connections? (I don't think there is, due to the way that sftp works.)

I could either use the firewall to block ports/IP's (as I will be doing anyway) so this isn't that important....


Thanks in advance for any help offered.

-- 
Andrew McCall 
Oldham Metropolitan Borough Council



**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.

www.oldham.gov.uk
**********************************************************************
Received on Wed Jun 25 12:09:21 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:03:00 EDT
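The four questions above map onto a directory layout plus an sshd_config fragment. The script below is an added example written for this archive page; it is not from the original mail and not OpenSSH project code, and it relies on features that post-date the 2003 question (ChrootDirectory, Match with LocalAddress, internal-sftp with -u). Assumed names: chroot root /exports/sftp, Unix group sftponly for the school accounts, group sftpadmin for the administrator, and 192.0.2.10 as the address reserved for the drop-box service.

```shell
#!/bin/sh
# Added example, not part of the original mail or of OpenSSH itself.
# Assumed: chroot root /exports/sftp, group "sftponly" for school accounts,
# group "sftpadmin" for the administrator, 192.0.2.10 as the drop-box address.
set -eu

# Lay out the directory tree. Plain permission bits, not sshd, enforce who
# may read, drop and delete files (question 3).
make_dropbox_tree() {
    root="$1"; shift
    # sshd refuses a ChrootDirectory that is not root-owned and 0755 or
    # stricter, so nobody but root may write at the top level.
    mkdir -p "$root"
    chmod 0755 "$root"
    for school in "$@"; do
        d="$root/$school"
        mkdir -p "$d"
        # 3773 = setgid + sticky + rwxrwx-wx:
        #   owner (the school)  rwx  reads and writes its own files
        #   group (sftpadmin)   rwx  administrator reads and writes everything
        #   others (schools)    -wx  may drop a file but cannot list the directory
        #   sticky              only a file's owner (or root) may delete/rename it
        #   setgid              dropped files inherit the sftpadmin group
        chmod 3773 "$d"
    done
    # When run as root, also chown root:root "$root" and, per school,
    # chown "$school:sftpadmin" "$root/$school" (assumed group names).
}

# Print the sshd_config fragment answering questions 1, 2 and 4.
dropbox_sshd_config() {
    cat <<'EOF'
# School accounts reaching the drop-box address get a jailed, sftp-only
# session. Keys live outside the chroot: StrictModes rejects an
# authorized_keys file under a directory that other users can write to.
Match Group sftponly LocalAddress 192.0.2.10
    AuthorizedKeysFile /etc/ssh/authorized_keys/%u
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    Banner /etc/ssh/dropbox-banner.txt
    ChrootDirectory /exports/sftp
    ForceCommand internal-sftp -u 027
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no

# Same accounts on any other address. sshd keeps the first value it saw for
# each keyword, so this block only changes anything away from 192.0.2.10,
# where it leaves the accounts with no usable authentication method.
Match Group sftponly
    AuthorizedKeysFile /dev/null
    PasswordAuthentication no
    KbdInteractiveAuthentication no
EOF
}

# Octal mode of a path, including the setgid/sticky bits (GNU/busybox stat).
dir_mode() { stat -c '%a' "$1"; }
```

Typical use as root: `make_dropbox_tree /exports/sftp schoolA schoolB`, then append `dropbox_sshd_config` to sshd_config, run `sshd -t` to check the syntax, and restart sshd. Two caveats a reviewer would raise: the Banner is sent before authentication, which is the only place sftp can show a message (there is no post-login banner for a non-shell session); and with the umask of 027 a file that school B drops into school A's directory ends up as 0640 owned by B with group sftpadmin, so the administrator can read it but A cannot, which is the limit of plain Unix permissions and the point where a POSIX default ACL on each school directory would be needed.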

