Hi Rob,

You set up what's called a 'chroot jail'. With a chroot jail, the SSH server can treat /ftp/custx as if it's the "start" of the file system for "custx". So when "custx" logs on, he sees only the "fromus" and "tous" directories, and as far as he's concerned, nothing else on the system exists.

Exit programs have a chance of having "holes" in them (bugs in the code that can be exploited to bypass security.) A chroot jail is far less likely to have a bug like that. (But, on the other hand, it's also less flexible, because you can't write code to do whatever you want with it.)

-SK



On 4/23/2012 6:48 AM, rob@xxxxxxxxx wrote:
The security concerns I have are documented here:
http://archive.midrange.com/security400/200609/msg00048.html

For example, you allow cust X to download from /ftp/custx/fromus and
upload to /ftp/custx/tous. With regular ftp and the proper exit point I
can easily do this. How does one do this restriction with sftp? Does one
have to secure every single object to *public *exclude including all of
/qsys.lib? I suspect that may cause issues.

Or am I missing what can be done by digging further into
<snip>
The default configuration also does not have any AllowUsers, AllowGroups,
DenyUsers or DenyGroups.
In fact, it does not even contain traces for these directives, leaving the
clueless iSeries admin to search unix man pages for information about ssh
security.
</snip>


Rob Berendt


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.