Maybe it's time to get rid of tcpwrappers/tcpd?

Reindl Harald h.reindl at thelounge.net
Mon Mar 24 12:23:30 UTC 2014


On 24.03.2014 13:21, Florian Weimer wrote:
> On 03/24/2014 01:06 PM, Reindl Harald wrote:
> 
>> On 24.03.2014 12:57, Nicolas Mailhot wrote:
>>> On Sat, 22 March 2014 01:20, Miloslav Trmač wrote:
>>>
>>>> The RHEL documentation, apart from fully describing the abilities,
>>>> specifically describes two uses: a ftpd banner
>>>
>>> Surprisingly, ftp is still widely used enterprise-side, because ssh is
>>> giving too much access
>>
>> no, it is easy to restrict ssh to ONLY sftp and chroot and with
>> simple bind-mounts you can completely replace ftp, doing that here
>> in production over years with 3 simple scripts
> 
> It's still very difficult to securely process uploaded files under a different user account.  Some SFTP clients set
> restrictive permissions on upload, and the OpenSSH implementation does not allow bypassing that.

man umask

[root at rh:/downloads]$ cat /etc/ssh/sshd_config  | grep internal-sftp
Subsystem sftp internal-sftp -u 006
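
An added example (not part of the original message) showing how a umask such as the `-u 006` above combines with the mode requested when a file is created. It assumes the upload is created with open(2) using the mode the client asks for; the function names and the sample modes are constructed for illustration.

```python
import os
import stat
import tempfile


def created_mode(requested_mode, mask):
    """Create a file with open(2) under `mask` and return its permission bits."""
    old = os.umask(mask)  # umask is process-wide, so restore it afterwards
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "upload.bin")
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL,
                         requested_mode)
            try:
                # Read the mode back from the kernel rather than computing it.
                return stat.S_IMODE(os.fstat(fd).st_mode)
            finally:
                os.close(fd)
    finally:
        os.umask(old)


def survey(mask=0o006):
    """Map each requested mode to the mode the file actually gets."""
    # Constructed sample of modes a client might request at upload time.
    requested = [0o666, 0o644, 0o600]
    return {oct(r): oct(created_mode(r, mask)) for r in requested}


if __name__ == "__main__":
    for req, got in survey().items():
        print(f"requested {req} -> created {got}")
```

The resulting mode is the requested mode with the umask bits cleared, so a umask can remove permissions from what the client requests but cannot add any.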
