[FUGSPBR] RES: [FUGSPBR] limitando acesso aos diretórios com sftp
Marcello Silva Coutinho
marcelloc em trf1.gov.br
Qui Dez 5 18:08:44 BRST 2002
Pessoal,
Eu achei este este pacote no ports:
http://www.freebsd.org/cgi/url.cgi?ports/shells/scponly/pkg-descr
Ainda não testei, mas eu acho que resolve.
Este pacote alem de permitir chroot, ele impede comandos no sistema.
Ideal para banir uploads via ftp sem ter que liberar um shell para o
usuário.
att,
Marcello Silva Coutinho
features:
logging: scponly logs time, client IP, username, and the actual request to
syslog
chroot: scponly can chroot to the user's home directory, disallowing access
to the rest of the filesystem.
sftp compatibility. my testing of sftp against an acponly user worked great.
this is probably the cleanest and most usable way for an scponly user to
access files. (of course, sftp is not ssh1 compatible.)
WinSCP 2.0 compatibility
rsync compatibility as a compile time option
gFTP compatibility.
security checks
what it is:
"scponly" is an alternative 'shell' (of sorts) for system administrators who
would like to provide access to remote users to both read and write local
files without providing any remote execution priviledges. Functionally, it
is best described as a wrapper to the "tried and true" ssh suite of
applications.
A typical usage of scponly is in creating a semi-public account not unlike
the concept of anonymous login for ftp. This allows an administrator to
share files in the same way an anon ftp setup would, only employing all the
protection that ssh provides. This is especially significant if you consider
that ftp authentications traverse public networks in a plaintext format.
Instead of just a single anon user, scponly supports configuring potentially
many users, each of which could could be set up to provide access to
distinct directory trees. Aside from the installation details (see INSTALL),
each of these users would have their default shell in /etc/passwd set to
"/usr/local/sbin/scponly" (or wherever you choose to install it). This would
mean users with this shell can neither login interactively or execute
commands remotely. They can however, scp files in and out, governed by the
usual unix file permissions
_______________________________________________________________
Sair da Lista: http://www2.fugspbr.org/mailman/listinfo/fugspbr
Historico: http://www4.fugspbr.org/lista/html/FUG-BR/
Mais detalhes sobre a lista de discussão freebsd