Enabling SSH only for ftp (not for telnet possible) ? - SSH


  1. Enabling SSH only for ftp (not for telnet possible) ?

    I want to offer encrypted ftp transfers to my server for some users.
    The user should be able to use (win)scp to transfer files to my server.

    However it is often said that granting SSH access is a security risk for telnet.

    Hmm, I am not sure. I thought I could grant SSH to a user for only his ftp connections.
    Or does SSH mean: all or nothing: SSH for FTP AND telnet or no SSH at all?

    Do I need full SSH permissions to use scp?

    Peter


  2. Re: Enabling SSH only for ftp (not for telnet possible) ?

    On Sun, 10 Dec 2006 21:43:55 +0000, Peter Meister wrote:

    > I want to offer encrypted ftp transfers to my server for some users.
    > The user should be able to use (win)scp to transfer files to my server.
    >
    > However it is often said that granting SSH access is a security risk for telnet.
    >
    > Hmm, I am not sure. I thought I could grant SSH to a user for only his ftp connections.
    > Or does SSH mean: all or nothing: SSH for FTP AND telnet or no SSH at all?
    >
    > Do I need full SSH permissions to use scp?
    >
    > Peter


    SSH is not Telnet, all communication is encrypted. However if what you are
    worried about are users logging into the system using SSH I'm not sure if
    there is any way to prevent this if you've given them ssh access.

    I have an ssh server for distributing code to my customers. What I did is
    the following,

    I dedicated an old machine (500 MHz PIII) to the task. I did a fairly
    minimal install of Fedora Core to it, basically enough to run ssh and no
    other servers.

    I create an account for each user and I have them send me their
    id_rsa.pub public key which I put in an authorized_keys file. I don't
    allow password access, the only way in is via RSA authentication.

    All of the users' accounts have 700 access privileges so that no user can
    see anything that's in another user's account.

    The public key for my ssh server is not in the authorized keys files for
    any other machine on my LAN, that way you can't ssh from the server to
    another machine (I don't run any legacy services on my machines so ssh is
    the only way to log into them).

    I can ssh into my ssh server from my other machines so I can copy things
    to and from my account on the server so when I do a release I copy the
    release tar.gz files to my account on the ssh server. I then su to root
    and copy the files to the appropriate user accounts, I then do a chmod -R
    700 so that everything in /home is private.

    There is probably a better way to do this, but this works for me and I'm
    confident that it's secure.

  3. Re: Enabling SSH only for ftp (not for telnet possible) ?

    Peter Meister wrote:
    > I want to offer encrypted ftp transfers to my server for some users.
    > The user should be able to use (win)scp to transfer files to my server.
    >
    > However it is often said that granting SSH access is a security risk for telnet.
    >
    > Hmm, I am not sure. I thought I could grant SSH to a user for only his ftp connections.
    > Or does SSH mean: all or nothing: SSH for FTP AND telnet or no SSH at all?
    >
    > Do I need full SSH permissions to use scp?
    >
    > Peter


    Umm. . . SSH is NOT Telnet, those are two very different things. SSH
    is SSH, and telnet is telnet.

    You need a better understanding of the SSH service.


  4. Re: Enabling SSH only for ftp (not for telnet possible) ?

    ["Followup-To:" header set to comp.os.linux.misc.]
    Peter Meister :
    > I want to offer encrypted ftp transfers to my server for some users.
    > The user should be able to use (win)scp to transfer files to my server.
    >
    > However it is often said that granting SSH access is a security risk for telnet.


    What does that mean?

    The goal has been to eliminate the usage of insecure applications
    (telnet, ftp, remote shell) which transmit passwords in cleartext.
    ssh, scp, sftp do that. Why button down ftp when you want to leave
    the telnet door open?

    > Do I need full SSH permissions to use scp?


    Where is this stuff that says giving ssh access is dangerous?


    --
    Any technology distinguishable from magic is insufficiently advanced.
    (*) http://www.spots.ab.ca/~keeling Linux Counter #80292
    - - http://www.faqs.org/rfcs/rfc1855.html Please, don't Cc: me.
    Spammers! http://www.spots.ab.ca/~keeling/emails.html

  5. Re: Enabling SSH only for ftp (not for telnet possible) ?

    General Schvantzkoph writes:

    >On Sun, 10 Dec 2006 21:43:55 +0000, Peter Meister wrote:


    >> I want to offer encrypted ftp transfers to my server for some users.
    >> The user should be able to use (win)scp to transfer files to my server.
    >>
    >> However it is often said that granting SSH access is a security risk for telnet.
    >>
    >> Hmm, I am not sure. I thought I could grant SSH to a user for only his ftp connections.
    >> Or does SSH mean: all or nothing: SSH for FTP AND telnet or no SSH at all?
    >>
    >> Do I need full SSH permissions to use scp?


    No idea what you are talking about. ssh and telnet have nothing to do with
    each other. ssh is a completely different protocol from telnet, and does
    not use telnet in any way, and vice versa.


    >SSH is not Telnet, all communication is encrypted. However if what you are
    >worried about are users logging into the system using SSH I'm not sure if
    >there is any way to prevent this if you've given them ssh access.


    scp IS ssh. It is using ssh to copy a file from one system to the next.
    scp is NOT ftp. There is a thing called sftp which uses the ftp protocol
    with ssh.




    >I have an ssh server for distributing code to my customers. What I did is
    >the following,


    >I dedicated an old machine (500 MHz PIII) to the task. I did a fairly
    >minimal install of Fedora Core to it, basically enough to run ssh and no
    >other servers.


    >I create an account for each user and I have them send me their
    >id_rsa.pub public key which I put in an authorized_keys file. I don't
    >allow password access, the only way in is via RSA authentication.


    >All of the users accounts have 700 access privileges so that no user can
    >see anything that's in another user's account.


    >The public key for my ssh server is not in the authorized keys files for
    >any other machine on my LAN, that way you can't ssh from the server to
    >another machine (I don't run any legacy services on my machines so ssh is
    >the only way to log into them).


    >I can ssh into my ssh server from my other machines so I can copy things
    >to and from my account on the server so when I do a release I copy the
    >release tar.gz files to my account on the ssh server. I then su to root
    >and copy the files to the appropriate user accounts, I then do a chmod -R
    >700 so that everything in /home is private.


    >There is probably a better way to do this, but this works for me and I'm
    >confident that it's secure.


    Sounds fine.

  6. Re: Enabling SSH only for ftp (not for telnet possible) ?

    pmeister2@lycos.com (Peter Meister) (06-12-10 21:43:55):

    > However it is often said that granting SSH access is a security risk
    > for telnet.


    The opposite way. Using Telnet completely eliminates the security
    advantage gained from SSH.


    > Hmm, I am not sure. I thought I could grant SSH to a user for only his
    > ftp connections. Or does SSH mean: all or nothing: SSH for FTP AND
    > telnet or no SSH at all?


    You are free to use anything you want. However, using insecure
    clear-text protocols like Telnet will make the encryption worthless.


    > Do I need full SSH permissions to use scp?


    Yes.


    Regards,
    E.S.

  7. Re: Enabling SSH only for ftp (not for telnet possible) ?

    Peter Meister wrote:
    > I want to offer encrypted ftp transfers to my server for some users.
    > The user should be able to use (win)scp to transfer files to my server.


    You mean SCP or SFTP? To quote wikipedia:

    "A common misconception is that SFTP is simply FTP run over SSH; in fact
    it is a new protocol designed from the ground up by the IETF SECSH
    working group."

    > Hmm, I am not sure. I thought I could grant SSH to a user for only his ftp connections.
    > Or does SSH mean: all or nothing: SSH for FTP AND telnet or no SSH at all?


    If you want to use scp then you're probably out of luck. OTOH, SFTP uses
    SSH only for authentication, so you can set the user to have /dev/null
    as login shell and they cannot log in to the machine at all. Well, this is
    all AFAIU, I haven't tried it myself yet.


    --
    Milan Babuskov
    http://njam.sourceforge.net
    http://swoes.blogspot.com

  8. Re: Enabling SSH only for ftp (not for telnet possible) ?

    Milan Babuskov wrote:
    > If you want to use scp than you're probably out of luck. OTOH, SFTP uses
    > SSH only for authentication, so you can set the user to have /dev/null
    > as login shell and they cannot login into machine at all. Well, this is
    > all AFAIU, I haven't tried it myself yet.


    That doesn't quite work, but what /does/ work is to set the sftp
    application as the login shell.

    You would probably want to have a chroot environment as well, but that's
    quite a bit harder. (Last time I looked, it required a patch to the source
    and a recompile/reinstall. It's a FAQ on the OpenSSH website, I think.)

    Chris

  9. Re: Enabling SSH only for ftp (not for telnet possible) ?

    On 2006-12-10, Peter Meister wrote:

    > I want to offer encrypted ftp transfers to my server for some users.
    > The user should be able to use (win)scp to transfer files to my server.
    >
    > However it is often said that granting SSH access is a security risk
    > for telnet.
    >
    > Hmm, I am not sure. I thought I could grant SSH to a user for only his ftp connections.
    > Or does SSH mean: all or nothing: SSH for FTP AND telnet or no SSH at all?
    >
    > Do I need full SSH permissions to use scp?


    scp and sftp are simply different front-ends to ssh. scp gives ssh a cp
    (*nix "copy") work-alike interface, while sftp gives ssh an ftp-like
    interface. It is still just ssh behind the scenes doing the actual work
    of transferring the files. If ssh, scp, and sftp are invoked by
    different executables (as they are under Cygwin, for example), you could
    simply delete or modify the permissions on the ssh.exe executable to
    deny regular ssh access. WinSCP3 rolls all three functions into a single
    executable, though.

    --

    John (john@os2.dhs.org)

  10. Re: Enabling SSH only for ftp (not for telnet possible) ?

    Peter Meister wrote:
    > I want to offer encrypted ftp transfers to my server for some users.
    > The user should be able to use (win)scp to transfer files to my server.
    >
    > However it is often said that granting SSH access is a security risk for telnet.


    telnet is a particular program that allows a remote user to spawn an
    interactive shell. SSH is a suite of programs that allows a remote user
    to (among other things) spawn an interactive shell. Other than those
    similar purposes, the two programs are not related.

    Any time a remote user accesses a shell is a security risk for the
    systems administrator. For the most part, SSH limits the risk to the
    remote user, not to the systems administrator (ie, it keeps *his*
    privacy but doesn't for the most part address any of *your* security
    concerns other than if he is doing something like su'ing and using the
    root password).

    >
    > Hmm, I am not sure. I thought I could grant SSH to a user for only his ftp connections.
    > Or does SSH mean: all or nothing: SSH for FTP AND telnet or no SSH at all?
    >
    > Do I need full SSH permissions to use scp?


    You don't have to grant any account on your system the right to have a
    shell; let alone remote accounts. One popular solution is to use a
    restricted shell like rssh; another good idea is to place the sftp
    server in a chroot'ed environment (particularly since you'll be allowing
    uploads).

    In short, you don't *need* to let users have access to a (meaningful)
    shell just to let them use scp, *but* you will have to do some
    configuration to make that happen since out of the box sshd's tend to
    assume you want an interactive shell.

    On a final note, unless there is something very sensitive about the
    information they are uploading, this is a solution in search of a
    problem. SSH doesn't add some kind of check against user maliciousness
    or error. All it does is prevent eavesdropping or alteration of the
    information transmitted. If your security concern is from the users
    themselves, SSH doesn't help at all and you need to look at system
    authorizations and permissions instead.

    Weldon

  11. Re: Enabling SSH only for ftp (not for telnet possible) ?

    You are thinking in the wrong context.....

    Just run a sftp server, and it will allow secure ftp connections using
    ssl. You don't need to allow anyone telnet access; disable it
    altogether, or don't give people a shell to log in with.


    On Sun, 10 Dec 2006 21:43:55 +0000, Peter Meister wrote:

    > I want to offer encrypted ftp transfers to my server for some users.
    > The user should be able to use (win)scp to transfer files to my server.
    >
    > However it is often said that granting SSH access is a security risk for telnet.
    >
    > Hmm, I am not sure. I thought I could grant SSH to a user for only his ftp connections.
    > Or does SSH mean: all or nothing: SSH for FTP AND telnet or no SSH at all?
    >
    > Do I need full SSH permissions to use scp?
    >
    > Peter



  12. Re: Enabling SSH only for ftp (not for telnet possible) ?


    Now that everyone has clearly stated the difference between ssh and telnet, I
    think the question could have been; is there a way to enable a secure way to
    transfer files (sftp or scp) without giving users a remote command-line shell,
    using the openssh package.

    Trying to set the user's login shell to /bin/false or /dev/null doesn't work
    either, as the user is not allowed into scp. Maybe a script that interacts with
    the openssh system calls would do the trick.

    I think the openssh devs should address this in their next release. Maybe make
    the sshd_config file add two more directives like:
    DenyShell user1, user2, user3...
    DenyScp user4, user5, user6...
    To allow more fine grained access control. Would this be technically hard to
    program? It seems like every once in a while this feature request pops up.

    Peter Meister wrote:
    > I want to offer encrypted ftp transfers to my server for some users.
    > The user should be able to use (win)scp to transfer files to my server.
    >
    > However it is often said that granting SSH access is a security risk for telnet.
    >
    > Hmm, I am not sure. I thought I could grant SSH to a user for only his ftp connections.
    > Or does SSH mean: all or nothing: SSH for FTP AND telnet or no SSH at all?
    >
    > Do I need full SSH permissions to use scp?
    >
    > Peter
    >


  13. Re: Enabling SSH only for ftp (not for telnet possible) ?

    >>>>> "David" == ~David~ writes:

    David> Now that everyone has clearly stated the difference between ssh
    David> and telnet, I think the question could have been; is there a
    David> way to enable a secure way to transfer files (sftp or scp)
    David> without giving users a remote command-line shell, using the
    David> openssh package.

    David> Trying to set the users login shell to /bin/false or /dev/null
    David> doesn't work either, as the user is not allowed into scp.
    David> Maybe a script that interacts with the openssh system calls
    David> would do the trick.

    David> I think the openssh devs should address this in their next
    David> release. Maybe make the sshd_config file add two more
    David> directives like: DenyShell user1, user2, user3... DenyScp
    David> user4, user5, user6... To allow more fine grained access
    David> control. Would this be technically hard to program? It seems
    David> like every once in a while this feature request pops up.

    It would be easy: all you want to do is allow subsystem requests, but not
    shell or exec requests (this would allow sftp but not scp, which operates
    over an exec channel and hence is more problematic). Some SSH products
    already allow this kind of control, such as VanDyke's SSH server. And I
    seem to recall reading somewhere recently that it is on the roadmap for
    OpenSSH.

    David> Peter Meister wrote:
    >> I want to offer encrypted ftp transfers to my server for some
    >> users. The user should be able to use (win)scp to transfer files
    >> to my server.
    >>
    >> However it is often said that granting SSH access is a security
    >> risk for telnet.
    >>
    >> Hmm, I am not sure. I thought I could grant SSH to a user for only
    >> his ftp connections. Or does SSH mean: all or nothing: SSH for FTP
    >> AND telnet or no SSH at all?
    >>
    >> Do I need full SSH permissions to use scp?
    >>
    >> Peter
    >>


    --
    Richard Silverman
    res@qoxp.net


  14. Re: Enabling SSH only for ftp (not for telnet possible) ?

    In article ~David~
    writes:
    >
    >Now that everyone has clearly stated the difference between ssh and telnet, I
    >think the question could have been; is there a way to enable a secure way to
    >transfer files (sftp or scp) without giving users a remote command-line shell,
    >using the openssh package.
    >
    >Trying to set the users login shell to /bin/false or /dev/null doesn't work
    >either, as the user is not allowed into scp. Maybe a script that interacts with
    >the openssh system calls would do the trick.


    What is needed is just a shell that allows execution of the scp command
    and nothing else - the local scp invokes scp at the remote end, and it
    is done via the user's login shell. Of course such a shell already
    exists, and has been discussed here several times in the past - the
    unsurprising name is 'scponly'.

    --Per Hedeland
    per@hedeland.org

  15. Re: Enabling SSH only for ftp (not for telnet possible) ?

    ~David~ wrote:

    > Trying to set the users login shell to /bin/false or /dev/null doesn't work
    > either, as the user is not allowed into scp. Maybe a script that interacts with
    > the openssh system calls would do the trick.


    How about just adding code to /etc/profile that logs out those users
    immediately? They'll never even get to their own .profile but I think it
    will still allow scp and sftp.

  16. Re: Enabling SSH only for ftp (not for telnet possible) ?

    Peter Meister wrote:
    > I want to offer encrypted ftp transfers to my server for some users.
    > The user should be able to use (win)scp to transfer files to my server.
    >
    > However it is often said that granting SSH access is a security risk for telnet.
    >
    > Hmm, I am not sure. I thought I could grant SSH to a user for only his ftp connections.
    > Or does SSH mean: all or nothing: SSH for FTP AND telnet or no SSH at all?
    >
    > Do I need full SSH permissions to use scp?
    >
    > Peter
    >


    Hello,

    take a look to "http://olivier.sessink.nl/jailkit". It works great. You
    can define the chrooting, the allowed commands and paths for a user or a
    group of users.

    Denis.

  17. Re: Enabling SSH only for ftp (not for telnet possible) ?


    Peter Meister wrote:
    > I want to offer encrypted ftp transfers to my server for some users.
    > The user should be able to use (win)scp to transfer files to my server.
    >
    > However it is often said that granting SSH access is a security risk for telnet.


    SSH is a vastly superior rsh/telnet replacement. Treat it as such.

    > Hmm, I am not sure. I thought I could grant SSH to a user for only his ftp connections.
    > Or does SSH mean: all or nothing: SSH for FTP AND telnet or no SSH at all?
    >
    > Do I need full SSH permissions to use scp?
    >
    > Peter


    Just about. There have been various techniques to limit the risk, such
    as adding arguments to the authorized_keys file entries. I've gotten
    very fond of WebDAV over HTTPS, to provide controllable and manageable
    privileges for user uploads and downloads.
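The "arguments to the authorized_keys file entries" approach is per-key rather than per-account: options in front of a key limit what a session authenticated with that key may do. The script below is an added example, not code from the thread or from OpenSSH: it shows the option prefix that confines a key to SFTP, and an audit that flags bare key lines in an existing file. The key strings in the sample file are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not code from the thread: the "arguments to the
# authorized_keys entries" technique, as a defender would apply and audit it.
# The key strings in the sample file are constructed placeholders, not real keys.

# Return a key line prefixed with options that confine it to SFTP:
# "restrict" (OpenSSH 7.2 and later) turns off pty allocation, port, agent
# and X11 forwarding and user rc files; command="internal-sftp" replaces
# whatever the client asked for with the in-process SFTP server.
restricted_key_line() {
    printf 'restrict,command="internal-sftp" %s\n' "$1"
}

# Print the key lines in an authorized_keys file that carry no options.
# A line that starts with the key type grants whatever the account's login
# shell permits, so for a transfer-only account it is a finding.
unrestricted_keys() {
    while IFS= read -r line; do
        case "$line" in
            ssh-*|ecdsa-*|sk-*) printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# Number of unrestricted key lines in the file.
count_unrestricted_keys() {
    unrestricted_keys "$1" | wc -l | tr -d ' '
}

# Rewrite the file so every bare key line gets the SFTP-only options.
# Comment, blank and already-optioned lines are copied unchanged.
harden_authorized_keys() {
    tmp="$1.tmp.$$"
    while IFS= read -r line; do
        case "$line" in
            ssh-*|ecdsa-*|sk-*) restricted_key_line "$line" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1" > "$tmp"
    mv "$tmp" "$1"
}

# Write a constructed sample file (placeholder key material) to the given path.
write_sample_authorized_keys() {
    cat > "$1" <<'EOF'
# transfer-only customer keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYNOTREAL0000000000000 alice@example.invalid
restrict,command="internal-sftp" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYNOTREAL1111111111111 bob@example.invalid
EOF
}

# Demo when run directly: audit the sample, harden it, audit again.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    write_sample_authorized_keys "$f"
    echo "unrestricted before: $(count_unrestricted_keys "$f")"
    harden_authorized_keys "$f"
    echo "unrestricted after:  $(count_unrestricted_keys "$f")"
    cat "$f"
    rm -f "$f"
fi
```

On an sshd older than 7.2 the word `restrict` is unknown and the key is rejected outright; spell the options out there as `no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="internal-sftp"`. Key options only help for key authentication, so the account still needs password logins disabled, as General Schvantzkoph does on his server.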

