non-login sftp user?

Ed Wilts ewilts at ewilts.org
Tue Feb 24 10:01:35 UTC 2004


On Tue, Feb 24, 2004 at 08:12:02AM -0600, Mike Vanecek wrote:
> It is a shame, because it forces one to use ftp which is quite insecure.

In many cases, ftp is *more* secure than sftp.  With most ftp servers,
you have an excellent ability to limit what the user can and can not do,
such as restricting which directories that they can upload to and which
they can download from.

Many people think that just because your credentials are encrypted,
you're safe.  Well, give me access to a non-root account on a server
with sftp access and I'll DOS you by filling /tmp or /var/tmp.  Perhaps
I'll steal world-readable code that you have a contractual obligation
with a vendor to protect.  Without a strong chroot environment, sftp is
dangerous and gives people a false sense of security.

All that said, I would really, really like a fully-encrypted file
transfer protocol with the functionality and flexibility of wu-ftpd.
And, of course, it has to work through firewalls which ftp/tls doesn't do
well.

-- 
Ed Wilts, Mounds View, MN, USA
mailto:ewilts at ewilts.org
Member #1, Red Hat Community Ambassador Program
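
Added example, not part of the original message: a small auditor for the "sftp without a strong chroot" problem described above. It assumes OpenSSH's `ChrootDirectory` and `ForceCommand internal-sftp` directives, which come from OpenSSH releases later than this 2004 thread; the sample configuration, group names and paths are constructed.

```python
"""Flag sshd_config blocks that force SFTP but leave the account unconfined."""

# Constructed sample: 'partners' is chrooted, 'vendors' is only forced to sftp.
SAMPLE = """\
# constructed sshd_config fragment
Subsystem sftp internal-sftp

Match Group partners
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp

Match Group vendors
    ForceCommand internal-sftp
"""


def parse_blocks(text):
    """Return [(header, {keyword: value})]; the first block is the global section."""
    blocks = [("global", {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()  # sshd_config keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            blocks.append((value, {}))
        else:
            # keep the first value seen for a keyword within a block
            blocks[-1][1].setdefault(key, value)
    return blocks


def unconfined_sftp_blocks(text):
    """List blocks where SFTP is forced but no chroot applies (Match overrides global)."""
    blocks = parse_blocks(text)
    global_opts = blocks[0][1]
    findings = []
    for header, opts in blocks:
        force = opts.get("forcecommand", global_opts.get("forcecommand", ""))
        if not force.startswith("internal-sftp"):
            continue  # not an sftp-only block
        chroot = opts.get("chrootdirectory",
                          global_opts.get("chrootdirectory", "none"))
        if chroot.lower() == "none":
            # user can still browse /tmp, /var/tmp and world-readable files
            findings.append(header)
    return findings


if __name__ == "__main__":
    print(unconfined_sftp_blocks(SAMPLE))
```

A block reported here denies the account a shell but still exposes the whole filesystem over SFTP, which is the situation the message warns about.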




