Re: [gentoo-user] Re: which type of access to a webserver?

2003-11-09 Thread Norbert Kamenicky
Björn Lindström wrote:

> Matthias F. Brandstetter [EMAIL PROTECTED] writes:
>
>> I have a question to all of you: What do you think, which would be the
>> best, i.e. most secure access to a webserver, so that users can
>> update their sites?
>> To be more specific: I can't allow ssh login for most of these users
>> for several reasons, that's why I set /bin/false as login shell for
>> them. Ok, so no ssh, no ftp (sidenote: I hate [S]FTP[S] for several
>> reasons, e.g. firewall issues and so forth).
>
> Use ssh with a restricted shell. Restrict them to sftp only. Firewall
> issues? Fix the firewall.

AFAIK restricted shell (bash -r) doesn't work anymore, use jail instead



--
[EMAIL PROTECTED] mailing list


[gentoo-user] Re: which type of access to a webserver?

2003-11-05 Thread Björn Lindström
Matthias F. Brandstetter [EMAIL PROTECTED] writes:

> I have a question to all of you: What do you think, which would be the
> best, i.e. most secure access to a webserver, so that users can
> update their sites?
>
> To be more specific: I can't allow ssh login for most of these users
> for several reasons, that's why I set /bin/false as login shell for
> them. Ok, so no ssh, no ftp (sidenote: I hate [S]FTP[S] for several
> reasons, e.g. firewall issues and so forth).

Use ssh with a restricted shell. Restrict them to sftp only. Firewall
issues? Fix the firewall.

-- 
Björn Lindström [EMAIL PROTECTED]
http://bkhl.elektrubadur.se/
ICQ: 82945879





Re: [gentoo-user] Re: which type of access to a webserver?

2003-11-05 Thread Matthias F. Brandstetter
-- quoting Björn Lindström --
> Use ssh with a restricted shell. Restrict them to sftp only. Firewall

How can I restrict SFTP access to user's home dir?
How can I disable normal SSH access, but enable SFTP?

> issues? Fix the firewall.

Unfortunately, I have no admin rights on this firewall, it's not under my
control. And I don't want to write 100 times to its admin, that and how
he should fix it...

Greets, Matthias

-- 
Boy, when Marge first told me she was going to the Police Academy, I
thought it'd be fun and exciting, like the movie `Spaceballs.'  But
instead, it's been painful and disturbing, like the movie `Police
Academy.'

-- Homer Simpson
   The Springfield Connection





[gentoo-user] Re: which type of access to a webserver?

2003-11-05 Thread Björn Lindström
Matthias F. Brandstetter [EMAIL PROTECTED] writes:

> Ok, and how can I chroot SFTP only (i.e. not SSH), and only for some
> users (e.g. not root)?

Give them ssh access, but a restricted login shell, in which they can
only run sftp, and make a wrapper for sftp, that runs it
chrooted. There's a bunch of restricted shells out there, there should
be something that does what you want.

-- 
Björn Lindström [EMAIL PROTECTED]
http://bkhl.elektrubadur.se/
ICQ: 82945879
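
The approach suggested in the reply above (a login shell in which users can only run sftp), as an added example that is not part of the original thread. The install name `sftp-only` and the `sftp-server` path are assumptions; the path must match the `Subsystem sftp` line in `sshd_config`.

```shell
#!/bin/sh
# sftp-only: login shell that permits the SFTP subsystem and nothing else.
# Added example. The name "sftp-only" and the path below are assumptions.
#
# sshd starts a subsystem or a remote command as:
#     <login shell> -c "<command string>"
# An interactive login passes no -c argument at all.

# Hard-coded on purpose: never read this from the environment, which a
# user may influence (PermitUserEnvironment, AcceptEnv).
SFTP_SERVER=/usr/lib/misc/sftp-server

# Print "allow" or "deny" for the argument vector sshd handed to the shell.
sftp_only_decide() {
    # Exactly two arguments are expected: "-c" and the command string.
    [ "$#" -eq 2 ] || { echo deny; return 0; }
    [ "$1" = "-c" ] || { echo deny; return 0; }
    # Exact string comparison: no options, no prefix match, no word
    # splitting, so "sftp-server; sh" or "/tmp/sftp-server" never pass.
    if [ "$2" = "$SFTP_SERVER" ]; then
        echo allow
    else
        echo deny
    fi
}

sftp_only_main() {
    if [ "$(sftp_only_decide "$@")" = "allow" ]; then
        # Replace this process with the SFTP server; no shell remains.
        exec "$SFTP_SERVER"
    fi
    echo "This account is restricted to SFTP." >&2
    exit 1
}

# Act only when installed under the assumed name, so the file can be
# sourced or run under another name to exercise sftp_only_decide.
case "${0##*/}" in
    sftp-only) sftp_only_main "$@" ;;
esac
```

This covers only the "sftp, no shell" half of the question: it does not chroot, which needs root privilege, and later OpenSSH releases handle both in sshd itself with `ChrootDirectory` and `ForceCommand internal-sftp`.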

