Could someone please tell me the proper way to completely disable the
sftp service inside SSH (from a regular Debian 5 lenny package
installation)?
I tried to comment out the line "Subsystem sftp
/usr/lib/openssh/sftp-server" inside the "/etc/ssh/sshd_config" file (and of
course restarted ssh), but even like this I can still connect using sftp.
So the only way that I found so far is by wildly renaming the
"/usr/lib/openssh/sftp-server" server file. I suppose this is not a very
good thing.
Thanks for any advice.
Gingko
You might try setting it to "/dev/null" in sshd_config. Take a look
at the manual page to understand what sshd_config says about this:
commenting it out basically switches the sftp function to an
"internal" component, not the external helper utility.
But if you've got SSH going, you can't easily turn off SCP. So I
really don't see what you're gaining by turning off SFTP.
I want to turn off SFTP because I already have a VSFTPD configuration, and I
just realized that having SFTP running in parallel is a way for my users to
bypass the chroot jails that I set up in VSFTPD, allowing them to browse the
whole filesystem of my server.
They just need to set an option in, for example, Firefox + FireFTP for that.
So this is a security concern.
Gingko
Do those same users have ordinary SSH login accounts on the server?
If so, then surely they can access files outside the chroot jail by
logging in normally and running shell commands, even if you turn off
SFTP.
If not, how were they getting at OpenSSH's built-in SFTP service in
the first place?
--
Simon Tatham <ana...@pobox.com>
"What a caterpillar calls the end of the world, a human calls a butterfly."
Probably the default value of "Subsystem sftp" *is* /usr/lib/openssh/sftp-server,
so commenting it out is a no-op.
Why not simply replace the line:
"Subsystem sftp /usr/lib/openssh/sftp-server"
with something like:
"Subsystem sftp /bin/false"
in the sshd_config file?
--
Gilles
They will still have SCP access. The only way to turn that off is to
block SSH access for them altogether. This is actually a completely
reasonable thing to do: restrict SSH access to a few designated
accounts and IP addresses for any fileserver that will need to use
local or network passwords for a lot of untrusted FTP clients.
And *seriously* consider throwing out FTP, for security reasons. If
they're using normal account passwords, that is sniffable, similar to
telnet and rsh. Switch to WebDAV over HTTPS, or an FTPS server, if you
want to protect those users.
Read the man page for sshd_config. It's enlightening: commenting out
that line leaves sftp to run with an internal utility, rather than the
helper program.
There are various OpenSSH configurations that really do *not* do what
you'd expect from their name. This is one of them.
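As an added example (not code from the thread or from OpenSSH), here is a small POSIX shell audit that checks the two things the replies above turn on: whether the "Subsystem sftp" line is actually set to something like /bin/false (Gilles' suggestion) rather than merely commented out, which the original poster found did not stop sftp, and whether SSH logins are restricted to designated accounts and addresses with AllowUsers. The three sample sshd_config files, the account name "admin" and the address 192.0.2.10 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the two settings
# the discussion turns on. Sample configs, account name and address are constructed.

# Print the handler configured for the sftp subsystem, or nothing if no
# uncommented "Subsystem sftp" line exists. sshd uses the first occurrence of a
# keyword and treats lines starting with "#" as comments, so commenting the
# line out configures nothing; it only removes the explicit value.
sftp_subsystem() {
  awk 'tolower($1) == "subsystem" && tolower($2) == "sftp" { print $3; exit }' "$1"
}

# Classify the sftp subsystem: "unset" (no explicit line, so whatever sshd does
# by default applies; do not read this as "disabled"), "neutralised:<cmd>" when
# it points at a command that cannot serve files, or "enabled:<cmd>".
sftp_status() {
  handler=$(sftp_subsystem "$1")
  case "$handler" in
    "")                   echo "unset" ;;
    /bin/false|/dev/null) echo "neutralised:$handler" ;;
    *)                    echo "enabled:$handler" ;;
  esac
}

# Succeed (exit 0) only if an uncommented AllowUsers line restricts who may log in.
has_allowusers() {
  awk 'tolower($1) == "allowusers" { found = 1 } END { exit (found ? 0 : 1) }' "$1"
}

# Write one of three constructed sshd_config samples to the path in $1.
write_sample() {
  case "$2" in
    commented)  # the original poster's attempt: the line is commented out
      printf '%s\n' 'Port 22' \
        '#Subsystem sftp /usr/lib/openssh/sftp-server' > "$1" ;;
    default)    # the stock Debian line
      printf '%s\n' 'Port 22' \
        'Subsystem sftp /usr/lib/openssh/sftp-server' > "$1" ;;
    restricted) # sftp pointed at /bin/false; logins limited to one account
                # from one management address (USER@HOST form of AllowUsers)
      printf '%s\n' 'Port 22' \
        'Subsystem sftp /bin/false' \
        '# only the admin account, only from the management host (constructed)' \
        'AllowUsers admin@192.0.2.10' > "$1" ;;
  esac
}

# Stand-alone demonstration over the three samples.
demo=${TMPDIR:-/tmp}/sshd_config.demo.$$
for variant in commented default restricted; do
  write_sample "$demo" "$variant"
  if has_allowusers "$demo"; then restricted=yes; else restricted=no; fi
  echo "$variant: sftp=$(sftp_status "$demo") allowusers=$restricted"
done
rm -f "$demo"
```

Run it against the real file with `sftp_status /etc/ssh/sshd_config` after sourcing the script; "unset" means the line is missing or commented out, which is the situation the original poster hit, not a disabled subsystem.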
> Why not simply replace the line:
> "Subsystem sftp /usr/lib/openssh/sftp-server"
> with something like:
> "Subsystem sftp /bin/false"
> in the sshd_config file?
That might work. I suggested /dev/null as a place that can accept all
the input in the world and ignore it....
You are right. This is a small server that I use almost only for myself, but
I recently had to give access to a few other users.
I put restrictions on SSH, and finally re-enabled SFTP.
It is strange anyway that there is no dedicated way for disabling SFTP, I
suppose this is not the only reason for which some people may want to
disable it.
(and what about disabling other SSH protocols?)
> And *seriously* consider throwing out FTP, for security reasons. If
> they're using normal account passwords, that is sniffable, similar to
> telnet and rsh. Switch to WebDAV over HTTPS, or an FTPS server, if you
> want to protect those users.
Maybe.
But I'm afraid that WebDAV is probably not very well known among
average, non-professional web site creators, meaning that I would have to
spend time explaining it to each of them.
Do you know of many ISPs disabling FTP in favor of WebDAV for the personal web
page creation of their common users?
Gingko
I don't have a number. I know I've done it at several sites in the last 5
years, and all of them have been surprised at how easy it is, and how
well supported it is by tools they already had available (such as lftp and
curl for Linux and UNIX, and Network Neighborhood for Windows).