I'm not sure whether it will satisfy your exact need.

SSH Password Auth Tweak is kept enabled. I'm setting this for a particular user named "test".

1) Set the user's shell to /usr/libexec/openssh/sftp-server (give the correct path for sftp-server, wherever it is on the server). You can do this by opening /etc/passwd and changing the shell field to /usr/libexec/openssh/sftp-server. It may look like:

test:x:528:528::/home/test:/usr/libexec/openssh/sftp-server

2) Add /usr/libexec/openssh/sftp-server to /etc/shells.

This will allow sftp and disable shell access for user test. But I haven't tried the SSH Private Key method.
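
A way to verify the two steps from the post above, as an added example that is not part of the original post: it checks that a user's shell field is the sftp-server binary and that the binary is listed in the shells file. The function names and the sample passwd/shells files are constructed for illustration; point the functions at /etc/passwd and /etc/shells for a real check.

```shell
#!/bin/sh
# Audit for the SFTP-only setup described in the post. File paths are parameters
# so the check can run against copies; the sample data below is constructed.
SFTP_SHELL="/usr/libexec/openssh/sftp-server"   # path from the post; adjust per system

# Print the login shell (7th passwd field) of user $2 in passwd file $1.
# An empty shell field means the system default shell, reported here as /bin/sh.
user_shell() {
    awk -F: -v u="$2" '$1 == u { print ($7 == "" ? "/bin/sh" : $7); exit }' "$1"
}

# Succeed if shell path $2 appears as a whole line in shells file $1.
shell_listed() {
    grep -Fxq -- "$2" "$1"
}

# Classify user $3 using passwd file $1 and shells file $2.
check_sftp_only() {
    login_shell=$(user_shell "$1" "$3")
    if [ -z "$login_shell" ]; then echo "no-such-user"
    elif [ "$login_shell" != "$SFTP_SHELL" ]; then echo "shell-access:$login_shell"
    elif ! shell_listed "$2" "$SFTP_SHELL"; then echo "sftp-shell-not-in-shells"
    else echo "sftp-only"
    fi
}

# Constructed sample files standing in for /etc/passwd and /etc/shells.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
test:x:528:528::/home/test:/usr/libexec/openssh/sftp-server
alice:x:529:529::/home/alice:/bin/bash
EOF
printf '%s\n' /bin/sh /bin/bash "$SFTP_SHELL" > "$demo_dir/shells"

for u in test alice; do
    echo "$u: $(check_sftp_only "$demo_dir/passwd" "$demo_dir/shells" "$u")"
done
```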
While SFTP does interface with the SSH server, the user logging in to SFTP does not have to have shell access. Just don't give SSH access out! I don't recommend that you stop the SSH server just because it can cause you a great deal of other headaches, but moving it to another port, using certificates, disabling direct root access, and using only protocol 2 are all good steps for protecting it. Beyond that, just don't give anyone shell access.

Now in regard to SFTP, like I said, the user doesn't have to have shell access enabled to be able to use it, but then at the same time I have to be curious as to the underlying reason you are pushing for SFTP only. If you are under the impression that FTP is being hacked anywhere recently, you are delusional and misinformed. While there is a lot of chatter (and bad assumptions) going around the net regarding that lately, the truth is the exploit being used has absolutely nothing to do with FTP whatsoever. Recent hackers have been capturing packets and keylogging users' own home computers and then using the information collected to log in to the users' own accounts at web hosting companies and banks, which is incidentally why they usually get in on the first try without any brute force attempts.

Bad news for those who think SFTP with certs might help: I've already seen this exploit used in the wild capturing encryption certificates and connecting by other "secure" means using a proxy off the user's own computer and certificates ripped from the user's own computer.

Point in fact, if you are generally trying to increase security -- wouldn't hurt. If you are trying to protect from the recent exploit chatter -- then I laugh at you wholeheartedly because what you are doing is pointless. That said, I am investigating solutions myself to try to help these users get protected and not get compromised in the first place.
__________________
My Server Expert: Server support, security, and management!