Strange interaction of sftp and protocol version 1
Damien Miller
djm at mindrot.org
Mon May 21 22:27:36 EST 2001
On Mon, 21 May 2001, Gordon Rowell wrote:
> Are both of the following statements meant to be true?
> - Subsystems must be defined for the server to support them
> - Protocol version 1 does not support subystems
yes.
> For Linux, I need the following to enable sftp:
>
> Subsystem sftp /usr/libexec/openssh/sftp-server
>
> However, if I comment out/remove this line and restart sshd, I can still
> start sftp when using Protocol version 1.
>
> [gordonr at icedvovo]$ sftp timtam
> Connecting to timtam...
> Password:
> Request for subsystem 'sftp' failed on channel 0
> Connection closed
>
> This is fine - no DSA key, so fallback to password, then fail as sftp is
> not enabled.
>
> [gordonr at icedvovo]$ sftp -1 timtam
> Connecting to timtam...
> Enter passphrase for RSA key 'gordonr at xxxxx':
> sftp>
>
> OK, we have an RSA key, which works and then sftp starts and works.
>
> Is this the correct behaviour?
Yes, in this case the sftp client will try to activate sftp by doing a
"ssh remotehost /path/to/sftp". This is less robust than a subsystem.
If your goal is to prevent sftp access, then delete or rename the
sftp binary. Recognise though that allowing ssh access is going to
implicitly allow file transfer in almost all cases anyway.
-d
--
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer
More information about the openssh-unix-dev
mailing list