Security suggestion concering SSH and port forwarding.

Krister Bergman bell at
Mon Jan 19 22:50:14 EST 2004

> But when dealing with
> those who know just enough about security to know FTP and Telnet are to
> be phased out, pubkey just isn't that good of an option.

It was when I found scponly and about the same time found WinSCP that I
realized it would be possible to make these kind of "point, click and
drag-n-drog."-users to use encrypted transfer without even realizing it.

Combining WinSCP with scponlyc (chroot:ed scponly) keeps these users in a
quite safe environment while allowing more to trusted users.

> scponly does sort of imply, um, scp only.  Perhaps supporting the pubkey
> permissions flags in sshd_config on a per-user basis might be feasible?

Seems like a possible solution, but I still think an
"AllowedPortForwardingUsers" entry in the sshd_config wouldn't hurt.
(and/or AllowedPortForwardingGroups)

After all this was just a suggestion. Think about it and if you think the
idea sucks, just forget it.

I just refuse to accept that ftp shoule be the only easy option for
allowing non-technical people to download file from a server.

Give them a full working ssh account is just not an option. Most of them
wouldn't know enough about ssh and/or Unix to do any harm but on the other
hand their machines can be hacked by poeple who do. Which means keeping
this accounts locked down to a chroot:ed sandbox feels like a good idea.

Best Regards


More information about the openssh-unix-dev mailing list