Security suggestion concerning SSH and port forwarding.

Peter Stuge stuge-openssh-unix-dev at cdy.org
Tue Jan 20 04:10:33 EST 2004


On Mon, Jan 19, 2004 at 12:50:14PM +0100, Krister Bergman wrote:
> Combining WinSCP with scponlyc (chrooted scponly) keeps these users in a
> quite safe environment while allowing more to trusted users.

Another option is to use rssh and sftp-server. sftp is much preferred over
scp, since scp just serves the purpose of being backwards compatible with
rcp syntax and behaviour.


> Seems like a possible solution, but I still think an
> "AllowedPortForwardingUsers" entry in the sshd_config wouldn't hurt.
> (and/or AllowedPortForwardingGroups)

Yes and no. More options are bad, but on the other hand, unless a
restricted shell can provide policy for stuff going on way back in sshd
(i.e. different forwardings) then we need a way to decide in sshd.

I agree that something more general than the current pubkey flag
approach would be desirable, although the current system works fine for
me at the moment.


> I just refuse to accept that ftp should be the only easy option for
> allowing non-technical people to download files from a server.

FTP isn't that easy. I'd say HTTP is easier, but then you have to deal
with lots of broken clients, or just one particular very popular, very
broken, client. (That also does FTP..)

sftp+rssh+WinSCP is a good combination, but rssh can't control the port
forwarding.


//Peter
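As an added example, not part of the original message or of the OpenSSH project's own code: the two mechanisms the thread contrasts are the per-key "pubkey flag approach" (options in authorized_keys) and a server-side, group-based policy in sshd_config. The script below shows both. The authorized_keys sample is constructed with placeholder key material, the group name sftponly is an assumption, and the Match block uses directives (Match, ForceCommand internal-sftp, ChrootDirectory, AllowAgentForwarding) that OpenSSH added in releases after this 2004 thread. The audit function is a simple parser and does not handle option values that contain spaces.

```shell
#!/bin/sh
# Added example (not from the original thread). Two ways to deny TCP port
# forwarding to file-transfer-only users on OpenSSH, plus a small audit
# over a constructed authorized_keys file.

# Constructed sample authorized_keys. Key blobs are placeholders, not real keys.
AUTHORIZED_KEYS_SAMPLE='no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAFAKEKEY1 upload-only@example
ssh-rsa AAAAFAKEKEY2 alice@example
permitopen="127.0.0.1:5432" ssh-ed25519 AAAAFAKEKEY3 dba@example
restrict ssh-ed25519 AAAAFAKEKEY4 locked@example'

# Print "<comment> <verdict>" for every key read from stdin.
#   denied  - no-port-forwarding present, or restrict without port-forwarding
#   limited - forwarding allowed only to the permitopen destinations
#   allowed - nothing stops the key from opening arbitrary -L/-R forwardings
# A line starts with an options field unless its first token is a key type.
audit_forwarding() {
    awk '
    /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
    {
        opts = ""; key_i = 1
        if ($1 !~ /^(ssh-|ecdsa-|sk-)/) { opts = $1; key_i = 2 }
        comment = $(key_i + 2)
        o = "," opts ","                    # delimit so each option matches whole
        if (o ~ /,no-port-forwarding,/) v = "denied"
        else if (o ~ /,restrict,/ && o !~ /,port-forwarding,/) v = "denied"
        else if (o ~ /,permitopen=/) v = "limited"
        else v = "allowed"
        print comment, v
    }'
}

# sshd_config fragment: the server-side equivalent of the proposed
# "AllowedPortForwardingGroups". Match blocks must come after the global
# settings in sshd_config; the group name passed in is an assumption.
# ChrootDirectory requires that the directory and every parent are owned by
# root and not writable by anyone else, or sshd refuses the login.
sshd_match_fragment() {
    cat <<EOF
# Members of group $1 get an SFTP-only session with no TCP forwarding.
Match Group $1
    AllowTcpForwarding no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    ForceCommand internal-sftp
    ChrootDirectory /home/%u
EOF
}

# Stand-alone demo: audit the sample and emit the config fragment.
printf '%s\n' "$AUTHORIZED_KEYS_SAMPLE" | audit_forwarding
sshd_match_fragment sftponly
```

The audit output for the sample is: upload-only@example denied, alice@example allowed, dba@example limited, locked@example denied. The point of the exercise is the one the mail makes: authorized_keys options only bind keys, not users, so a user who can write their own authorized_keys (or log in with a password) escapes them, whereas the Match block is enforced by sshd regardless of how the user authenticated.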
