![]() Anyone with control over any of the routersĪlong the path from client to server can read the entire session, Your username and password are transmitted in the clear from the FTPĬlient to the FTP server. As such, it has no provisions for securityĪgainst password sniffing, man in the middle attacks, and so on. What's Your Password? xyzzy? Great!:Īs stated earlier, FTP predates the age when Internet activity wasĮxpected to be malicious. (S)FTP securityĮven more important than this out of the box support without additional security/firewall settings is that SFTP is secure, while FTP is exactly the opposite, see e.g. since you already have access via your SSH keys you can use these as well for SFTP with your favorite (S)FTP client. Rather, you should use the SSH File Transfer Protocol (SFTP), which usually works just fine on EC2 instances out of the box without requiring additional security settings outside of SSH access in place anyway, i.e. Vsftp/proftp etc also support chroot configurations, but in this modern day ssh based configurations are the normal way, and support for ftp is historical only.You actually shouldn't use FTP to access Amazon EC2 instances at all (or any other server for that matter, but that's a different issue, see the slightly exaggerated, but nonetheless appropriate rant FTP Must Die). Never give up your private key, thats why its called private -) (or alternatively, have them send your their public key and add it to the authorized_keys file for adeveloper) ![]() You should create an additional keypair for the adeveloper users, and send that to your consultant. Usermod -d /var/www/html/website_abc adeveloper (not tested, see man sshd_config to confirm syntax)Īnd then add those users to the sftp group groupadd sftp This stuff requires openssh-server later than 4.8?, so probably requires CentOS 6.2 Match Group sftp You can set a chroot directory for your user to confine them to the subdirectory /var/www/html/website_abc like so in /etc/ssh/sshd_config Hence in your case, you want to chroot the adeveloper user into the /var/www/html/website_abc directory. sftp can be easily configured to restrict a local user to a specific subset of the filesystem using a configuration in the However in your case, it would appropriate to provide a virtual chroot implemented by the remote shell service. Unix systems provide the chroot command which allows you to reset the / of the user to some directory in the filesystem hierarchy, where they cannot access "higher-up" files and directories. Here is me looking at all the local users configured in the /etc/passwd file $ cat /etc/passwd I can access lots of stuff, that ideally you would want to restrict from some unknown user who you wish to provide local access to. For example here is me a non-root user on some remote CentOS box $ cd /etcĮ.g. I also learnt that I should never ever give the private key file AWS gave me.īy default services that provide a remote shell, like ssh or telnet, or an interactive remote session for commands like sftp, allow a local user to change into any directory they have permissions for, and retrieve a copy of any file they have access to.Īs a general security configuration this is unfortunate because there are many files and directories which are world-readable of necessity. ssh folder inside /var/www/html/website_abc/ and generate private key and give it to the third-party developers). I managed achieved my goals using OpenSSH (I create. So, how do I stop 'adeveloper' from accessing my other website?
0 Comments
Leave a Reply. |