It is fair to jail my SFTP users to their home directory?
origins . I'm running an Ubuntu 9.04 (residence) Server on my LAN. I presently utilize it to store little internet applications, images, some subversion database and also things like that. My (couple of) customers are close friends of mine and also I constantly gave them with an incarcerated FTP accessibility to their home directory. Currently, lately I became aware that FTP is not so safe and secure given that passwords are not covered up when the link is developed and also hence are conveniently sniffable.
I determined to address this trouble making use of SFTP yet there is a concern that maintains me asking yourself and also I require your point of view concerning it.
Making use of SFTP the accessibility to the filesystem relies on the SSH setups. So to jail customers to their home directory for SFTP I need to jail them also when they make use of SSH, my inquiry is: is this a preferable arrangement? It is not a constraint on an UNIX customer usual - feeling advantages?
There is a second concern that is: exists an uncomplicated means to complete that under Ubuntu 9.04 Server?
chrooting customers making use of ssh is not a preferable configuration most of the times. When they are incarcerated right into their residence dir, they will not have the ability to make use of any kind of programs outside their residence dir. This makes unix virtually pointless as a shell web server.
You can make use of FTPS as opposed to SFTP/SCP, which will certainly send passwords over SSL, yet makes use of an ssh web server, permitting you to chroot them for documents transfer, yet except login (although little is obtained if you just chroot their documents transfers, and also they will certainly still have the ability to scp information from the equipment).
If they currently have actually unjailed ssh accessibility after that there would certainly be absolutely nothing to obtain by limiting sftp also if you can do it.
Certain, there was an excellent factor to chroot the ftp web server, yet If I currently have ssh accessibility fully equipment there is no extra protection threat to me having sftp accessibility.