Hi,
I'm using fun_plug 0.3 by fonz and it's great. However, is there a way to configure dropbear?
There's a security hole which allows any user with FTP access through SSH to gain access to all dirs, not just the allowed FTP home dir.
I have tried to remove the shell in /etc/passwd, but I was still able to gain access to all dirs even though I was not root or a permitted user.
I'm not a security expert. Maybe there's a better way of doing things?
Can anyone shed some light?
Thanks.
ultrac400 wrote:
There's a security hole which allows any user with FTP access through SSH to gain access to all dirs, not just the allowed FTP home dir.
I have tried to remove the shell in /etc/passwd, but I was still able to gain access to all dirs even though I was not root or a permitted user.
This problem has been discussed here: http://dns323.kood.org/forum/t638-SFTP- … ccess.html
Modification of /etc/passwd works if you disable my shell hack for dropbear: http://dns323.kood.org/forum/p4123-2007 … html#p4123
An alternative might be to look for an FTP server that can use a separate user database.
Thanks Fonz for the reply.
Can you suggest another FTP server, with better monitoring and user password?
The FTP that comes with the DNS323 doesn't allow very strong passwords, and you can't monitor FTP progress/stats.
Thanks.
If you chroot Debian, I would like to recommend pure-ftpd.
It keeps a separate pw database not related to the system's database.
"MySecureShell" also works great if chrooted in Debian.