Quoting John Moylan (moylanj at rte.ie):
> I have just spent the best part of a day hardening a Linux box that
> will be used as an SFTP or an SCP server to replace notoriously
> insecure FTP. I now have one small problem though. Any of the free
> Windows clients that I have tested are crud.
Actually, if you think that just replacing ftp with scp or sftp
constitutes a significant security improvement, then you now
have _two_ problems. ;-> It might have been smarter to just chroot
people ftp'ing in non-anonymously to a subdirectory of their home
directories, and recompile an ftp daemon to use a different
authentication database from the one that holds shell-login passwords.
That way, sure, people's ftp logins are sniffable, but you don't expose
any shell passwords thereby.
As it is, you'll have people using their shell passwords inside Win32
sftp or scp client software, or storing private RSA or DSA keys on their
Win32 boxes. Where, of course, they're extremely stealable. And you're
probably allowing those users to set their passwords to the same pet
names or other dictionary words they use everywhere else on Earth. Once
those passwords get sniffed or cracked elsewhere, the bad guys will
simply follow the users into your hardened Linux box, crack root, set
up a rootkit, and all of that.
Encryption isn't, and never will be, magic security pixie dust. If you
want people to be able to do dumb things like scp/sftp into "secure"
*ix boxes from Win32, better look into OPIE at the very least.
--
This message falsely claims to have been scanned for viruses with F-Secure
Anti-Virus for Microsoft Exchange and to have been found clean.
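The reply above recommends OPIE, i.e. one-time passwords, as the minimum for letting people log in from machines where a sniffed or stolen password is the expected failure. The following is an added worked example, not part of this thread and not code from the OPIE project: a small Python implementation of the RFC 2289 one-time password scheme (MD5 variant) together with the server-side check that makes a sniffed password useless for replay. The passphrase, seed and sequence number are constructed sample values, and the class and function names are this example's own.

```python
"""Minimal RFC 2289 (S/KEY / OPIE-style) one-time password demo.

Added example, not code from the original message nor from OPIE itself.
Server-side state and the replay check follow RFC 2289's description:
the server keeps the last accepted one-time password and verifies a
candidate by hashing it once more. Names below (OtpServer, otp_generate,
client_response) are this example's own.
"""
import hashlib
import hmac


def fold_md5(data: bytes) -> bytes:
    """MD5 the input and fold the 16-byte digest to 8 bytes by XOR-ing
    the two halves, as RFC 2289 specifies for the MD5 variant."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_generate(passphrase: str, seed: str, sequence: int) -> bytes:
    """One-time password number `sequence` for this passphrase and seed.

    Initial step: hash(lowercased seed + passphrase); then apply the
    hash `sequence` more times. Sequence 0 is the initial step alone.
    """
    value = fold_md5((seed.lower() + passphrase).encode("ascii"))
    for _ in range(sequence):
        value = fold_md5(value)
    return value


def to_hex(otp: bytes) -> str:
    """RFC 2289 hexadecimal display form: four groups of four hex digits."""
    h = otp.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


class OtpServer:
    """Holds what an OTP server keeps per user: seed, current sequence
    number and the last accepted one-time password (never the passphrase)."""

    def __init__(self, passphrase: str, seed: str, sequence: int):
        # Enrollment: the passphrase is used once to compute the starting
        # point and is then discarded; only the seed, the sequence number
        # and an 8-byte hash value remain on the server.
        self.seed = seed
        self.sequence = sequence
        self.last_otp = otp_generate(passphrase, seed, sequence)

    def challenge(self) -> str:
        """Challenge sent in the clear to the client; it carries no secret."""
        return f"otp-md5 {self.sequence - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        """Accept `response` only if hashing it once yields the stored
        value. A replayed password fails because the stored value has
        since moved one step down the chain."""
        if self.sequence <= 1:
            return False  # chain exhausted; the user must re-enroll
        if not hmac.compare_digest(fold_md5(response), self.last_otp):
            return False
        self.last_otp = response
        self.sequence -= 1
        return True


def client_response(passphrase: str, challenge: str) -> bytes:
    """What the user's calculator computes from the challenge plus the
    passphrase, which never leaves the client machine."""
    _, seq, seed = challenge.split()
    return otp_generate(passphrase, seed, int(seq))


def demo_login_sequence() -> list:
    """Constructed scenario: enroll, log in, replay the sniffed
    password, then log in again with the next password in the chain."""
    passphrase = "correct horse battery"   # constructed sample secret
    server = OtpServer(passphrase, "ke4242", sequence=99)
    results = []
    first = client_response(passphrase, server.challenge())
    results.append(server.verify(first))      # sequence 98 accepted
    results.append(server.verify(first))      # replay of the sniffed OTP rejected
    second = client_response(passphrase, server.challenge())
    results.append(server.verify(second))     # sequence 97 accepted
    return results


if __name__ == "__main__":
    for otp in ("first login", "replayed login", "next login"):
        pass
    print(demo_login_sequence())
```

The point the example makes concrete: the server stores only an 8-byte hash and a counter, the challenge reveals nothing, and a password captured off the wire verifies exactly once, because the stored value moves down the chain the moment it is accepted. RFC 2289 Appendix C lists test vectors for the MD5 variant if you want to check an implementation against the standard.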