There are consequences no matter what course of action you take. I would say
generally SSH is a secure service (assuming you update your server regularly)
but be aware:
a) SSH scans/probes are very common right now. Accounts with very bad
passwords may get compromised by these worms. Moving to a non-standard port
would circumvent this.
b) If you allow ssh-keys (default), then you may have users who create
unprotected keys. Those keys will get compromised; people who don't set
passwords on keys tend to have other bad security practices too. Once a
user's key is compromised, then their account on your systems is next.
c) SSH1 is susceptible to MITM attacks and there are fewer and fewer cases
where SSH1 is needed so you should ensure your server only uses SSH2 by
having this line in your sshd_config:
    Protocol 2
In any case, this is only granting user-level access. This is enough for the
attacker to run spam-bots and such or try escalation attacks, but it's not
super-user access. Those are the weaknesses I am aware of so if anyone knows
of other risks running SSH, please pipe up.
On Wednesday 14 March 2007 07:40, you wrote:
> They are using a GUI SFTP client so it is easier than command line or VPN.
>
> Adam
>
> On 3/13/07 9:14 PM, "David Muszynski" <email@hidden> wrote:
> > On Mar 13, 2007, at 3:36 PM, Adam Gerson wrote:
> >> I know but I have a few non tech staff users that want access to our
> >> file server who are competent enough to use an SFTP or SCP client with
> >> detailed instructions, but to set up a VPN we have found it takes a few
> >> more steps like editing their home routers to allow vpn passthrough and
> >> I think it goes beyond a few of them. Look for a safe, but not totally
> >> complicated solution to remote file access.
> >>
> >> Adam
> >
> > Teach them what they need to know or suffer the consequences, really your
> > only choices. Anyone competent enough to SSH should have no problems
> > setting up a key, or VPN connection.
> >
> > --
> > Thanks,
> > David
> > http://www.FloridaPets.org
> > 321.961.5281
> >
> > _______________________________________________
> > Do not post admin requests to the list. They will be ignored.
> > Macos-x-server mailing list (email@hidden)
> > Help/Unsubscribe/Update your Subscription:
> > http://lists.apple.com/mailman/options/macos-x-server/email@hidden
> >
> > This email sent to email@hidden
--
Dominic Lepiane
The IRMACS Centre
Simon Fraser University
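
The two sshd_config points from the message above (SSH2 only, and the listening port), checked in a small Python script. This is an added example, not part of the original message; the function names and sample configs are constructed, and a missing Protocol line is flagged on the assumption that the line should be present as the message asks.

```python
"""Audit sshd_config text for the SSH1 and port points in the message above."""

def effective_settings(config_text):
    """Return the global Protocol value (or None) and the list of Port values."""
    protocol, ports = None, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comment lines carry no setting
        # Keyword and argument are separated by whitespace or a single '='.
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break  # conditional blocks follow; the global section is over
        if keyword == "protocol" and protocol is None:
            protocol = value  # sshd keeps the first value it reads
        elif keyword == "port" and value.isdigit():
            ports.append(int(value))  # Port may be given more than once
    return {"protocol": protocol, "ports": ports}

def audit(config_text):
    """Return a list of findings; an empty list means both checks passed."""
    s = effective_settings(config_text)
    findings = []
    if s["protocol"] is None:
        # Assumption: absence is flagged because the message asks for the line.
        findings.append("no Protocol line: add 'Protocol 2'")
    elif {v.strip() for v in s["protocol"].split(",")} != {"2"}:
        findings.append("Protocol %s permits SSH1" % s["protocol"])
    if not s["ports"] or 22 in s["ports"]:  # sshd listens on 22 by default
        findings.append("port 22 in use: exposed to common SSH scans")
    return findings

# Constructed sample configs, not taken from any real server.
WEAK = "#Protocol 2\nProtocol 2,1\nProtocol 2\nPermitRootLogin no\n"
HARDENED = "Port 2222\nprotocol = 2\nMatch User backup\n"

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(text) or "ok")
```

In the WEAK sample the commented-out line is ignored and the first active Protocol line wins, so the later "Protocol 2" does not disable SSH1.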