On Sun, Apr 05, 2009 at 11:51:38PM -0500, Mike Miller wrote:
> On Mon, 6 Apr 2009, ecrist at secure-computing.net wrote:
>
> > SFTP doesn't require a real shell. With mysql or LDAP back ends, you
> > don't need to put the user entries in the password file. I'd recommend
> > using your standard password file and set the shell to /nonexistent or
> > scponly (there's a package for that one).
>
> What does it mean to use "mysql or LDAP back ends" for sftp? When a
> connection comes to port 22, then what happens? I'm asking because I
> don't know. I would assume there is a username/password kind of exchange
> and a connection is made.

'back end' in this context means the process which authenticates the user.
By default the users are authenticated against PAM, which by default is
configured to use /etc/passwd + /etc/shadow. You can either configure PAM
to use MySQL or LDAP to store the passwords, or you can configure the FTP
daemon itself to use MySQL or LDAP for passwords.

> Is the sftp/mysql scheme better than using secure http so that users can
> connect using a web browser?

From the usability perspective? It depends if you can afford a real
certificate or not. If you use a self-signed certificate with Firefox you
might scare the less sophisticated users away. But overall I say the web
application will be more user friendly and easier to deploy. The end-users
don't need to install and update any client application.

Cheers,
florin

-- 
Bruce Schneier expects the Spanish Inquisition.
http://geekz.co.uk/schneierfacts/fact/163
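The thread's advice (SFTP users who get no real shell, with the shell in the password file set to /nonexistent or scponly) can be expressed as an OpenSSH `Match` block plus a small audit. The script below is an added example written for this page, not code from anyone in the thread; the group name `sftponly`, the chroot path `/srv/sftp`, and the passwd/group lines are constructed assumptions. With `ForceCommand internal-sftp` sshd serves SFTP in-process and never executes the user's login shell, so the nologin shell is a second layer: if the `Match` block is ever lost, those accounts still cannot log in interactively. The audit function finds group members that still carry an interactive shell.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): an SFTP-only
# sshd_config fragment and an audit of who in the sftponly group still
# has an interactive login shell. All names and paths are assumptions.

# sshd_config fragment for accounts that should only ever speak SFTP.
# The chroot directory must be owned by root and not writable by
# group or others, or sshd refuses the login.
SFTP_ONLY_CONFIG='Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
'

# Constructed sample /etc/passwd lines (not taken from a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001::/srv/sftp/alice:/usr/sbin/nologin
bob:x:1002:1001::/srv/sftp/bob:/bin/bash
carol:x:1003:1001::/srv/sftp/carol:/nonexistent'

# Constructed sample /etc/group line listing the sftponly members.
SAMPLE_GROUP='sftponly:x:1001:alice,bob,carol'

# Returns 0 when the shell cannot give an interactive session
# (/nonexistent, nologin, false, or the scponly restricted shell).
is_noninteractive_shell() {
    case "$1" in
        /nonexistent|/usr/sbin/nologin|/sbin/nologin|/bin/false|*/scponly) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints "user shell" for every sftponly member whose login shell is
# still interactive; prints nothing when the group is clean.
sftp_users_with_shell() {
    members=$(printf '%s\n' "$SAMPLE_GROUP" | awk -F: '$1=="sftponly"{print $4}' | tr ',' ' ')
    for u in $members; do
        shell=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$u" '$1==u{print $7}')
        if ! is_noninteractive_shell "$shell"; then
            printf '%s %s\n' "$u" "$shell"
        fi
    done
}

# Stand-alone run: show the config fragment, then any offending accounts.
printf '%s\n' "$SFTP_ONLY_CONFIG"
sftp_users_with_shell
```

On a real host the fragment goes at the end of `sshd_config` (a `Match` block applies to everything after it), followed by `sshd -t` to check the syntax before reloading; the audit would read `/etc/passwd` and `/etc/group` instead of the embedded samples. With the sample data above, only `bob` is reported, because `alice` and `carol` already use nologin-style shells.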