Locking down SFTP (Leopard)

Discussion in 'macOS' started by kd5ftn, Mar 17, 2008.

  1. kd5ftn macrumors newbie

    Joined:
    Dec 11, 2006
    #1
    I'm running Leopard and have set up my machine to be accessed from the internet via SSH, and SSH only.

    I've secured my SSH connection by only allowing public key authentication and disabling password authentication. I thought I was being pretty safe - until I realized that I could still SFTP in by only using a password! :confused:.

    I talked to a linux friend with a similar setup, yet trying to SFTP in with a password doesn't work. I also compared sshd_config's with his, and even copied it (minor changes to path's for my system).

    After extensive searching, Googling, and experimentation I can not figure out how to get SFTP to stop accepting passwords.
     
  2. TEG macrumors 604

    TEG

    Joined:
    Jan 21, 2002
    Location:
    Langley, Washington
    #2
    Can you not just setup the Firewall to block the SFTP port?

    TEG
     
  3. dvd macrumors regular

    dvd

    Joined:
    Oct 12, 2007
    Location:
    Massachusetts
    #3
    TEG, SFTP is implemented through the same port used for SSH, port 22 by default. So you can't block one without blocking the other. Port 115 is Simple FTP, not Secure FTP.. Simple FTP is a stale protocol nobody uses anymore (if ever.) It's misleading since it uses the same acronym, SFTP.

    kd5ftn, good question, you shouldn't be seeing what you are seeing. The sftp login should be controlled by the same settings as ssh. You might try adding, successively, -v, -vv, and -vvv to your sftp sessions to increase the verbosity of the login sequence and see if that helps at all. You could also try turning up the LogLevel in sshd_config and see if that sheds any light.

    My first thought was it might have something to do with PAM, but it appears that PAM is not used by sshd in the stock Leopard config.
     

Share This Page