Which is the better connection method? SFTP vs FTPS/ES
A friend of mine says giving people SFTP and therefore jailed shell access is a bad idea. However, I think you need a port open for FTPES to work.
You can use the ChrootDirectory and "Subsystem internal-sftp" directives to constrain users without giving them any possibility of starting a shell. There is no reason why it should be less secure than FTPS. You should also disable TCPForwarding and related options.
Ideally, you could have a different sshd process doing SFTP-only on a different port or interface to strongly differentiate from admin ssh. This is needed when running RHEL5 IIRC because it has an older openssh, but on the newer versions there are several more directives to constrain users based on various criteria.
Your friend is right in one respect: jailed shell access is no good. If you don't do what I just described, and merely chroot the users while allowing them shell access in any way, you are not secure. It is unnecessary nowadays anyway, so it shouldn't be a problem.
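The sshd_config layout the answer above describes, as an added example (not part of the original answer): a global sftp subsystem plus a Match block for an assumed group named `sftponly` that chroots its members, forces the in-process SFTP server so no shell is ever exec'd, and turns off the forwarding features a jailed user could otherwise abuse. The group name and the chroot path are assumptions; everything else is standard OpenSSH syntax.

```text
# /etc/ssh/sshd_config (excerpt)

# Use the built-in SFTP server; no external sftp-server binary is
# needed inside the chroot, which keeps the jail empty of executables.
Subsystem sftp internal-sftp

# Settings below apply only to members of the (assumed) group "sftponly".
Match Group sftponly
    # Jail the session to a per-user directory. %h expands to the
    # user's home directory. The chroot target and every parent up to
    # "/" must be owned by root and not writable by group or others,
    # or sshd refuses the login ("bad ownership or modes for chroot").
    ChrootDirectory %h

    # Ignore any command the client requests and always run SFTP.
    # Combined with ChrootDirectory, this is what prevents a shell:
    # there is no /bin/sh inside the jail, and sshd never tries to run one.
    ForceCommand internal-sftp

    # Close the side channels that would otherwise let a "file-only"
    # account tunnel traffic or reach X11/agent sockets on the server.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```

Because the chroot directory itself must stay root-owned and unwritable to the user, give each user a writable subdirectory inside it (for example `/home/alice/upload`, owned by the user) rather than making the home directory itself writable. Run `sshd -t` after editing to catch syntax errors before restarting the daemon, and keep the administrative accounts out of the `sftponly` group so the Match block never applies to them.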
It's perfectly possible to give someone SCP/SFTP-access without giving them a shell.
What I like about SFTP:
What I like about FTPS:
Depends on what you think is important...