sftp password

This is a discussion on sftp password within the Linux Security forums, part of the System Security and Security Related category; I manage a server that must provide outside access for all users. Due to being hacked a few times on ...


#1
06-23-2005
Stan McCann
sftp password

I manage a server that must provide outside access for all users. Due
to being hacked a few times on a Solaris box, I have switched over to a
Linux system which I understand security issues on somewhat better. As
part of the switch, I also no longer allow telnet and ftp but depend on
SSH.

With this new setup, I've had difficulty allowing newly created users
to access the system without a password so use a generic password that
allows an initial login requiring the user to change it immediately.
This works via the .bashrc calling another script. The second script
deletes itself after a successful password change. It works well and
thanks to "if", gives no errors when the second script no longer
exists.

This leaves one problem, however with sftp. Since there is a valid
password for the user account, a person can connect to the server using
sftp without first changing the generic password. What I would like to
do to solve this issue is disallow connection if the password has not
been changed. Ideally, I could set a configuration parameter to not
allow the particular password for sftp. Or, can I check for the
existence of the secondary script and not allow access via sftp if it
exists?

--
Stan McCann "Uncle Pirate" http://stanmccann.us/pirate.html
Webmaster/Computer Center Manager, NMSU at Alamogordo
http://alamo.nmsu.edu/ There are 10 kinds of people.
Those that understand binary and those that don't.
#2
06-24-2005
Jem Berkes
Re: sftp password

> I manage a server that must provide outside access for all users. Due
> to being hacked a few times on a Solaris box, I have switched over to a
> Linux system which I understand security issues on somewhat better.

That's not true. Certain Linux distributions might have safer default
installations but really any *nix system becomes easy to gain
unauthorized entry to under similar conditions. I do not think the Linux
kernel is any more secure than say the Solaris, FreeBSD or OpenBSD
kernels.

> This leaves one problem, however with sftp. Since there is a valid
> password for the user account, a person can connect to the server using
> sftp without first changing the generic password. What I would like to
> do to solve this issue is disallow connection if the password has not
> been changed.

sftp works via the subsystem, a program as defined in sshd_config e.g.
/usr/libexec/sftp-server

You can make use of the *nix security model to control access to which
users are allowed to connect via sftp. I tested this out with OpenSSH 3.9
and it worked nicely... create a group like sftpuser and then change the
permissions on the sftp-server binary accordingly.

chgrp sftpuser /usr/libexec/sftp-server
chmod 750 /usr/libexec/sftp-server

Now only members of group 'sftpuser' can sftp into your system. By
default your users won't be a member of this group, so although they can
ssh in they will not be able to sftp in. You can either manually add
confirmed users to the sftpuser group, or come up with a script solution.
A script solution might involve scanning syslog messages for indication
that a user changed their password.

--
Jem Berkes
Software design for Windows and Linux/Unix-like systems
http://www.sysdesign.ca/
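As an added example (not code from the thread or from Jem), here is the "script solution" sketched above: with sftp-server owned by group sftpuser and mode 750 as in the reply, scan the auth log for password-change messages and add each such user to the group. It assumes pam_unix's "password changed for USER" syslog message and a constructed sample log; the DRY_RUN switch and --demo flag are my own.

```shell
#!/bin/sh
# Added example, not code from the original thread: automate the reply's
# "script solution". With /usr/libexec/sftp-server owned by group sftpuser,
# mode 750, scan the auth log for pam_unix password-change messages and add
# each such user to the group, so sftp works only once the generic password
# has been replaced. Assumes passwd logs through pam_unix as
#   passwd[PID]: pam_unix(passwd:chauthtok): password changed for USER

AUTH_LOG="${AUTH_LOG:-/var/log/auth.log}"
SFTP_GROUP="${SFTP_GROUP:-sftpuser}"

# Print each distinct user named in a pam_unix "password changed for" line
# of $1. Matching the full pam_unix prefix means user-controlled text
# elsewhere in the log (a bogus login name, say) cannot forge a hit.
users_with_changed_password() {
    sed -n 's/^.*pam_unix(passwd:chauthtok): password changed for \([A-Za-z0-9._-]*\).*$/\1/p' "$1" \
        | sort -u
}

# Succeed (exit 0) only if user $1 is already a member of $SFTP_GROUP.
in_sftp_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$SFTP_GROUP"
}

# Add every user who changed their password to $SFTP_GROUP; DRY_RUN=1 prints
# the gpasswd command instead of running it.
grant_sftp_after_password_change() {
    users_with_changed_password "$AUTH_LOG" | while read -r user; do
        in_sftp_group "$user" && continue
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'would run: gpasswd -a %s %s\n' "$user" "$SFTP_GROUP"
        else
            gpasswd -a "$user" "$SFTP_GROUP"
        fi
    done
}

# Constructed sample log: alice and bob changed passwords; line 2 is a login
# attempt whose user name merely imitates the message and must not match.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
Jun 23 10:01:30 host passwd[2210]: pam_unix(passwd:chauthtok): password changed for alice
Jun 23 10:02:00 host sshd[2215]: Invalid user password changed for mallory from 198.51.100.9 port 5555
Jun 23 10:03:11 host passwd[2220]: pam_unix(passwd:chauthtok): password changed for bob
Jun 23 10:04:00 host passwd[2222]: pam_unix(passwd:chauthtok): password changed for alice
EOF
    AUTH_LOG="$tmp"; DRY_RUN=1; grant_sftp_after_password_change
    rm -f "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run with `--demo` to see the dry run on the sample log; in production, run it from cron without DRY_RUN after the chgrp/chmod on sftp-server described above.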