[IMC-Tech] Request for "awarexfr" account for updating AWARE web
site -- either FTP or sftp access
Stuart Levy
slevy at ncsa.uiuc.edu
Sun Dec 17 12:05:03 CST 2006
Hello all,

It appears that the blogger.com route for updating the AWARE web site
(http://www.anti-war.net/), hosted on zeco, hasn't been working for a while.
I guess the old imsahp had a special account, "awarexfr",
which allowed chrooted FTP access to a single directory
"/var/www/aware/awarexfr", where the blogger.com software
knew to update a single file, aware-annc.html.

I'm writing to request creating a new "awarexfr" account.
It could allow either FTP access if you like (though I see that zeco
isn't running an FTP server now) or "sftp" access.

Security impact: the password to the awarexfr account would be known in
a hidden place on blogger.com. (This was true before, too.)
In this respect, allowing chrooted FTP access might even be more
secure than allowing sftp; if somehow the password leaked out,
an FTP user would only be able to see or change the AWARE web site,
while a normal sftp user could read any publicly-readable file on zeco.

I see that chrooted sftp is possible (see chrootssh.sourceforge.net,
with patches for OpenSSH's session.c file) but it'd need to be set up,
and would need to replace zeco's installed sshd/sftp-server.
If you like this idea, I'd be happy to build the pieces if someone
else would install them.

If I were sysadmin, I'd vote for plain chrooted FTP for this case,
with the FTP server configured to allow only the "awarexfr" account
to log in.

Anyway, the request:

- new account "awarexfr"
- member of "aware" group
- home dir "/var/www/aware/awarexfr" (which already exists; no dot-files needed)
- shell might be "/usr/libexec/sftp-server" if sftp sounds best,
  else "/bin/sh"
- password: please let me (slevy at ncsa.uiuc.edu) know if you're doing this
  and we can communicate a password by phone.

Thanks.
Stuart Levy, AWARE webmaster
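
The message above contrasts a chrooted upload account with a plain sftp account that can read any publicly-readable file. OpenSSH releases newer than this message can confine an account without patching, using the `ChrootDirectory` and `ForceCommand internal-sftp` keywords in sshd_config. The check below is an added example, not part of the original message or of zeco's configuration; the sample config, the "backup" and "mirror" accounts, and the `sftp_confinement` function name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. CONSTRUCTED sample sshd_config:
# the Match blocks and the "backup"/"mirror" accounts are assumptions.
# Note: sshd only accepts a ChrootDirectory whose path components are all
# root-owned and not writable by group or others.
SAMPLE_CONFIG='Subsystem sftp internal-sftp

# upload-only account for the web site
Match User awarexfr
    ChrootDirectory /var/www/aware/awarexfr
    ForceCommand internal-sftp
    AllowTcpForwarding no

Match User backup,mirror
    ForceCommand internal-sftp
'

# sftp_confinement USER   (sshd_config text on stdin)
# Prints one of:
#   chrooted:<dir>        sftp-only and locked into <dir>
#   sftp-only-no-chroot   no shell, but can read any world-readable file
#   unconfined            no matching "Match User" restrictions found
# Only literal names in "Match User a,b" lines are handled (no patterns,
# no Match Group, no global settings).
sftp_confinement() {
    awk -v user="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" {
            inblock = 0
            if (tolower($2) == "user") {
                n = split($3, names, ",")
                for (i = 1; i <= n; i++) if (names[i] == user) inblock = 1
            }
            next
        }
        inblock && tolower($1) == "chrootdirectory" { dir = $2 }
        inblock && tolower($1) == "forcecommand" && $2 == "internal-sftp" { forced = 1 }
        END {
            if (forced && dir != "") print "chrooted:" dir
            else if (forced)          print "sftp-only-no-chroot"
            else                      print "unconfined"
        }'
}

for u in awarexfr backup slevy; do
    printf '%s: %s\n' "$u" "$(printf '%s\n' "$SAMPLE_CONFIG" | sftp_confinement "$u")"
done
```

To audit a real host, feed it the live file instead of the sample, for example `sftp_confinement awarexfr < /etc/ssh/sshd_config`.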