
Re: Limiting user access in ftp, ssh, samba, etc... 'passwords'



On Sat, Mar 25, 2000 at 05:46:00PM +1100, Damon Muller wrote:
> Quoth Percival, 
> > I want to have easy freedom in limiting user access.  I have killed
> > telnetd, and only sshd.  I want to allow some users access through
> > ssh, some through ftpd, and some through samba.  How can I turn off
> > user access through ssh, but keep their account, and allow them access
> > through ftp?  Can I allow users access to shares through samba, and
> > allow them to ftp in, but not ssh or telnet?
> 
> This doesn't really address the issue of keeping communications secure,
> and isn't an answer to all of your problems, but...
> 
> One way you can disallow SSH but allow FTP for a user is to change their
> login shell to something like /bin/false, and set /bin/false as a valid
> login shell in /etc/shells. This will allow them to SSH in, but won't
> actually let them have an interactive shell (ie., they'll be bounced
> back out as soon as they have authenticated). Most FTP clients will only
> allow FTP logins if the user has a valid shell listed in /etc/shells, so
> FTP will still let them in if /bin/false is in /etc/shells.

i would recommend using /bin/true for this purpose rather than
/bin/false.  /bin/false is used on all the system accounts that should
not have an interactive user or ever be logged into.  so i prefer to
keep /bin/false OUT of /etc/shells.  

another option is falselogin which prints out a message before booting
them off (which you can configure).

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
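
An added example, not part of the original message: a small audit that lists which accounts without an interactive shell pass the /etc/shells check, once with /bin/false and once with /bin/true listed there. The passwd and shells contents are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample data, not taken from a real system.
# $1 = output directory, $2 = shell given to the FTP-only account and
# appended to the shells file (/bin/false or /bin/true).
make_sample() {
    cat > "$1/passwd" <<EOF
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
mail:x:8:8:mail:/var/mail:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
ftponly:x:1001:1001:FTP only:/home/ftponly:$2
EOF
    printf '%s\n' '# valid login shells' /bin/sh /bin/bash "$2" > "$1/shells"
}

# Print "user:shell" for every account whose shell is listed in the shells
# file, i.e. every account that passes the /etc/shells check.
# $1 = passwd file, $2 = shells file
passes_shell_check() {
    awk -F: -v shells="$2" '
        BEGIN {
            while ((getline line < shells) > 0) {
                sub(/#.*/, "", line)               # strip comments
                gsub(/^[ \t]+|[ \t]+$/, "", line)  # trim whitespace
                if (line != "") valid[line] = 1
            }
        }
        /^#/ || NF < 7 { next }                    # skip malformed lines
        {
            sh = ($7 == "") ? "/bin/sh" : $7       # empty field means /bin/sh
            if (sh in valid) print $1 ":" sh
        }
    ' "$1"
}

# Of the accounts that pass, keep those with no interactive shell.
noshell_accounts() {
    passes_shell_check "$1" "$2" |
        awk -F: '$2 == "/bin/false" || $2 == "/bin/true" { print $1 }'
}

demo() {
    dir=$(mktemp -d) || return 1
    for s in /bin/false /bin/true; do
        make_sample "$dir" "$s"
        echo "$s in shells: $(noshell_accounts "$dir/passwd" "$dir/shells" | tr '\n' ' ')"
    done
    rm -rf "$dir"
}
demo
```

On a real host, call `noshell_accounts /etc/passwd /etc/shells` to see which non-interactive accounts currently pass the check.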
