
Re: Limiting user access in ftp, ssh, samba, etc... 'passwords'



On Sat, Mar 25, 2000 at 05:51:06PM -0900, Adam Shand wrote:

> i'm not sure what your options are for samba as i haven't used it for a
> long time ... 
> 
> for ssh you have two ways.  give them a shell which is useless (/bin/false
> or /bin/true or make your own, eg. /usr/local/bin/nossh).  then when they
> log in they will be immediately logged out again.  the other option is to
> use the "AllowGroups" option in the sshd_config file.  create a group called
> ssh, and add it to the AllowGroups option and then only people in the ssh
> group will be able to log in.
> 
> for ftp pretty much the only way to do this is via their shell.  ftp will
> only allow people to login whose shell is listed in /etc/shells.  give users
> you don't want to have ftp access a shell like /bin/false or
> /usr/local/bin/noftp and make sure that shell never gets added to
> /etc/shells.  more advanced ftp daemons like proftpd or ncftpd may have
> other options allowing you to do this via groups like ssh but i've never
> investigated it.

usually ftp daemons support /etc/ftpusers; any user listed is denied
ftp access.

the OpenBSD ftpd (the only safe one IMO) supports this via PAM for the
linux port.

wu-ftpd also supports /etc/ftpusers but it gives out root like candy,
stay away :)

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
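
Added example, not part of either message above: a Python audit that applies the rules discussed in this thread (AllowGroups and useless shells for ssh; /etc/shells and /etc/ftpusers for ftp) to sample account files. The file contents, the NOLOGIN list and literal (non-pattern) matching of AllowGroups names are assumptions made for the example.

```python
# Added example. File contents are constructed; NOLOGIN is an assumed list.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/usr/local/bin/noftp
carol:x:1002:1002::/home/carol:/bin/bash
dave:x:1003:1003::/home/dave:/bin/false
"""
GROUP = "ssh:x:200:alice,bob,carol\nusers:x:100:\n"
SHELLS = "# /etc/shells\n/bin/sh\n/bin/bash\n/bin/false\n"  # /bin/false listed by mistake
FTPUSERS = "# accounts denied ftp\nroot\ncarol\n"
SSHD_CONFIG = "Port 22\nAllowGroups ssh\n"
NOLOGIN = {"/bin/false", "/bin/true", "/usr/local/bin/nossh", "/usr/local/bin/noftp"}

def lines(text):
    """Non-empty lines with '#' comments stripped."""
    return [l for l in (r.split("#", 1)[0].strip() for r in text.splitlines()) if l]

def allow_groups(cfg):
    """Names given to AllowGroups, or None when the option is absent."""
    groups = None
    for line in lines(cfg):
        key, *rest = line.split()
        if key.lower() == "allowgroups":  # sshd keywords are case-insensitive
            groups = (groups or set()) | set(rest)
    return groups

def listed_dummy_shells(shells=SHELLS):
    """Useless shells that appear in /etc/shells and so still permit ftp."""
    return sorted(NOLOGIN & set(lines(shells)))

def audit(passwd=PASSWD, group=GROUP, shells=SHELLS, ftpusers=FTPUSERS, cfg=SSHD_CONFIG):
    gid_name, members = {}, {}
    for entry in lines(group):
        name, _, gid, users = entry.split(":")
        gid_name[gid] = name
        members[name] = set(filter(None, users.split(",")))
    allowed, valid, denied = allow_groups(cfg), set(lines(shells)), set(lines(ftpusers))
    report = {}
    for entry in lines(passwd):
        user, _, _, gid, _, _, shell = entry.split(":")
        groups = {n for n, m in members.items() if user in m} | {gid_name.get(gid)}
        ssh = (allowed is None or bool(groups & allowed)) and shell not in NOLOGIN
        ftp = shell in valid and user not in denied  # /etc/shells, then /etc/ftpusers
        report[user] = {"ssh": ssh, "ftp": ftp}
    return report

if __name__ == "__main__":
    print(audit(), listed_dummy_shells())
```

In the sample data, dave has /bin/false as his shell but still passes the ftp check because /bin/false is listed in /etc/shells, which is the case the quoted message says to avoid.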

