
Re: FTP yes, Telnet no



On Thu, May 18, 2000 at 10:45:43AM +0000, Mats Rynge wrote:
> Hi!
> 
> How can I limit some of my users to be able to use FTP but not be able
> to use Telnet. I thought this was possible by changing the shell to
> /bin/true, but it didn't work. I'm running potato and I'm using proftp as
> FTP server.

define `didn't work': do you mean they were still able to telnet, or
that they could no longer login to anything, including ftp?

if it was the latter you need to run:

echo "/bin/true" >> /etc/shells

if it was the former that would be very strange indeed, and would
indicate something is quite broken if the shell field of /etc/passwd
is being ignored...

however a more secure method to restrict users to ftp only IMO is with
pam:

in /etc/pam.d/login i have:

auth       required     pam_listfile.so item=user sense=deny \
	file=/etc/deny.shell onerr=succeed

in /etc/deny.shell is a list of usernames that are not permitted to
login interactively; if they attempt to login with telnet or on the
console it will seem as though they are entering an incorrect
password.  you will need to add this line to any other pam service
that you wish to disallow for ftp-only accounts.  you should however
combine this with setting the shell to /bin/true or nologin [1] in
case you happen to have something that does not use pam.

also don't use telnet, use ssh.  

[1] the nologin program i refer to comes from OpenBSD. it is very
simple: it prints "This account is currently not available." and exits;
it will also read /etc/nologin.txt if it exists and print its contents
instead.  the OpenBSD source compiles fine on GNU/Linux.  Debian also
has a similar program packaged called falselogin, but it is
significantly more complicated than the OpenBSD version.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
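An audit helper for the setup described in the reply above, added here as an example and not part of the thread. It assumes the layout Ethan describes (a pam_listfile deny list naming the ftp-only users, plus a non-interactive shell for each of them) and runs against a constructed sample tree rather than the real /etc, flagging users whose shell is still interactive or is missing from /etc/shells (which makes ftpd refuse them as well).

```sh
#!/bin/sh
# Added audit helper, not from the original thread. For each account in the
# pam_listfile deny list, check that its login shell is non-interactive yet
# still listed in /etc/shells, so ftp works while telnet/console logins fail.
# shell_listed SHELL SHELLS_FILE -> 0 if SHELL is an exact line of SHELLS_FILE
shell_listed() {
    grep -qxF -- "$1" "$2"
}
# shell_is_interactive SHELL -> 0 for the common interactive shells
shell_is_interactive() {
    case "$(basename "$1")" in
        sh|bash|ash|dash|ksh|zsh|csh|tcsh) return 0 ;;
        *) return 1 ;;
    esac
}
# audit_ftp_only PASSWD SHELLS DENYFILE PAMLOGIN
# Prints "user STATUS" per deny-listed user; returns 1 if anything is wrong.
audit_ftp_only() {
    passwd=$1; shells=$2; deny=$3; pam=$4; rc=0
    # Without the pam_listfile line, telnet logins are not blocked at all.
    grep -q 'pam_listfile.so.*sense=deny' "$pam" || { echo "pam_login MISSING_LISTFILE"; rc=1; }
    while read -r user; do
        [ -n "$user" ] || continue
        shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd")
        if [ -z "$shell" ]; then
            echo "$user NO_SUCH_USER"; rc=1
        elif shell_is_interactive "$shell"; then
            echo "$user INTERACTIVE_SHELL"; rc=1        # only PAM stands in the way
        elif ! shell_listed "$shell" "$shells"; then
            echo "$user SHELL_NOT_IN_ETC_SHELLS"; rc=1  # ftpd will refuse this user too
        else
            echo "$user OK"
        fi
    done < "$deny"
    return $rc
}
# make_sample_tree -> prints a scratch directory holding constructed sample files
make_sample_tree() {
    d=$(mktemp -d)
    printf '%s\n' /bin/sh /bin/bash /bin/true > "$d/shells"
    printf '%s\n' 'alice:x:1001:1001::/home/alice:/bin/true' \
        'bob:x:1002:1002::/home/bob:/bin/bash' \
        'carol:x:1003:1003::/home/carol:/usr/sbin/nologin' > "$d/passwd"
    printf '%s\n' alice bob carol dave > "$d/deny.shell"
    echo 'auth required pam_listfile.so item=user sense=deny file=/etc/deny.shell onerr=succeed' > "$d/login"
    echo "$d"
}
D=$(make_sample_tree)
audit_ftp_only "$D/passwd" "$D/shells" "$D/deny.shell" "$D/login" || echo "audit: problems found"
```

Against the sample tree only alice is correctly set up; bob keeps an interactive shell, carol's nologin is not in /etc/shells, and dave does not exist.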
