On 2010-10-21 09:54, Ron Johnson wrote:
> On 10/21/2010 02:35 AM, Stanisław Findeisen wrote:
>> What are the best practices for restricting user accounts to e-mail +
>> passwd only?
>>
>> Is allowing SSH access and setting user shell to passwd the way to go?
>>
>
> If the machine will just be an email server, I'd look into virtual
> accounts.
>
> http://www.debuntu.org/how-to-virtual-emails-accounts-with-postfix-and-dovecot

Okay, but does SSH+passwd + Postfix + Dovecot (no virtual accounts)
leave any inherent security holes? Like the ability to do scp or...?

My testing reveals that scp doesn't work with SSH+passwd:

> scp local-file someone@...:/somewhere/...
> someone@...'s password:
>
> passwd: invalid option -- c
> Usage: passwd [options] [LOGIN]
>
> Options:
>   -a, --all                     report password status on all accounts
>   -d, --delete                  delete the password for the named account
>   -e, --expire                  force expire the password for the named account
>   -h, --help                    display this help message and exit
>   -k, --keep-tokens             change password only if expired
>   -i, --inactive INACTIVE       set password inactive after expiration
>                                 to INACTIVE
>   -l, --lock                    lock the password of the named account
>   -n, --mindays MIN_DAYS        set minimum number of days before password
>                                 change to MIN_DAYS
>   -q, --quiet                   quiet mode
>   -r, --repository REPOSITORY   change password in REPOSITORY repository
>   -S, --status                  report password status on the named account
>   -u, --unlock                  unlock the password of the named account
>   -w, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS
>   -x, --maxdays MAX_DAYS        set maximim number of days before password
>                                 change to MAX_DAYS
>
> lost connection

What is this "c"? What is scp doing? Does scp assume that remote shell
is GNU Bash, and try to pass command line arguments to it? My local GNU
Bash manual says:

> -c string If the -c option is present, then commands are read from
> string. If there are arguments after the string, they are assigned to
> the positional parameters, starting with $0.

so I think that would make sense... This -c option is probably POSIX?

Perhaps Debian SSH server only allows secure authentication +
communication and the rest is just to execute user shell with command
line parameters supplied by the client end. Is this correct?

-- 
http://people.eisenbits.com/~stf/
OpenPGP: DFD9 0146 3794 9CF6 17EA D63F DBF5 8AA8 3B31 FE8A

Like hardship, risk & challenge? --- Follow Jesus!!
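
Added example, not part of the original message: a small model of how sshd hands a client-requested command to the account's login shell (it runs the shell with "-c" followed by the command string), which is where the "invalid option -- c" in the quoted output comes from. The names passwd_like and run_as_sshd are hypothetical, passwd_like is a constructed stand-in for the real passwd, and the "scp -t" request is what a legacy (pre-SFTP) scp client sends for an upload.

```shell
#!/bin/sh
# Constructed stand-in for a login "shell" such as passwd: it understands
# only its own options, so the "-c" that sshd prepends is an invalid option.
passwd_like() {
  case "$1" in
    -h|--help) echo "Usage: passwd_like [options] [LOGIN]"; return 0 ;;
    -*) echo "passwd_like: invalid option -- ${1#-}" >&2; return 2 ;;
  esac
  echo "changing password (interactive session)"
}

# run_as_sshd LOGIN_SHELL [COMMAND]  (hypothetical helper, models sshd)
#   with a client command (scp, "ssh host cmd"):  LOGIN_SHELL -c COMMAND
#   without one (plain interactive login):        LOGIN_SHELL
run_as_sshd() {
  login_shell=$1
  if [ "$#" -ge 2 ]; then
    "$login_shell" -c "$2"
  else
    "$login_shell"
  fi
}

# What a legacy (pre-SFTP) scp client asks the server to run for an upload.
scp_request='scp -t /somewhere'

# Account whose shell is the passwd stand-in: the request dies on "-c".
run_as_sshd passwd_like "$scp_request" || echo "login shell exited with $?"
# Account with a real shell: the requested command string is executed.
run_as_sshd sh 'echo "a real shell runs whatever command the client sent"'
# Interactive login to the restricted account still reaches the program.
run_as_sshd passwd_like
```

The model covers only command execution through the login shell; it says nothing about other sshd features that do not go through the shell.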