I need to be able to allow specific system accounts to ftp to a box. As far as I can tell I have to give them a shell in /etc/passwd (i.e. /bin/bash) in order for their ftp login to work. I do *not* however want them to be able to log into a shell or ssh session. I cannot restrict by IP. What's the best way to accomplish this?
Thanks, Scott
SSHD_config can be tweaked to block them or just block a whole group http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config
DenyGroups This keyword can be followed by a list of group name patterns, separated by spaces. Login is disallowed for users whose primary group or supplementary group list matches one of the patterns. `*' and `?' can be used as wildcards in the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups.
DenyUsers This keyword can be followed by a list of user name patterns, separated by spaces. Login is disallowed for user names that match one of the patterns. `*' and `?' can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.
On Sun, 29.01.2006 at 22:31, techlist wrote:
> I need to be able to allow specific system accounts to ftp to a box. As far as I can tell I have to give them a shell in /etc/passwd (i.e. /bin/bash) in order for their ftp login to work. I do *not* however want them to be able to log into a shell or ssh session. I cannot restrict by IP. What's the best way to accomplish this?
> Scott
Pretty simple: don't give the FTP users a login shell. CentOS provides 2 styles of them: /bin/false and /sbin/nologin. Depending on the FTP daemon you use you may need to add the non-login shell as a valid shell into /etc/shells; or configure the FTPd differently.
Alexander
Simplest way I can think of -
Use host keys instead of usernames and passwords to log in via SSH. All vsftpd users will not be able to log in via SSH with their user/pass.
On Sunday 29 January 2006 4:31 pm, techlist wrote:
> I need to be able to allow specific system accounts to ftp to a box. As far as I can tell I have to give them a shell in /etc/passwd (i.e. /bin/bash) in order for their ftp login to work. I do *not* however want them to be able to log into a shell or ssh session. I cannot restrict by IP. What's the best way to accomplish this?
> Thanks, Scott
techlist wrote:
> I need to be able to allow specific system accounts to ftp to a box. As far as I can tell I have to give them a shell in /etc/passwd (i.e. /bin/bash) in order for their ftp login to work. I do *not* however want them to be able to log into a shell or ssh session. I cannot restrict by IP. What's the best way to accomplish this?
You can edit your /etc/pam.d/vsftpd and comment/remove pam_shells.so, something like:
#auth required pam_shells.so
This will allow the login without shell access.
On Sun, 2006-01-29 at 21:57, Alin Osan wrote:
> techlist wrote:
> > I need to be able to allow specific system accounts to ftp to a box. As far as I can tell I have to give them a shell in /etc/passwd (i.e. /bin/bash) in order for their ftp login to work. I do *not* however want them to be able to log into a shell or ssh session. I cannot restrict by IP. What's the best way to accomplish this?
> You can edit your /etc/pam.d/vsftpd and comment/remove pam_shells.so, something like:
> #auth required pam_shells.so
> This will allow the login without shell access.
Or, you give them a shell like /bin/false that won't work as a login shell and add it to the list in /etc/shells so the ftp server's shell check will succeed.
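As an added illustration (not from any poster in this thread), the script below models the three controls the replies discuss, the login shell in /etc/passwd, the /etc/shells list that pam_shells.so consults, and DenyUsers/DenyGroups in sshd_config, and reports for each account whether FTP and SSH logins would get through. All account names, group memberships and config values are constructed sample data.

```python
"""Audit, from constructed sample data, which accounts could log in over FTP
and which over SSH under the controls discussed in the thread: the login
shell in /etc/passwd, the /etc/shells list that pam_shells.so consults, and
DenyUsers/DenyGroups in sshd_config."""
from fnmatch import fnmatch

# Constructed sample data (hypothetical accounts, not from a real host).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
scott:x:1001:1001::/home/scott:/bin/bash
ftpbackup:x:1002:1002::/home/ftpbackup:/sbin/nologin
ftpweb:x:1003:1003::/home/ftpweb:/bin/false
"""
SHELLS = ["/bin/sh", "/bin/bash", "/sbin/nologin"]   # /bin/false left out on purpose
GROUPS = {"ftponly": ["ftpbackup", "ftpweb"]}         # supplementary group membership
SSHD_CONFIG = {"DenyUsers": ["scott"], "DenyGroups": ["ftponly"]}
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_passwd(text):
    """Map user name -> login shell (field 7 of each passwd line)."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        users[fields[0]] = fields[6]
    return users


def ftp_allowed(shell, shells=SHELLS, use_pam_shells=True):
    """pam_shells.so rejects a shell not listed in /etc/shells; commenting it
    out of /etc/pam.d/vsftpd removes that check, so any shell passes."""
    return shell in shells if use_pam_shells else True


def ssh_allowed(user, shell, sshd_config=SSHD_CONFIG):
    """DenyUsers/DenyGroups patterns ('*' and '?' wildcards) are checked first;
    even when sshd accepts the login, a nologin shell ends the session."""
    if any(fnmatch(user, pat) for pat in sshd_config.get("DenyUsers", [])):
        return False
    denied_groups = sshd_config.get("DenyGroups", [])
    for group, members in GROUPS.items():
        if user in members and any(fnmatch(group, pat) for pat in denied_groups):
            return False
    return shell not in NOLOGIN_SHELLS


def audit(passwd_text=PASSWD, shells=SHELLS, use_pam_shells=True):
    """Return {user: (ftp_allowed, ssh_allowed)} for every account."""
    return {user: (ftp_allowed(shell, shells, use_pam_shells), ssh_allowed(user, shell))
            for user, shell in parse_passwd(passwd_text).items()}
```

Running `audit()` shows ftpweb blocked from FTP because /bin/false is not in /etc/shells; passing `use_pam_shells=False` (pam_shells.so commented out) or `shells=SHELLS + ["/bin/false"]` admits it to FTP while SSH stays closed.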