Re: Best methods for preventing SSH allowing FTP

From: Walter Hop (freebsd_at_walter.transip.nl)
Date: 08/20/03

    Date: Wed, 20 Aug 2003 20:09:24 +0200
    To: Blake Swensen <blake@pyramus.com>
    
    

    [in reply to blake@pyramus.com, 20-8-2003]

    > Anyone have suggestions for the best methods for locking an account so
    > that a user or a group can only ftp/POP/IMAP and prevent all other
    > access.

    We make use of two special shells to limit access and make it more clear
    what an account is used for. These are just shell scripts:

    /usr/local/bin/ftponly
    /usr/local/bin/mailonly

    They just contain something like this:

        #!/bin/sh
        echo "No SSH login allowed."
        exit 1

    For FTP accounts, we set the user's shell to /usr/local/bin/ftponly.
    The FTP daemon by default checks if the shell is in /etc/shells, so we have
    added the ftponly shell script to /etc/shells. When people would SSH in,
    they'd get the "No SSH login allowed" message.

    For mail accounts, we set the user's shell to /usr/local/bin/mailonly.
    We have not added this shell to /etc/shells, so FTP and SSH login are
    disallowed while our mailserver (uw-imap and pop3) does not care about
    this. The 'mailonly' shell is never executed; it is just there to make
    administration easier.

    cheers,
    walter

    _______________________________________________
    freebsd-isp@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-isp
    To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
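
The arrangement described in the message above can be checked mechanically. The following is an added example, not part of the original post: a shell function that reads a passwd(5)-format file (7 colon-separated fields) and a shells file, and reports whether each ftponly or mailonly account matches that arrangement. The function name, status labels and sample accounts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit accounts against the ftponly/mailonly scheme from the message.
FTPONLY=/usr/local/bin/ftponly
MAILONLY=/usr/local/bin/mailonly

# audit_shells PASSWD_FILE SHELLS_FILE   (hypothetical helper name)
# Prints "user status" for every account whose shell is ftponly or mailonly.
audit_shells() {
    awk -F: -v ftp="$FTPONLY" -v mail="$MAILONLY" -v shells="$2" '
        BEGIN {
            # Load the shells file, ignoring comments and blank lines.
            while ((getline line < shells) > 0) {
                sub(/#.*/, "", line)
                gsub(/[ \t]/, "", line)
                if (line != "") listed[line] = 1
            }
            close(shells)
        }
        /^#/ || NF < 7 { next }   # skip comments and malformed entries
        $7 == ftp {
            # The FTP daemon checks the shells file, so ftponly has to be listed.
            print $1, ((ftp in listed) ? "ftp-only" : "ftp-broken:not-in-shells")
        }
        $7 == mail {
            # mailonly is meant to stay out of the shells file.
            print $1, ((mail in listed) ? "mail-exposed:listed-in-shells" : "mail-only")
        }
    ' "$1"
}

# Constructed sample data (not from the original message).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '# constructed shells file' /bin/sh /bin/csh "$FTPONLY" > "$tmp/shells"
    printf '%s\n' \
        'alice:*:1001:1001:FTP customer:/home/alice:/usr/local/bin/ftponly' \
        'bob:*:1002:1002:Mailbox:/home/bob:/usr/local/bin/mailonly' \
        'carol:*:1003:1003:Admin:/home/carol:/bin/sh' > "$tmp/passwd"
    audit_shells "$tmp/passwd" "$tmp/shells"
    rm -rf "$tmp"
}
demo
```

On a live system, `audit_shells /etc/passwd /etc/shells` runs the same check against the real files.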

