Re: Best methods for preventing SSH allowing FTP

From: Walter Hop (freebsd_at_walter.transip.nl)
Date: 08/20/03

    Date: Wed, 20 Aug 2003 20:09:24 +0200
    To: Blake Swensen <blake@pyramus.com>
    
    

    [in reply to blake@pyramus.com, 20-8-2003]

    > Anyone have suggestions for the best methods for locking an account so
    > that a user or a group can only ftp/POP/IMAP and prevent all other
    > access.

    We make use of two special shells to limit access and make it more clear
    what an account is used for. These are just shell scripts:

    /usr/local/bin/ftponly
    /usr/local/bin/mailonly

    They just contain something like this:

        #!/bin/sh
        echo "No SSH login allowed."
        exit 1

    For FTP accounts, we set the user's shell to /usr/local/bin/ftponly.
    The FTP daemon by default checks if the shell is in /etc/shells so we have
    added the ftponly shell script to /etc/shells. When people would SSH in,
    they'd get the "No SSH login allowed" message.

    For mail accounts, we set the user's shell to /usr/local/bin/mailonly.
    We have not added this shell to /etc/shells, so FTP and SSH login are
    disallowed while our mailserver (uw-imap and pop3) does not care about
    this. The 'mailonly' shell is never executed, it is just there to make
    administration easier.

    cheers,
    walter

    _______________________________________________
    freebsd-isp@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-isp
    To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
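
An audit of the scheme described in the message above, as an added example that is not part of the original post: it checks each account's shell against the shells file the way the post describes the FTP daemon doing, and flags the two mistakes that would undo the setup (ftponly missing from the list, mailonly present in it). The function names, verdict strings and sample accounts are constructed for illustration; only the two wrapper paths come from the post.

```sh
#!/bin/sh
# Added example: audit accounts against the ftponly/mailonly scheme.
FTPONLY=/usr/local/bin/ftponly     # path from the post; must be listed in shells
MAILONLY=/usr/local/bin/mailonly   # path from the post; must NOT be listed

# shell_listed SHELL SHELLS_FILE: succeed if SHELL is an exact entry,
# skipping comment lines (the check the post says the FTP daemon applies).
shell_listed() {
    grep -v '^[[:space:]]*#' "$2" | grep -qxF -- "$1"
}

# classify USER PASSWD_FILE SHELLS_FILE: print one verdict for USER.
classify() {
    shell=$(awk -F: -v u="$1" '$1 == u { print $NF; exit }' "$2")
    [ -n "$shell" ] || { echo "no-such-user"; return 0; }
    if shell_listed "$shell" "$3"; then listed=yes; else listed=no; fi
    case "$shell:$listed" in
        "$FTPONLY:yes")  echo "ftp-only" ;;
        "$FTPONLY:no")   echo "MISCONFIGURED ftponly-not-listed" ;;
        "$MAILONLY:no")  echo "mail-only" ;;
        "$MAILONLY:yes") echo "MISCONFIGURED mailonly-listed" ;;
        *:yes)           echo "unrestricted" ;;
        *)               echo "unlisted-shell" ;;
    esac
}

# audit PASSWD_FILE SHELLS_FILE: one "user<TAB>verdict" line per account.
audit() {
    grep -v '^#' "$1" | cut -d: -f1 | while read -r user; do
        printf '%s\t%s\n' "$user" "$(classify "$user" "$1" "$2")"
    done
}

# make_sample DIR: write constructed passwd and shells files (not real data).
make_sample() {
    cat > "$1/passwd" <<EOF
alice:*:1001:1001:Alice:/home/alice:/bin/sh
webftp:*:1002:1002:FTP upload:/home/webftp:$FTPONLY
mbox1:*:1003:1003:Mail only:/home/mbox1:$MAILONLY
EOF
    cat > "$1/shells" <<EOF
# constructed /etc/shells
/bin/sh
$FTPONLY
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit "$demo_dir/passwd" "$demo_dir/shells"
rm -rf "$demo_dir"
```

To run it against a live system, call `audit /etc/passwd /etc/shells` and review every line that is not `ftp-only` or `mail-only`.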

