I need to be able to allow specific system accounts to ftp to a box. As far as I can tell I have to give them a shell in /etc/passwd (i.e. /bin/bash) in order for their ftp login to work. I do *not* however want them to be able to log into a shell or ssh session. I cannot restrict by IP. What's the best way to accomplish this? Thanks, Scott
SSHD_config can be tweaked to block them or just block a whole group:
http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config

     DenyGroups
             This keyword can be followed by a list of group name patterns,
             separated by spaces. Login is disallowed for users whose primary
             group or supplementary group list matches one of the patterns.
             `*' and `?' can be used as wildcards in the patterns. Only group
             names are valid; a numerical group ID is not recognized. By
             default, login is allowed for all groups.

     DenyUsers
             This keyword can be followed by a list of user name patterns,
             separated by spaces. Login is disallowed for user names that
             match one of the patterns. `*' and `?' can be used as wildcards
             in the patterns. Only user names are valid; a numerical user ID
             is not recognized. By default, login is allowed for all users.
             If the pattern takes the form USER@HOST then USER and HOST are
             separately checked, restricting logins to particular users from
             particular hosts.
On Sun, 29.01.2006 at 22:31, techlist wrote:
> I need to be able to allow specific system accounts to ftp to a box. As
> far as I can tell I have to give them a shell in /etc/passwd (i.e. /bin/bash) in
> order for their ftp login to work. I do *not* however want them to be able
> to log into a shell or ssh session. I cannot restrict by IP. What's the
> best way to accomplish this?
> Scott

Pretty simple: don't give the FTP users a login shell. CentOS provides 2 styles of them: /bin/false and /sbin/nologin. Depending on the FTP daemon you use you may need to add the non-login shell as a valid shell into /etc/shells; or configure the FTPd differently.

Alexander

--
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
Serendipity 22:42:44 up 56 days, 3:19, load average: 0.86, 0.79, 0.57
Simplest way I can think of - Use host keys instead of usernames and passwords to login via SSH. All vsftpd users will not be able to login via SSH with their user/pass.

On Sunday 29 January 2006 4:31 pm, techlist wrote:
> I need to be able to allow specific system accounts to ftp to a box. As
> far as I can tell I have to give them a shell in /etc/passwd (i.e.
> /bin/bash) in order for their ftp login to work. I do *not* however want
> them to be able to log into a shell or ssh session. I cannot restrict by
> IP. What's the best way to accomplish this?
>
> Thanks,
> Scott
>
techlist wrote:
> I need to be able to allow specific system accounts to ftp to a box. As
> far as I can tell I have to give them a shell in /etc/passwd (i.e.
> /bin/bash) in order for their ftp login to work. I do *not* however
> want them to be able to log into a shell or ssh session. I cannot
> restrict by IP. What's the best way to accomplish this?

You can edit your /etc/pam.d/vsftpd and comment/remove pam_shells.so, something like:

    #auth required pam_shells.so

This will allow the login without shell access.

--
Alin Osan
Hi guys:

Thanks for the input and helpful suggestions. I prefer the solution that allows a FTP login without a shell.

A couple of you suggested I use something like /sbin/nologin and then FTP would work, but no shell would be allowed. Actually, that is the first thing I tried, as nologin is my default shell when I add users. I have to add /bin/bash to get vsftpd to accept the connection. So I checked /etc/shells and /sbin/nologin is there. Apparently that won't work.

I have other services/users I might want to use with shells from time to time so I want the default to be "no shell unless I say so", not "get a shell unless I say no". Preferably controlled at the password file.

So, I tried Alin Osan's suggestion of modifying the pam file, and that *did* work. Thank you very much Alin. Much appreciated.

Scott
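The thread settles on three controls that fit together: FTP-only accounts get a non-login shell, pam_shells.so is commented out of the vsftpd PAM stack, and the DenyGroups directive from the sshd_config reply blocks SSH for the whole group as a second layer. The script below is an added example (not from any poster) that audits and applies those controls against constructed sample files; the group name ftponly, the GID 2000, and the file layouts are assumptions.

```shell
#!/bin/sh
# Added example: audit/apply the FTP-only account controls from the thread.
# All input is constructed sample data so the functions can be tried offline.

# Constructed sample /etc/passwd: GID 2000 is the assumed FTP-only group.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
scott:x:1000:1000::/home/scott:/bin/bash
ftpuser1:x:1001:2000::/srv/ftp/ftpuser1:/sbin/nologin
ftpuser2:x:1002:2000::/srv/ftp/ftpuser2:/bin/bash'

# Constructed sample /etc/pam.d/vsftpd with the pam_shells check still active.
SAMPLE_PAM='#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth'

# List FTP-only accounts (selected by GID) whose login shell is neither
# /sbin/nologin nor /bin/false: those could still get a shell over SSH.
shell_violations() {   # $1 = passwd contents, $2 = FTP-only GID
    printf '%s\n' "$1" | awk -F: -v gid="$2" \
        '$4 == gid && $7 != "/sbin/nologin" && $7 != "/bin/false" { print $1 }'
}

# Exit 0 when an active (uncommented) auth line loads pam_shells.so.
pam_shells_active() {   # $1 = PAM stack contents
    printf '%s\n' "$1" | grep -q '^[[:space:]]*auth[[:space:]].*pam_shells\.so'
}

# Comment out the pam_shells line, as Alin suggested; other lines untouched.
disable_pam_shells() {   # $1 = PAM stack contents, prints the edited stack
    printf '%s\n' "$1" | sed 's/^\([[:space:]]*auth[[:space:]].*pam_shells\.so.*\)$/#\1/'
}

# sshd_config directive denying SSH to the whole FTP-only group, so an
# account is still blocked even if someone later gives it a real shell.
sshd_deny_line() {   # $1 = group name
    printf 'DenyGroups %s\n' "$1"
}

# Stand-alone run: report violators, show the edited stack and sshd line.
shell_violations "$SAMPLE_PASSWD" 2000
disable_pam_shells "$SAMPLE_PAM"
sshd_deny_line ftponly
```

Run against the sample data it reports ftpuser2 as the account that would still get a shell, and prints the vsftpd stack with the pam_shells line commented out.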