Best methods for preventing SSH allowing FTP
Aaron Daubman
daubman at ll.mit.edu
Wed Aug 20 09:13:43 PDT 2003
Just be careful of certain FTP programs if you take this approach.
For ProFTPD, you would then need to set 'RequireValidShell off' in the
conf file.
The method I use is a combination of this and others. It might be
worthwhile to re-think this, as it can become a management nightmare for
large systems. It's worked fine for me so far, however.
Using group membership:
SSH:
AllowGroups allowssh
DenyGroups denyssh
ProFTPD (others might use /etc/ftpusers):
<Limit LOGIN>
DenyGroup denyftp
</Limit>
Shell: /sbin/nologin
Mail: Everybody currently gets mail, but that could easily be changed by
moving to the sasl pw db instead of implementing PAM...
This gives the granularity of explicitly defining which groups of users
get access to what services...
..I'm sure I'm forgetting other settings, but that should give you a
good idea of the options available.
Most programs have built-in group as well as user permissions =)
Cheers,
~Aaron
Scott Blaydes wrote:
> Blake Swensen wrote:
>
>> Anyone have suggestions for the best methods for locking an account so
>> that a user or a group can only ftp/POP/IMAP and prevent all other
>> access.
>>
>> Blake
>
>
> Give them a shell of /bin/false. You will need to actually create a
> file called /bin/false, and add it to /etc/shells. That will allow
> ftp/pop/imap and not allow them to log in via telnet/ssh.
>
> Scott Blaydes
>
>
> _______________________________________________
> freebsd-isp at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe at freebsd.org"
>
More information about the freebsd-isp
mailing list