Best methods for preventing SSH allowing FTP

Walter Hop freebsd at walter.transip.nl
Wed Aug 20 11:08:50 PDT 2003


[in reply to blake at pyramus.com, 20-8-2003]

> Anyone have suggestions for the best methods for locking an account so
> that a user or a group can only ftp/POP/IMAP and prevent all other
> access.

We make use of two special shells to limit access and make it more clear
what an account is used for. These are just shell scripts:

/usr/local/bin/ftponly
/usr/local/bin/mailonly

They just contain something like this:

    #!/bin/sh
    # Refuse the login: print a message and exit non-zero.
    echo "No SSH login allowed."
    exit 1

For FTP accounts, we set the user's shell to /usr/local/bin/ftponly.
The FTP daemon by default checks whether the shell is in /etc/shells, so we
have added the ftponly shell script to /etc/shells. When people SSH in, they
get the "No SSH login allowed" message.

For mail accounts, we set the user's shell to /usr/local/bin/mailonly.
We have not added this shell to /etc/shells, so FTP and SSH login are
disallowed, while our mail server (uw-imap and pop3) does not care about
this. The 'mailonly' shell is never executed; it is just there to make
administration easier.

cheers,
walter
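Added example, not code from the original post or from FreeBSD: the shell script below emulates the /etc/shells check that ftpd performs through getusershell(3) (a login shell is accepted only if it appears as a complete, non-comment line of /etc/shells), runs it against a constructed shells file and constructed passwd entries for the three kinds of account in the post, and runs the post's "ftponly" refusal script the way a login would, to show its exit status. The paths /usr/local/bin/ftponly and /usr/local/bin/mailonly are the ones from the post; the user names, passwd lines and shells file contents are made up, and nothing touches the real /etc/shells or /etc/passwd.

```shell
#!/bin/sh
# Added example (not from the original post). Emulates the /etc/shells test
# that ftpd makes via getusershell(3) against constructed data, and shows
# what the post's "ftponly" refusal shell returns when it is executed.
# Assumptions: /etc/shells format is one absolute path per line, with blank
# lines and '#' comments ignored; all account data below is invented.

# shell_listed SHELLSFILE SHELL
# Succeeds if SHELL appears as a complete, non-comment line of SHELLSFILE
# (surrounding whitespace is ignored; the match is literal, not a pattern).
shell_listed() {
    grep -v '^[[:space:]]*#' "$1" \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qxF -- "$2"
}

# account_shell PASSWD_LINE
# Prints the login-shell field (7th colon-separated field) of a passwd entry.
account_shell() {
    printf '%s\n' "$1" | awk -F: '{ print $7 }'
}

# ftp_verdict SHELLSFILE PASSWD_LINE
# Prints "ftp-allowed" if ftpd's /etc/shells check would pass for the account
# described by PASSWD_LINE, otherwise "ftp-denied".
ftp_verdict() {
    if shell_listed "$1" "$(account_shell "$2")"; then
        echo ftp-allowed
    else
        echo ftp-denied
    fi
}

# refusal_shell_status
# Writes the post's "ftponly" script to a temporary file, runs it as a login
# shell would be run, and prints its exit status (1 = login refused).
refusal_shell_status() {
    script=$(mktemp) || return 1
    cat > "$script" <<'EOF'
#!/bin/sh
echo "No SSH login allowed."
exit 1
EOF
    status=0
    sh "$script" >/dev/null || status=$?
    rm -f "$script"
    echo "$status"
}

# Demonstration with constructed data (a fake /etc/shells and fake passwd
# entries; these are not real system files).
shells=$(mktemp)
cat > "$shells" <<'EOF'
# constructed /etc/shells: standard shells plus the FTP-only refusal shell
/bin/sh
/bin/csh
/usr/local/bin/ftponly
EOF

# FTP account: refusal shell listed in /etc/shells, so ftpd accepts it.
ftp_verdict "$shells" 'ftpuser:*:1001:1001:FTP customer:/home/ftpuser:/usr/local/bin/ftponly'
# Mail account: shell deliberately not listed, so ftpd rejects it.
ftp_verdict "$shells" 'mailuser:*:1002:1002:Mail customer:/home/mailuser:/usr/local/bin/mailonly'
# Ordinary account with a real shell.
ftp_verdict "$shells" 'admin:*:1000:1000:Admin:/home/admin:/bin/sh'
echo "ftponly exit status: $(refusal_shell_status)"
rm -f "$shells"
```

The mail-only account is denied by ftpd purely because its shell is absent from /etc/shells; sshd would still start /usr/local/bin/mailonly if the file existed, which is why the post keeps it a refusal script rather than leaving the field empty.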
