Best methods for preventing SSH allowing FTP

Troy Settle troy at psknet.com
Wed Aug 20 11:18:23 PDT 2003


Once upon a time, I used /usr/bin/passwd as the shell (users could
telnet/ftp in to change their passwords).  I then started using
/usr/bin/false.  I now use /sbin/nologin.

On my primary mail and ftp machines, I no longer use the system passwd
facility to manage user accounts; it's all in a MySQL database, which my
billing software manages directly using ODBC.

--
  Troy Settle
  Pulaski Networks
  http://www.psknet.com
  540.994.4254 ~ 866.477.5638
  Pulaski Chamber 2002 Small Business Of The Year
  

> -----Original Message-----
> From: owner-freebsd-isp at freebsd.org 
> [mailto:owner-freebsd-isp at freebsd.org] On Behalf Of Walter Hop
> Sent: Wednesday, August 20, 2003 2:09 PM
> To: Blake Swensen
> Cc: FreeBSD ISP List
> Subject: Re: Best methods for preventing SSH allowing FTP
> 
> [in reply to blake at pyramus.com, 20-8-2003]
> 
> > Anyone have suggestions for the best methods for locking an account so
> > that a user or a group can only ftp/POP/IMAP and prevent all other
> > access.
> 
> We make use of two special shells to limit access and make it more clear
> what an account is used for. These are just shell scripts:
> 
> /usr/local/bin/ftponly
> /usr/local/bin/mailonly
> 
> They just contain something like this:
> 
>     #!/bin/sh
>     echo "No SSH login allowed."
>     exit 1
> 
> For FTP accounts, we set the user's shell to /usr/local/bin/ftponly.
> The FTP daemon by default checks if the shell is in /etc/shells so we have
> added the ftponly shellscript to /etc/shells. When people would SSH in,
> they'd get the "No SSH login allowed" message.
> 
> For mail accounts, we set the user's shell to /usr/local/bin/mailonly.
> We have not added this shell to /etc/shells, so FTP and SSH login are
> disallowed while our mailserver (uw-imap and pop3) does not care about
> this. The 'mailonly' shell is never executed, it is just there to make
> administration easier.
> 
> cheers,
> walter
> 
> 
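As an added example (not code from either message in this thread), a small POSIX sh audit that applies the rule Walter describes: sshd runs whatever shell passwd names, while ftpd only accepts shells listed in /etc/shells, so the two checks together tell you what each account can actually do. The stub-shell list and the sample passwd/shells entries are assumptions constructed for the demonstration; it also flags the case the thread does not mention, a real shell that is missing from /etc/shells.

```shell
#!/bin/sh
# Added example, not code from the thread: audit which access each account's
# login shell grants, following the /etc/shells convention described above.
# File paths are parameters; on a real host pass /etc/passwd and /etc/shells.

# Heuristic list (an assumption of this example) of shells that refuse an
# interactive session; any shell not listed is assumed to be a real shell.
STUB_SHELLS="/sbin/nologin /usr/sbin/nologin /usr/bin/false /bin/false"
STUB_SHELLS="$STUB_SHELLS /usr/local/bin/ftponly /usr/local/bin/mailonly"

is_stub() {  # is_stub <shell>
    for s in $STUB_SHELLS; do [ "$s" = "$1" ] && return 0; done
    return 1
}

# shell_access <shell> <shells-file>: sshd runs whatever shell passwd names,
# so SSH is open unless the shell is a stub; ftpd consults /etc/shells, so
# FTP is open only when the shell is listed there.
shell_access() {
    ssh=no; ftp=no
    is_stub "$1" || ssh=yes
    grep -qxF -- "$1" "$2" && ftp=yes
    case "$ssh$ftp" in
        yesyes) echo "ssh+ftp" ;;
        yesno)  echo "ssh-only(not-in-shells)" ;;
        noyes)  echo "ftp-only" ;;
        nono)   echo "none" ;;
    esac
}

# audit_accounts <passwd-file> <shells-file>: one "user shell access" line each
audit_accounts() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        echo "$user $shell $(shell_access "$shell" "$2")"
    done < "$1"
}

# Constructed sample data (not from the thread) so the audit runs offline.
tmp=$(mktemp -d)
printf '%s\n' /bin/sh /bin/csh /usr/local/bin/ftponly > "$tmp/shells"
printf '%s\n' \
    'root:*:0:0:Charlie &:/root:/bin/csh' \
    'ftpcust:*:1001:1001:FTP customer:/home/ftpcust:/usr/local/bin/ftponly' \
    'mailcust:*:1002:1002:Mail customer:/home/mailcust:/usr/local/bin/mailonly' \
    'oops:*:1003:1003:Unlisted shell:/home/oops:/usr/local/bin/bash' \
    > "$tmp/passwd"
audit_accounts "$tmp/passwd" "$tmp/shells"
rm -rf "$tmp"
```

An account reported as "ssh-only(not-in-shells)" is the one to look at: FTP will refuse it, but SSH will not.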


