Best methods for preventing SSH allowing FTP
Troy Settle
troy at psknet.com
Wed Aug 20 11:18:23 PDT 2003
Once upon a time, I used /usr/bin/passwd as the shell (users could
telnet/ftp in to change their passwords). I then started using
/usr/bin/false. I now use /sbin/nologin.
On my primary mail and ftp machines, I no longer use the system passwd
facility to manage user accounts, it's all in a MySQL database, which my
billing software manages directly using ODBC.
--
Troy Settle
Pulaski Networks
http://www.psknet.com
540.994.4254 ~ 866.477.5638
Pulaski Chamber 2002 Small Business Of The Year
> -----Original Message-----
> From: owner-freebsd-isp at freebsd.org
> [mailto:owner-freebsd-isp at freebsd.org] On Behalf Of Walter Hop
> Sent: Wednesday, August 20, 2003 2:09 PM
> To: Blake Swensen
> Cc: FreeBSD ISP List
> Subject: Re: Best methods for preventing SSH allowing FTP
>
> [in reply to blake at pyramus.com, 20-8-2003]
>
> > Anyone have suggestions for the best methods for locking an
> account so
> > that a user or a group can only ftp/POP/IMAP and prevent all other
> > access.
>
> We make use of two special shells to limit access and make it
> more clear
> what an account is used for. These are just shell scripts:
>
> /usr/local/bin/ftponly
> /usr/local/bin/mailonly
>
> They just contain something like this:
>
> #!/bin/sh
> echo "No SSH login allowed."
> exit 1
>
> For FTP accounts, we set the user's shell to /usr/local/bin/ftponly.
> The FTP daemon by default checks if the shell is in
> /etc/shells so we have
> added the ftponly shellscript to /etc/shells. When people
> would SSH in,
> they'd get the "No SSH login allowed" message.
>
> For mail accounts, we set the user's shell to /usr/local/bin/mailonly.
> We have not added this shell to /etc/shells, so FTP and SSH login are
> disallowed while our mailserver (uw-imap and pop3) does not care about
> this. The 'mailonly' shell is never executed, it is just there to make
> administration easier.
>
> cheers,
> walter
>
> _______________________________________________
> freebsd-isp at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe at freebsd.org"
>
More information about the freebsd-isp
mailing list