First the OpenSSHd question:

By default the all users are allowed to login. If I add the line to my sshd_config file:
Would foo be the only one able to login? Or would I need to put something like:
There is a little bit of ambiguity on how these work with each other in the documentation I've read.


And now the ProFTPd question:

The problem to me simply seems to be similar to that of the sshd question; a lack of documentation/example of the AllowUser/DenyUser type commands. Especially something about if they can do something similar to a OpenSSHd configuration of AllowUsers where it accepts a host as well as a user name.

Now, after a short rambling...here is the exact issue.

I need to create a user account that can login from the internal network, but cannot be logged into from the outside world. What would be the proper method to do this given I'm running ProFTPd on Mandrake?

Thanks in advance!

If mandrake uses PAM, I would suggest using the "Pluggable Authentication Module" to filter who and who cannot use services. PAM is a huge beast so take your time and do it right.

Will definitely look into that. Thanks for the tip.

If anyone has answers to the previous though, that would still be welcomed... I'm still curious.

The more I look at it, the more I think that PAM was an excellent direction to send me in. It's something I knew of, and knew existed on our system, but I've never tinkered with it at all really (never really had a need). Just wanted to say thanks again.

Well, PAM is a two-edged sword. If you need the flexibility, then it's good. If you're not using the features, than you should disable it, because it can allow for vulnerabilities in lots of network daemons if PAM hasn't been updated with security patches, or if the daemons have bad handling of PAM authentication. There have been quite a few application vulnerabilities that only applied if PAM auth was enabled.

For anyone else who was curious... The biggest issue I had with the documentation is that I didn't see all of the documentation at once, and because at times, I can be thick skulled, I didn't put 2 and 2 together for a while.

The ProFTPd config addition needed for this is as follows:

What this does:
Makes sure the allow-ables are allowed in before it checks who to turn away
Allows everyone from the local network to login
Allows all users that belong to the ftpusers group to login (for all accounts that need to be accessible from outside)
Denys everyone else

This seems to have achieved the desired effect without the PAM module I was planning on writing (chort's warning made me step back, and getting lazy really prevented it). But if anyone has any suggestions or sees any flaws, do enlighten me.

I've solved the SSH problem I had in a different manner, but I'm still probably going to toy with it to get this same sort of effect with OpenSSHd, and will post those findings as well unless someone beats me to it. I've answered some of my own questions, but I still haven't achieved the desired results. The things I have found out are using DenyUsers * with AllowUsers is pointless, as AllowUsers makes it so only the users in the list that can get in...so the DenyUsers only helps to booger things up. And the other thing is simply that AllowUsers using the USER@HOST method doesn't work exactly as I expect it to.

The sshd_config equivalant to the ftpd configuration is this:
alloweduser1 and alloweduser2 are the user accounts that need to be allowed access from anywhere.

This will result in any account being able to be ssh'ed into from the local net, but restrict access from outside to only the users in the list (separated by spaces).

Special Note!:
It seems the reason I was having trouble before was due to an out of date version of OpenSSH! AllowUsers doesn't act the same with sshd_config,v 1.59! The config line above was tested with sshd_config,v 1.69 (OpenSSH 3.8 was the actual OpenSSH version tested with, the latest as of this posting, I believe).