Old 03-08-2004, 07:12 AM   #1
nemesisza
Member
 
Registered: Apr 2003
Distribution: Slackware 9.1
Posts: 36

Rep: Reputation: 15
Denying access to SSH but allow access to FTP


To anyone willing to help,

I would like to disallow access to SSH for certain users, but still allow them to access the server via FTP (running ProFTPd).
I have tried specifying /bin/false as the users' default shell script, and this works, but users are then not able to access FTP.

Thanks in advance for any help.

Nemesis
 
Old 03-08-2004, 10:20 AM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,778
Blog Entries: 1

Rep: Reputation: 412
In the sshd configuration file you can add an AllowUsers line. Basically, any user that isn't listed on that line (space separated) doesn't get to log into ssh.
 
Old 03-09-2004, 11:49 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,947
Blog Entries: 54

Rep: Reputation: 2732
Another way to deny access in SSH, provided your system supports PAM, is to edit /etc/pam.d/sshd and add pam_listfile:
auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/pam.d/acl/allow_ssh onerr=fail
Now list the names of the accounts, one on a line, you want to allow|deny (see "sense") in /etc/pam.d/acl/allow_ssh

FTP uses cleartext passwords, and since that ain't secure you could use an FTP daemon that can use PAM with external, non-system auth, like vsftpd. It works kinda like the listfile option; the vsftpd documentation is very clear on how to set it up.
 
Old 03-11-2004, 02:35 AM   #4
groo1887
LQ Newbie
 
Registered: Feb 2004
Posts: 4

Rep: Reputation: 0
Sweet, thanks for your help. I wanted to know the same info. I did it by just adding the AllowUsers in /etc/ssh/sshd_config.

-Amir
 
Old 03-14-2004, 09:57 AM   #5
nemesisza
Member
 
Registered: Apr 2003
Distribution: Slackware 9.1
Posts: 36

Original Poster
Rep: Reputation: 15
Thanks for your help guys
 
Old 03-14-2004, 10:25 PM   #6
Inexactitude
Member
 
Registered: Oct 2003
Distribution: Slackware 12.2, Ubuntu 9.04
Posts: 477

Rep: Reputation: 30
About giving users /bin/false and then not being able to use ftp, proftpd defaults to requiring a valid shell to access the server. So if you just add RequireValidShell off to your proftpd conf file, you would have been set.
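
An audit sketch for the setup discussed in this thread, added as an example and not posted by any participant: it reports which accounts an AllowUsers line admits over SSH and which accounts have a shell that would need RequireValidShell off for ProFTPD. The account names and files are constructed; it assumes AllowUsers holds plain user names (no patterns or user@host) and that a "valid" shell means one listed in /etc/shells.

```shell
#!/bin/sh
# Added example; all sample data below is constructed.
# Print the names on AllowUsers lines (sshd keywords are case-insensitive).
# Assumption: plain user names only; patterns and user@host are not expanded.
ssh_allowed_users() {
    awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# For each passwd entry print: name ssh=<yes|no> ftp=<ok|needs-RequireValidShell-off>
# Arguments: passwd-file sshd_config shells-file
audit_accounts() {
    allowed=" $(ssh_allowed_users "$2" | tr '\n' ' ')"
    while IFS=: read -r name x x x x x shell; do
        case "$allowed" in
            " ")         ssh=yes ;;  # no AllowUsers line: no restriction by name
            *" $name "*) ssh=yes ;;
            *)           ssh=no ;;
        esac
        # A shell missing from the shells file (e.g. /bin/false) fails the
        # valid-shell check unless RequireValidShell is off (assumption above).
        if grep -qxF -- "$shell" "$3"; then
            ftp=ok
        else
            ftp=needs-RequireValidShell-off
        fi
        echo "$name ssh=$ssh ftp=$ftp"
    done < "$1"
}

# Constructed stand-ins for /etc/passwd, /etc/ssh/sshd_config and /etc/shells.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'alice:x:1000:100::/home/alice:/bin/bash' \
              'ftpbob:x:1001:100::/home/ftpbob:/bin/false' > "$demo/passwd"
printf '%s\n' 'Port 22' 'AllowUsers alice' > "$demo/sshd_config"
printf '%s\n' '/bin/sh' '/bin/bash' > "$demo/shells"

audit_accounts "$demo/passwd" "$demo/sshd_config" "$demo/shells"
```

An account showing ssh=yes together with a non-login shell is worth a second look, since AllowUsers alone is what keeps it out of SSH.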
 
All times are GMT -5.