Denying access to SSH but allow access to FTP

nemesisza · 03-08-2004, 07:12 AM

To anyone willing to help,

I would like to disallow access to SSH for certain users, but still allow them to access the server via FTP (running ProFTPd).
I have tried specifying /bin/false as the users default shell script, and this works, but users are then not able to access FTP.

Thanks in advance for any help.

Nemesis

Hangdog42 · 03-08-2004, 10:20 AM

In the sshd configuration file you can add an AllowUsers line. Basically, any user that isn't listed on that line (space separated) doesn't get to log into ssh.

unSpawn · 03-09-2004, 11:49 AM

Another way to deny access in SSH, provided your system supports PAM, is to edit /etc/pam.d/sshd and add pam_listfile:
auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/pam.d/acl/allow_ssh onerr=fail
Now list the names of the accounts, one on a line, you want to allow|deny (see "sense") in /etc/pam.d/acl/allow_ssh

FTP uses cleartext passwords and since that ain't secure you could use an Ftp daemon that can use PAM with external, non-system auth, like Vsftpd. Works kinda like the listfile option, the Vsftpd documentation is very clear on how to set it up.

groo1887 · 03-11-2004, 02:35 AM

Sweet thanks for your help, I wanted to know the same info. I did it by just adding the AllowUsers in /etc/ssh/sshd_config.

-Amir

nemesisza · 03-14-2004, 09:57 AM

Thanks for your help guys

Inexactitude · 03-14-2004, 10:25 PM

About giving users /bin/false and then not being able to use ftp, proftpd defaults to requiring a valid shell to access the server. So if you just add RequireValidShell off to your proftpd conf file, you would have been set.