Old 03-08-2004, 08:12 AM   #1
Registered: Apr 2003
Distribution: Slackware 9.1
Posts: 36

Rep: Reputation: 15
Denying access to SSH but allow access to FTP

To anyone willing to help,

I would like to disallow access to SSH for certain users, but still allow them to access the server via FTP (running ProFTPd).
I have tried specifying /bin/false as the users' default shell script, and this works, but users are then not able to access FTP.

Thanks in advance for any help.

Old 03-08-2004, 11:20 AM   #2
LQ Veteran
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 416
In the sshd configuration file you can add an AllowUsers line. Basically, any user that isn't listed on that line (space separated) doesn't get to log into ssh.
Old 03-09-2004, 12:49 PM   #3
Registered: May 2001
Posts: 28,900
Blog Entries: 55

Rep: Reputation: 3357
Another way to deny access in SSH, provided your system supports PAM, is to edit /etc/pam.d/sshd and add pam_listfile:
auth required /lib/security/ item=user sense=allow file=/etc/pam.d/acl/allow_ssh onerr=fail
Now list the names of the accounts, one on a line, you want to allow|deny (see "sense") in /etc/pam.d/acl/allow_ssh

FTP uses cleartext passwords and since that ain't secure you could use an Ftp daemon that can use PAM with external, non-system auth, like Vsftpd. Works kinda like the listfile option, the Vsftpd documentation is very clear on how to set it up.
Old 03-11-2004, 03:35 AM   #4
LQ Newbie
Registered: Feb 2004
Posts: 4

Rep: Reputation: 0
Sweet, thanks for your help, I wanted to know the same info. I did it by just adding the AllowUsers in /etc/ssh/sshd_config.

Old 03-14-2004, 10:57 AM   #5
Registered: Apr 2003
Distribution: Slackware 9.1
Posts: 36

Original Poster
Rep: Reputation: 15
Thanks for your help guys
Old 03-14-2004, 11:25 PM   #6
Registered: Oct 2003
Distribution: Slackware 12.2, Ubuntu 9.04
Posts: 477

Rep: Reputation: 30
About giving users /bin/false and then not being able to use ftp, proftpd defaults to requiring a valid shell to access the server. So if you just add RequireValidShell off to your proftpd conf file, you would have been set.
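
Added example, not written by any poster in this thread: a small shell audit that combines the AllowUsers suggestion from post #2 with the RequireValidShell setting from post #6 and reports, per account, whether SSH and FTP logins would be accepted. The file contents, account names and function names are constructed for illustration, and the model is simplified as noted in the comments.

```shell
#!/bin/sh
# Added example. All file contents below are constructed sample data.
# Simplified model: only AllowUsers is read (no DenyUsers, groups, Match
# blocks, "!" negation or @HOST matching), and RequireValidShell is taken
# from the last occurrence anywhere in the ProFTPD config file.

# ssh_allowed USER SSHD_CONFIG -> prints allow or deny
ssh_allowed() {
    user=$1
    patterns=$(awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }' "$2")
    # Without any AllowUsers line, sshd does not filter by user name.
    [ -z "$patterns" ] && { echo allow; return; }
    set -f                      # keep * and ? in patterns from globbing files
    for p in $patterns; do
        p=${p%%@*}              # drop an optional @HOST suffix
        case $user in $p) set +f; echo allow; return ;; esac
    done
    set +f
    echo deny
}

# ftp_allowed SHELL PROFTPD_CONF SHELLS_FILE -> prints allow or deny
ftp_allowed() {
    # "RequireValidShell off" disables the shell check entirely.
    if awk 'tolower($1) == "requirevalidshell" { v = tolower($2) }
            END { exit !(v == "off") }' "$2"
    then echo allow; return; fi
    # Default: the login shell must be listed in the shells file.
    if grep -qxF -- "$1" "$3"; then echo allow; else echo deny; fi
}

# report PASSWD SSHD_CONFIG PROFTPD_CONF SHELLS_FILE -> one line per account
report() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        echo "$name ssh=$(ssh_allowed "$name" "$2") ftp=$(ftp_allowed "$shell" "$3" "$4")"
    done < "$1"
}

demo() {
    d=$(mktemp -d)
    printf '%s\n' 'alice:x:1000:100::/home/alice:/bin/bash' \
                  'ftpbob:x:1001:100::/home/ftpbob:/bin/false' > "$d/passwd"
    printf '%s\n' '/bin/sh' '/bin/bash' > "$d/shells"
    printf '%s\n' 'Port 22' 'AllowUsers alice admin*' > "$d/sshd_config"
    printf '%s\n' 'ServerName "example"' 'RequireValidShell off' > "$d/proftpd.conf"
    report "$d/passwd" "$d/sshd_config" "$d/proftpd.conf" "$d/shells"
    rm -rf "$d"
}
demo
```

In the sample, ftpbob is kept out of SSH by AllowUsers rather than by the /bin/false shell, and is accepted for FTP only because RequireValidShell is off.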



All times are GMT -5.
