Limit user via SSH (AllowedUser) but how NOT to affect vsftpd?
vsftpd is an FTP server; sftp is a subsystem within ssh to provide FTP-like functionality, but it is not FTP. You appear to be thinking there is some form of connection between them when there is none.
No, sftp and ssh are extremely closely connected, as sftp is a sub-part of ssh. Can you give a real-life justification as to why you would wish to prevent sftp access to specific users in favour of ssh only? I can't see a reason for this myself.
Well, FTP itself is subject to the restrictions that the FTP server can provide. I couldn't really comment on the details, but then as FTP doesn't have a shell component, I'm not sure what you're asking about FTP.
I think I understand what the OP is getting at. You want some users to have shell access, but you don't want them to be able to use unencrypted FTP because that would make it potentially possible for someone to get their password and then gain shell access. However, for other users you want them to be able to use FTP, but you don't want them to have shell access.
If I've understood what you want to do correctly, you need to set AllowUsers for the users with shell access. As other people have already pointed out, these users will still have sftp access, and there's nothing you can do about that. Apart from anything else, they could always log into your server, and then sftp out, back to their own box, so even if disabling sftp was possible, with shell access it wouldn't really prevent anything.
You then need to configure your FTP server for the non-shell users, which will depend on which server program you're running. For vsftpd, you need to set two variables in /etc/vsftpd.conf: userlist_enable=YES and userlist_deny=NO. These options mean that access to the FTP server is restricted to a specified list of users, and that anyone who is not in the list will be blocked from access. The list of users goes in the file /etc/vsftpd.user_list, one username per line. If these are local users rather than virtual users, you'll also need the option local_enable=YES in /etc/vsftpd.conf.
Incidentally, you can also set vsftpd to use TLS encryption, but not all clients support it. I've not tried setting that up myself, so can't advise on it. The vsftpd documentation on their website is pretty good though; just have a look there.
I just skimmed the thread, and I didn't notice anyone stating the solution for allowing sftp access without allowing ssh shell access. The solution for that direction, at least, is "rssh". Basically, rssh is a restricted shell designed to allow the minimum commands necessary to use sftp and/or scp. By default, it allows NOTHING. In order to use it, you install rssh and then edit /etc/passwd to make the shell of any restricted user "/bin/rssh/" (or wherever exactly rssh installs).
You can configure rssh to allow sftp and/or scp access, but you don't need to if all you care about is allowing standard ftp access (which has nothing to do with the ssh protocol).
So, there's no "list" of users restricted to FTP access, but rather you manually edit the /etc/passwd file to change the shell for restricted users from bash to rssh. You can test to make sure it's working by using "su <username>" to log in as that user. If it's working, then you'll see a brief login message saying that the shell is "rssh" and then the login disconnects.
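A small audit script, added here as an example and not taken from any post in this thread: it cross-checks the two mechanisms described above (sshd AllowUsers together with vsftpd's user list under userlist_deny=NO, and rssh as the login shell for FTP-only accounts) and reports accounts that end up with both shell and plain-FTP access, or FTP-listed accounts whose login shell is not rssh. The sshd_config, vsftpd.user_list and passwd files it reads are constructed sample copies written under a temp directory, and the user names in them are made up.

```shell
#!/bin/sh
# Constructed sample files standing in for /etc/ssh/sshd_config,
# /etc/vsftpd.user_list and /etc/passwd (demo data, not a real host).
D="${TMPDIR:-/tmp}/lq_access_audit"
mkdir -p "$D"
printf 'Port 22\nAllowUsers alice bob\n' > "$D/sshd_config"
printf 'bob\ncarol\n' > "$D/vsftpd.user_list"
printf '%s\n' \
  'alice:x:1001:1001::/home/alice:/bin/bash' \
  'bob:x:1002:1002::/home/bob:/bin/bash' \
  'carol:x:1003:1003::/home/carol:/usr/bin/rssh' \
  'dave:x:1004:1004::/home/dave:/bin/bash' > "$D/passwd"

# Users granted shell access by sshd's AllowUsers line(s); a user@host
# pattern is reduced to its user part.  $1: sshd_config
allow_users() {
  awk '$1 == "AllowUsers" { for (i = 2; i <= NF; i++) { sub(/@.*/, "", $i); print $i } }' "$1"
}

# Shell users who are also on the vsftpd user list (with userlist_deny=NO
# that list is an allow list), i.e. accounts whose password could be
# captured over plain FTP and then reused for ssh.
# $1: sshd_config  $2: vsftpd.user_list
shell_and_ftp() {
  allow_users "$1" | while read -r u; do
    if grep -qx "$u" "$2"; then printf '%s\n' "$u"; fi
  done
}

# FTP-listed users whose login shell is not rssh, so an ssh login would
# still give them a real shell.  Extend the case pattern if you use a
# different restricted shell.  $1: vsftpd.user_list  $2: passwd
ftp_users_with_real_shell() {
  while read -r u; do
    shell=$(awk -F: -v u="$u" '$1 == u { print $7 }' "$2")
    case "$shell" in
      */rssh) ;;                            # restricted shell: fine
      *) printf '%s %s\n' "$u" "$shell" ;;  # real (or missing) shell: flag it
    esac
  done < "$1"
}

echo "Shell users also allowed plain FTP (should be empty):"
shell_and_ftp "$D/sshd_config" "$D/vsftpd.user_list"
echo "FTP users whose login shell is not rssh:"
ftp_users_with_real_shell "$D/vsftpd.user_list" "$D/passwd"
```

On a real host, point the three arguments at the live files; the sample data flags bob on both checks because he is in AllowUsers, in the FTP list, and still has /bin/bash.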