[SOLVED] Need user account which can connect by ssh but not login locally nor run shell
I wish to create a user account on my server which will be used ONLY to transfer files to/from the server over ssh. I do not want the account to be able to log in at the console of the server, nor to be able to invoke a shell once it is connected to the server over ssh.
I think I recall being able to do this on HPUX (well actually I requested the account to be set up and the Unix admin created it and turned it over to me). I have no idea how this was done. Can anyone point me in the right direction? I am running Ubuntu 10.04 on the server if that matters.
AFAIK that cannot be done with pure ssh - ssh is "secure shell", you log in to a shell on a remote computer with it.
What you are after is probably sftp, to the user it behaves just like ftp but transfer is with ssh - at least this is how I understand the docs, never used it just read about it so please don't shoot me if I'm wrong! ;-)
Thanks pingu, my bad. I am connecting with gnome-commander which has the choice "ssh" but which actually connects with "sftp". No shell is involved in the connection. On the other hand gnome-commander stores the password used for the connection in plain text and the "use gnome keyring" in gnome-commander does not work so my workaround for the moment is to use a do-very-little account to make the connection.
I really need to rethink the whole approach to connecting from my PC to the server for the purpose of moving files. I could use nfs but it is not very secure (although I am on a private LAN and the risks are minimal). I can connect using nautilus but although the mount shows up on the desktop (Ubuntu 10.04) it is not available to gnome-commander which is my preferred file mover. I could use Samba but that is such a Windoze thing.
There are two ways that you can do this (as far as I know).
You can set up an FTP server with virtual users; that's the way I'm not familiar with. And you can set up an FTP server with normal users and don't allow login using a shell by setting the shell to /bin/false (or something like that; check your system). If the latter option still allows ssh access (I don't think it will but I'm not sure), you can block users in the sshd configuration.
Configure the ftp server to use ftps for secure transfers.
I set the shell to /bin/false and my dummy account cannot connect over ssh as expected. It also cannot connect by ssh or sftp or whatever gnome commander uses for its connection. So I guess I am on to plan B or C or perhaps I will explore Secure NFS which I think is related to Kerberos which I also need to explore.
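The result reported above follows from sshd starting an external sftp-server through the account's login shell, so a /bin/false shell blocks SFTP too; serving SFTP inside sshd with internal-sftp avoids the shell entirely. The script below is an added example, not from any poster in this thread: it shows a constructed sshd_config for such an account and a check that the restrictions are present. The account name xfer, the chroot path and the function names are assumptions.

```shell
#!/bin/sh
# Added example. The account name "xfer" and the chroot path are assumptions.

# Constructed sshd_config: SFTP is served inside sshd (internal-sftp), so the
# account's login shell is never executed and can stay /bin/false.
# The ChrootDirectory target must be owned by root and not user-writable.
hardened_config() {
cat <<'EOF'
Subsystem sftp internal-sftp

Match User xfer
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp/%u
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Constructed config matching the attempt in the thread: an external
# sftp-server is started through the login shell, so /bin/false blocks SFTP.
legacy_config() {
cat <<'EOF'
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
}

# Read an sshd_config on stdin and list the restrictions missing from the
# "Match User <name>" block. Exit status is 0 only when none are missing.
audit_sftp_only() {
    awk -v user="$1" '
        BEGIN {
            need["forcecommand internal-sftp"] = 1
            need["allowtcpforwarding no"] = 1
            need["x11forwarding no"] = 1
            bad = 0
        }
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        { $1 = tolower($1) }                 # keywords are case-insensitive
        $1 == "match" { inblock = (NF == 3 && tolower($2) == "user" && $3 == user); next }
        inblock { delete need[$0] }          # $0 was rebuilt with single spaces
        END {
            for (d in need) { print "missing: " d; bad = 1 }
            exit bad
        }'
}

hardened_config | audit_sftp_only xfer && echo "hardened: sftp-only"
legacy_config | audit_sftp_only xfer || echo "legacy: not restricted"
```

To audit a live server, feed it the real file instead of the sample: `audit_sftp_only xfer < /etc/ssh/sshd_config`.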
@taylorkh: Is this question about CentOS 5 on the server side? (I saw an Ubuntu reference, but you appeared to be talking about your desktop.) If CentOS 5, this is an easy enough problem to solve. Read the full instructions here: http://www.linuxquestions.org/questi...on-rhel5-3495/
With the solution that I mention, I was talking about an FTP server and ftps (not sftp). But other solutions might be better.
If your concern is having a password in plain text, I would recommend using a key instead (which is more secure anyway). See https://help.ubuntu.com/community/SSH/OpenSSH/Keys. Then you should be able to use sftp without having to use or store a password.
Thanks as always unSpawn for answering the question! The products you mention look like they should do what I asked for. However, I am afraid my question was avoiding the root cause (pardon the pun) of my issue. The issue is that gnome-commander, my favorite file manager interface, saves passwords for remote connections in plain text in ~/gnome-commander/connections. If I try the "use gnome keyring" option in gnome-commander it does not do so and crashes about 9 out of 10 times. I have set up a dummy account with few privileges which I can use to connect to another machine. But that presents me with file permission issues. If I, ken, download a file on my low power consumption netbook and want to move it to my desktop PC I can connect as the dummy account and copy the file. However, the dummy account does not have write permissions to the file. The permissions created by ken are "-rw-r--r-- 1 ken ken". So unless I change my umask to 002 I cannot share write permission to the files in question. I believe I need to sit back and think this through a little more.
Thanks flamelord. That might be what I need. However, I am not sure how gnome-commander will interface with it. See the above paragraph. gnome-commander is the underlying cause of the issue. I have tried several other similar tools but despite its warts, gnome-commander is closest to what I want (although I just installed Krusader and it may have possibilities).
I think what I really need to do is to establish secure connections from the PC to the other machines (sort of like making an NFS mount) and then just access the mounted locations in gnome-commander and not worry about gnome-commander doing the connection. If your suggestion can do something like that it may solve the problem. I also have some information about using NFS over an ssh tunnel but I have not tried configuring such a thing yet.
I have resolved the root (pardon the pun) cause of this fiasco. I have gotten gnome-commander to work with the Gnome Keyring and I can connect with my normal account and privileges. I do not need the dummy account. I am dummy enough.