Linux - Security

#1  06-15-2007, 03:03 AM
Member | Registered: Apr 2005 | Distribution: Red Hat / Fedora / CentOS | Posts: 508
Limit user via SSH (AllowedUser) but how NOT to affect vsftpd?
Hi guys,
I have an FTP server whose SSH access I have limited to only a certain group of users, but I have a whole chunk of users that are using it for FTP and via SFTP. That doesn't work once I set a limit for AllowedUser in SSHD_CONFIG.
Is there any known way around this?
Thanks!

#2  06-15-2007, 03:25 AM
Moderator | Registered: Jun 2001 | Location: UK | Distribution: Gentoo, RHEL, Fedora, Centos | Posts: 43,417
vsftpd is an FTP server; sftp is a subsystem within ssh that provides FTP-like functionality, but it is not FTP. You appear to be thinking there is some form of connection between them when there is none.

#3  06-15-2007, 06:08 AM
Member (Original Poster) | Registered: Apr 2005 | Distribution: Red Hat / Fedora / CentOS | Posts: 508
So ssh is offering sftp as an add-on kind of thing.
So if I limit users' access via ssh, I will limit everything under it?

#4  06-15-2007, 06:13 AM
Moderator | Registered: Jun 2001 | Location: UK | Distribution: Gentoo, RHEL, Fedora, Centos | Posts: 43,417
Yes, sshd_config covers sftp too. Note that replacing vsftp with sftp isn't a straight swap, as sftp is *NOT* the FTP protocol; it just mimics it.

#5  06-18-2007, 06:28 AM
Member (Original Poster) | Registered: Apr 2005 | Distribution: Red Hat / Fedora / CentOS | Posts: 508
So if I have 5 user accounts on the server, and I want to limit ssh access to only 1 account, but for FTP I want to allow all,
I can't do it?

#6  06-18-2007, 07:15 AM
Moderator | Registered: Jun 2001 | Location: UK | Distribution: Gentoo, RHEL, Fedora, Centos | Posts: 43,417
There is a special shell you can give to a user account, scponly, which means they can only use sftp / scp over ssh, not ssh itself: http://sublimation.org/scponly/wiki/index.php/Main_Page

#7  06-18-2007, 10:13 PM
Member (Original Poster) | Registered: Apr 2005 | Distribution: Red Hat / Fedora / CentOS | Posts: 508
Hmm, if that's the case, is it possible to have a separate set of users allowed only for SSH, and another only for FTP?

#8  06-19-2007, 02:38 AM
Moderator | Registered: Jun 2001 | Location: UK | Distribution: Gentoo, RHEL, Fedora, Centos | Posts: 43,417
I've not seen it in that other direction of only allowing shell. Shell is always more privileged, so it wouldn't provide a benefit to only allow that.

#9  06-25-2007, 03:19 AM
Member (Original Poster) | Registered: Apr 2005 | Distribution: Red Hat / Fedora / CentOS | Posts: 508
Hmmm, as this is an FTP server, the usage is more unorthodox.
I would like to create a few fixed accounts for SSH only (but not allowed FTP),
and some other accounts for FTP only, but not SSH (that is obtainable via sshd_config under AllowedUsers).
So the SSH-only way can't work if the FTP service is running?
No way to get the services to rely on different sets of user databases or something like that?
Thanks!

#10  06-25-2007, 03:51 AM
Moderator | Registered: Jun 2001 | Location: UK | Distribution: Gentoo, RHEL, Fedora, Centos | Posts: 43,417
No, sftp and ssh are extremely closely connected, as sftp is a sub-part of ssh. Can you give a real-life justification as to why you would wish to prevent sftp access to specific users in favour of ssh only? I can't see a reason for this myself.

#11  06-25-2007, 05:24 AM
Member (Original Poster) | Registered: Apr 2005 | Distribution: Red Hat / Fedora / CentOS | Posts: 508
Different users with different roles? I am just toying with my FTP server.
What about FTP (not sFTP)?

#12  06-25-2007, 05:30 AM
Moderator | Registered: Jun 2001 | Location: UK | Distribution: Gentoo, RHEL, Fedora, Centos | Posts: 43,417
Well, FTP itself is subject to the restrictions that that FTP server can provide. I couldn't really comment on the details, but then as FTP doesn't have a shell component, I'm not sure what you're asking about FTP.

#13  06-25-2007, 06:28 AM
Member | Registered: Aug 2003 | Location: UK | Distribution: (X)Ubuntu 10.04/10.10, Debian 5, CentOS 5 | Posts: 900
I think I understand what the OP is getting at. You want some users to have shell access, but you don't want them to be able to use unencrypted FTP because that would make it potentially possible for someone to get their password and then gain shell access. However, for other users you want them to be able to use FTP, but you don't want them to have shell access.
If I've understood what you want to do correctly, you need to set AllowUsers for the users with shell access. As other people have already pointed out, these users will still have sftp access, and there's nothing you can do about that. Apart from anything else, they could always log into your server, and then sftp out, back to their own box, so even if disabling sftp was possible, with shell access it wouldn't really prevent anything.
You then need to configure your FTP server for the non-shell users, which will depend on which server program you're running. For vsftpd, you need to set two variables in /etc/vsftpd.conf: userlist_enable=YES and userlist_deny=NO. These options mean that access to the FTP server is restricted to a specified list of users, and that anyone who is not in the list will be blocked from access. The list of users goes in the file /etc/vsftpd.user_list, one username per line. If these are local users rather than virtual users, you'll also need the option local_enable=YES in /etc/vsftpd.conf.
Incidentally, you can also set vsftpd to use TLS encryption, but not all clients support it. I've not tried setting that up myself, so I can't advise on it. The vsftpd documentation on their website is pretty good, though; just have a look there.

#14  06-25-2007, 10:33 AM
Senior Member | Registered: Apr 2004 | Location: Baton Rouge, Louisiana, USA | Distribution: Debian Stable | Posts: 2,546
I just skimmed the thread, and I didn't notice anyone stating the solution for allowing sftp access without allowing ssh shell access. The solution for that direction, at least, is "rssh". Basically, rssh is a restricted shell designed to allow the minimum commands necessary to use sftp and/or scp. By default, it allows NOTHING. In order to use it, you install rssh and then edit /etc/passwd to make the shell of any restricted user "/bin/rssh/" (or wherever exactly rssh installs).
You can configure rssh to allow sftp and/or scp access, but you don't need to if all you care about is allowing standard ftp access (which has nothing to do with the ssh protocol).
So, there's no "list" of users restricted to ftp access, but rather you manually edit the /etc/passwd file to change the shell for restricted users from bash to rssh. You can test to make sure it's working by using "su <username>" to login as that user. If it's working, then you'll see a brief login message saying that the shell is "rssh" and then the login disconnects.
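Putting the thread's three knobs together, as an added example that is not part of any post above: a small POSIX sh audit that reads sshd's AllowUsers, each account's login shell (scponly from #6 or rssh from #14, with assumed install paths) and vsftpd's userlist_enable/userlist_deny/user_list from #13, then reports whether each local account ends up with shell, sftp and/or FTP access. The four input files are constructed samples standing in for the real /etc files.

```shell
#!/bin/sh
# Added example, not from the thread: report what each local account can do given
# sshd AllowUsers, a restricted login shell (paths assumed) and vsftpd userlist_*.
SSHD_CONF=$(mktemp); VSFTPD_CONF=$(mktemp); USER_LIST=$(mktemp); PASSWD=$(mktemp)
trap 'rm -f "$SSHD_CONF" "$VSFTPD_CONF" "$USER_LIST" "$PASSWD"' EXIT
# Constructed sample files standing in for the real /etc files.
printf 'Port 22\nAllowUsers admin alice carol\n' >"$SSHD_CONF"
printf 'local_enable=YES\nuserlist_enable=YES\nuserlist_deny=NO\n' >"$VSFTPD_CONF"
printf 'alice\nbob\ncarol\n' >"$USER_LIST"
printf '%s\n' 'admin:x:1000:1000::/home/admin:/bin/bash' \
  'alice:x:1001:1001::/home/alice:/bin/bash' 'bob:x:1002:1002::/home/bob:/bin/bash' \
  'carol:x:1003:1003::/home/carol:/usr/bin/rssh' \
  'dave:x:1004:1004::/home/dave:/bin/bash' >"$PASSWD"
# sshd: once AllowUsers is set, only the listed names can authenticate at all,
# and that covers the sftp subsystem as well as interactive logins.
ssh_allowed() {
  allow=$(awk 'tolower($1)=="allowusers"{$1="";print}' "$SSHD_CONF")
  [ -z "$allow" ] && return 0
  for u in $allow; do [ "$u" = "$1" ] && return 0; done
  return 1
}
# A restricted login shell turns an allowed ssh user into sftp/scp-only.
shell_restricted() {
  case "$(awk -F: -v u="$1" '$1==u{print $7}' "$PASSWD")" in
    */rssh|*/scponly) return 0 ;; *) return 1 ;; esac
}
# vsftpd: with userlist_enable=YES, user_list is a whitelist when
# userlist_deny=NO and a blacklist when userlist_deny=YES (its default).
vsftpd_opt() { awk -F= -v k="$1" -v d="$2" '$1==k{v=$2} END{print (v==""?d:v)}' "$VSFTPD_CONF"; }
ftp_allowed() {
  [ "$(vsftpd_opt local_enable NO)" = YES ] || return 1
  [ "$(vsftpd_opt userlist_enable NO)" = YES ] || return 0
  if grep -qx "$1" "$USER_LIST"; then listed=0; else listed=1; fi
  if [ "$(vsftpd_opt userlist_deny YES)" = NO ]; then return $listed; fi
  [ "$listed" -eq 0 ] && return 1 || return 0
}
# Prints the access an account ends up with, e.g. "shell sftp ftp" or "none".
classify() {
  caps=""
  if ssh_allowed "$1"; then
    shell_restricted "$1" || caps="shell"
    caps="$caps sftp"
  fi
  ftp_allowed "$1" && caps="$caps ftp"
  [ -n "$caps" ] && echo $caps || echo none
}
# Accounts that show both "shell" and "ftp" are the case post #13 warns about.
awk -F: '$3>=1000{print $1}' "$PASSWD" | while read -r u; do
  printf '%-6s %s\n' "$u" "$(classify "$u")"; done
```

Point the four variables at the real files to run it against a live box; with the sample data, alice is the account that combines shell access with cleartext FTP.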
All times are GMT -5.