LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 06-15-2007, 03:03 AM   #1
Swakoo
Limit user via SSH (AllowedUser) but how NOT to affect vsftpd?


Hi guys,

I have an FTP server on which I have limited ssh access to only a certain group of users.

But I have a whole chunk of users that are using it for ftp, and via sftp, and that doesn't work once I set a limit for AllowedUser in sshd_config.

Is there any known way around this?

Thanks!
 
Old 06-15-2007, 03:25 AM   #2
acid_kewpie
vsftpd is an FTP server; sftp is a subsystem within ssh that provides FTP-like functionality, but it is not FTP. You appear to be thinking there is some form of connection between them when there is none.
 
Old 06-15-2007, 06:08 AM   #3
Swakoo
So ssh is offering sftp as an add-on kind of thing..

So if I limit users' access via ssh, I will limit everything under it?
 
Old 06-15-2007, 06:13 AM   #4
acid_kewpie
Yes, sshd_config covers sftp too. Note that replacing vsftpd with sftp isn't a straight swap, as sftp is *NOT* the ftp protocol; it just mimics it.
 
Old 06-18-2007, 06:28 AM   #5
Swakoo
So if I have 5 user accounts on the server, and I want to limit ssh access to only 1 account, but for ftp I want to allow all,

I can't do it?
 
Old 06-18-2007, 07:15 AM   #6
acid_kewpie
There is a special shell you can give to a user account, scponly, which means they can only use sftp/scp over ssh, not ssh itself: http://sublimation.org/scponly/wiki/index.php/Main_Page
 
Old 06-18-2007, 10:13 PM   #7
Swakoo
Hmm, if that's the case, is it possible to have a separate set of users allowed only for SSH, and another only for FTP?
 
Old 06-19-2007, 02:38 AM   #8
acid_kewpie
I've not seen it in that other direction of only allowing shell. Shell is always more privileged, so it wouldn't provide a benefit to only allow that.
 
Old 06-25-2007, 03:19 AM   #9
Swakoo
Hmmm.. as this is an FTP server, the usage is more unorthodox.

I would like to create a few fixed accounts for SSH only (but not allowed FTP),

and some other accounts for FTP only, but not SSH (that is obtainable via sshd_config under AllowedUsers).

So the SSH-only way can't work if the ftp service is running?
No way to get the services to rely on different sets of user databases or something like that?

Thanks!
 
Old 06-25-2007, 03:51 AM   #10
acid_kewpie
No, sftp and ssh are extremely closely connected, as sftp is a sub-part of ssh. Can you give a real-life justification as to why you would wish to prevent sftp access to specific users in favour of ssh only? I can't see a reason for this myself.
 
Old 06-25-2007, 05:24 AM   #11
Swakoo
Different users with different roles? I am just toying with my ftp server.

What about FTP (not sFTP)?
 
Old 06-25-2007, 05:30 AM   #12
acid_kewpie
Well, ftp itself is subject to the restrictions that that ftp server can provide. I couldn't really comment on the details, but then as ftp doesn't have a shell component, I'm not sure what you're asking about ftp.
 
Old 06-25-2007, 06:28 AM   #13
Gethyn
I think I understand what the OP is getting at. You want some users to have shell access, but you don't want them to be able to use unencrypted FTP because that would make it potentially possible for someone to get their password and then gain shell access. However, for other users you want them to be able to use FTP, but you don't want them to have shell access.

If I've understood what you want to do correctly, you need to set AllowUsers for the users with shell access. As other people have already pointed out, these users will still have sftp access, and there's nothing you can do about that. Apart from anything else, they could always log into your server, and then sftp out, back to their own box, so even if disabling sftp was possible, with shell access it wouldn't really prevent anything.

You then need to configure your FTP server for the non-shell users, which will depend on which server program you're running. For vsftpd, you need to set two variables in /etc/vsftpd.conf: userlist_enable=YES and userlist_deny=NO. These options mean that access to the FTP server is restricted to a specified list of users, and that anyone who is not in the list will be blocked from access. The list of users goes in the file /etc/vsftpd.user_list, one username per line. If these are local users rather than virtual users, you'll also need the option local_enable=YES in /etc/vsftpd.conf.

Incidentally, you can also set vsftpd to use TLS encryption, but not all clients support it. I've not tried setting that up myself, so can't advise on it. The vsftpd documentation on their website is pretty good though, just have a look there.
 
Old 06-25-2007, 10:33 AM   #14
IsaacKuo
I just skimmed the thread, and I didn't notice anyone stating the solution for allowing sftp access without allowing ssh shell access. The solution for that direction, at least, is "rssh". Basically, rssh is a restricted shell designed to allow the minimum commands necessary to use sftp and/or scp. By default, it allows NOTHING. In order to use it, you install rssh and then edit /etc/passwd to make the shell of any restricted user "/bin/rssh/" (or wherever exactly rssh installs).

You can configure rssh to allow sftp and/or scp access, but you don't need to if all you care about is allowing standard ftp access (which has nothing to do with the ssh protocol).

So, there's no "list" of users restricted to ftp access, but rather you manually edit the /etc/passwd file to change the shell for restricted users from bash to rssh. You can test to make sure it's working by using "su <username>" to login as that user. If it's working, then you'll see a brief login message saying that the shell is "rssh" and then the login disconnects.
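As an added example (not code from this thread, from OpenSSH or from vsftpd), here is a small audit that applies the rules from Gethyn's and IsaacKuo's posts together: sshd's AllowUsers gates both shell and sftp, vsftpd's userlist_enable/userlist_deny/local_enable gate plain FTP, and a restricted shell such as rssh or scponly removes the interactive shell. The config and passwd contents are constructed inline, the shell paths are hypothetical, and rssh/scponly are assumed to be configured to permit sftp (IsaacKuo notes rssh allows nothing by default); the last function flags the overlap Gethyn warns about, accounts with both a shell and plaintext FTP.

```python
import re

# Constructed sample files (not taken from any real host).
SSHD_CONFIG = "Port 22\nAllowUsers alice bob\n"
VSFTPD_CONF = "local_enable=YES\nuserlist_enable=YES\nuserlist_deny=NO\n"
VSFTPD_USER_LIST = "carol\ndave\n"
PASSWD = (
    "alice:x:1001:1001::/home/alice:/bin/bash\n"     # shell + sftp, no FTP
    "bob:x:1002:1002::/home/bob:/usr/bin/rssh\n"      # sftp/scp only
    "carol:x:1003:1003::/home/carol:/sbin/nologin\n"  # plain FTP only
    "dave:x:1004:1004::/home/dave:/bin/bash\n"        # FTP only: not in AllowUsers
)
# Hypothetical shell paths; assumes rssh/scponly are configured to permit sftp.
RESTRICTED = {"/usr/bin/rssh", "/bin/rssh", "/usr/bin/scponly"}
NOLOGIN = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def parse_vsftpd(text):
    """key=value lines, '#' comments; keys lowercased, values uppercased."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, val = line.split("=", 1)
            conf[key.strip().lower()] = val.strip().upper()
    return conf

def audit(sshd_text, vsftpd_text, user_list_text, passwd_text):
    """Map each user to whether they get a shell, sftp, and plain FTP."""
    m = re.search(r"^\s*AllowUsers\s+(.+)$", sshd_text, re.M | re.I)
    allowed = set(m.group(1).split()) if m else None  # None: no AllowUsers line
    conf = parse_vsftpd(vsftpd_text)
    listed = {u.strip() for u in user_list_text.splitlines() if u.strip()}
    deny_mode = conf.get("userlist_deny", "YES") == "YES"  # vsftpd default
    report = {}
    for line in passwd_text.splitlines():
        user, *_, shell = line.split(":")
        via_ssh = allowed is None or user in allowed  # AllowUsers gates shell AND sftp
        if conf.get("local_enable") != "YES":
            ftp = False
        elif conf.get("userlist_enable") == "YES":
            ftp = (user not in listed) if deny_mode else (user in listed)
        else:
            ftp = True
        report[user] = {"shell": via_ssh and shell not in (RESTRICTED | NOLOGIN),
                        "sftp": via_ssh and shell not in NOLOGIN, "ftp": ftp}
    return report

def shell_and_ftp(report):
    """Users whose shell password could be exposed by plaintext FTP logins."""
    return {u for u, r in report.items() if r["shell"] and r["ftp"]}
```

Run it against the real /etc/ssh/sshd_config, /etc/vsftpd.conf (or /etc/vsftpd/vsftpd.conf on Red Hat-style systems), the user_list file and /etc/passwd to see which accounts end up with more than one kind of access.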
 
  

