LinuxQuestions.org
Old 03-02-2007, 01:07 AM   #1
pankajkarde
Member
 
Registered: Jan 2007
Posts: 41

Rep: Reputation: 15
provide restriction to user


hi friends,
I have installed a Red Hat CentOS on my server.
There are a few users who have SSH, SFTP and telnet login access to this server. Now I want to create a new user such that he can only do SFTP login to this server and not SSH, telnet, etc.
Will you please help me with this problem?
 
Old 03-02-2007, 02:30 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Set his shell to /bin/false or /bin/nologin, either directly in /etc/passwd or with the usermod tool. FTP doesn't spawn a user shell, so it will still work, but SSH itself will die instantly.
 
Old 03-02-2007, 04:29 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Here's another way if your system supports PAM (which it does), using scponly and pam_listfile. I use this because it allows for more granular control.
- Install scponly,
- Add scponly to /etc/shells,
- "vipw" and change the shell to /usr/bin/scponly.

Now the trick is that if you chose vsftpd as your FTP daemon you already have /etc/pam.d/vsftpd, and within that PAM stack file you already have the line "auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed". Basically we'll add a similar line to any service we want to deny logins for.

- Add the user to the vsftpd denied list (sense=deny): "echo $deniedusername >> /etc/vsftpd.ftpusers",
- Make the ACL: "echo $deniedusername > /etc/login.deny" (change $deniedusername),
- Add this line: "auth required pam_listfile.so item=user sense=deny file=/etc/login.deny onerr=succeed" to all services you want to deny the user access for, like login, ftp, telnet, etc. Don't add it to system-auth or you'll block about every access for the user (which is neat too, but not the point here).

Now watch your messages/secure logs and test. If you FTP in as the user you should be blocked. If you "ssh user@host 'touch test'" this will fail. If you ssh in as the user you can't get a command line. Etc, etc.
 
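The recipe in the post above, as an added example that is not code from the thread or from the scponly project: idempotent POSIX shell helpers that register the shell in /etc/shells, maintain the pam_listfile deny list and prepend the deny line to a PAM service file, plus a check you can run afterwards. File paths are parameters so the functions can be tried on scratch copies before touching /etc; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. On a real host pass /etc/shells,
# /etc/login.deny and /etc/pam.d/<service>; never pass system-auth, as the
# post warns, or the user is blocked from everything.
set -eu

# Exactly the line the post adds. Note onerr=succeed: if the deny file is
# unreadable, pam_listfile returns success and the deny check is skipped,
# so keep /etc/login.deny present and root-owned.
PAM_DENY_LINE='auth required pam_listfile.so item=user sense=deny file=/etc/login.deny onerr=succeed'

# Ensure a shell path is listed in the shells file (e.g. /etc/shells) once.
register_shell() {            # $1 = shells file, $2 = shell path
    grep -qxF "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Add a user name to the pam_listfile deny list exactly once.
deny_user() {                 # $1 = deny list file, $2 = user name
    grep -qxF "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Prepend the deny line to a PAM service file so it runs before the rest of
# the auth stack; leaves the file alone if the line is already there.
add_pam_deny() {              # $1 = PAM service file (e.g. /etc/pam.d/login)
    if grep -qF "$PAM_DENY_LINE" "$1"; then
        return 0
    fi
    tmp=$(mktemp)
    { printf '%s\n' "$PAM_DENY_LINE"; cat "$1"; } > "$tmp"
    cat "$tmp" > "$1"         # rewrite in place, keeping inode and mode
    rm -f "$tmp"
}

# Post-change check: 0 if the user is in the deny list and every given PAM
# file carries the deny line, 1 otherwise.
verify_deny() {               # $1 = deny list, $2 = user, $3.. = PAM files
    deny=$1; user=$2; shift 2
    grep -qxF "$user" "$deny" || return 1
    for f in "$@"; do
        grep -qF "$PAM_DENY_LINE" "$f" || return 1
    done
    return 0
}
```

After applying it, the post's manual tests (FTP login, "ssh user@host 'touch test'", an interactive ssh) are still the real verification; verify_deny only confirms the files say what you intended.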