03-02-2007, 01:07 AM | #1 | Member | Registered: Jan 2007 | Posts: 41
provide restriction to user
Hi friends,
I have installed a Red Hat CentOS on my server.
There are a few users who have ssh, sftp and telnet login access to this server. Now I want to create a new user such that he is only able to do an sftp login to this server and not ssh, telnet, etc.
Will you please help me with this problem?
03-02-2007, 02:30 AM | #2 | Moderator | Registered: Jun 2001 | Location: UK | Distribution: Gentoo, RHEL, Fedora, Centos | Posts: 43,417
Set his shell to /bin/false or /bin/nologin, either directly in /etc/passwd or with the usermod tool. ftp doesn't spawn a user shell, so it will still work, but ssh itself will die instantly.
03-02-2007, 04:29 AM | #3 | Moderator | Registered: May 2001 | Posts: 29,415
Here's another way if your system supports PAM (which it does), using Scponly and pam_listfile. I use this because it allows for more granular control.
- Install scponly,
- Add scponly to /etc/shells,
- "vipw" and change the shell to /usr/bin/scponly.
Now the trick is: if you chose Vsftpd as your FTP daemon, you already have /etc/pam.d/vsftpd, and within that PAM stack file you already have the line "auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed". Basically we'll add something similar to any service we want to deny logins for.
- Add the user to the Vsftpd denied list (sense=deny): "echo $deniedusername >> /etc/vsftpd.ftpusers",
- Make the ACL: "echo $deniedusername > /etc/login.deny" (change $deniedusername),
- Add this line: "auth required pam_listfile.so item=user sense=deny file=/etc/login.deny onerr=succeed" to all services you want to deny the user access for, like login, ftp, telnet, etc. Don't add it to system-auth or you'll block about every access for the user (which is neat too, but not the point here).
Now watch your messages/secure logs and test. If you ftp in as the user you should be blocked. If you "ssh user@host 'touch test'" this will fail. If you ssh in as the user you can't get a command line. Etc, etc.
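The shell-change step from post #2 and the scponly + pam_listfile steps from post #3, written up as an added example (not code from either poster). Every file path is a parameter whose default is the real system path, so the same functions can be exercised against scratch copies before touching /etc; the `demo` function and the sample passwd/shells/login contents it writes are constructed for that purpose. The one point the thread leaves implicit is where the pam_listfile rule goes in the stack, so `add_pam_deny` puts it first and the comment explains why.

```shell
#!/bin/sh
# Added example: apply the restriction steps from posts #2 and #3 idempotently.
# All paths are parameters (defaults = real system paths) so the functions
# can be run against copies in a scratch directory first.

# Append LINE to FILE unless an identical line is already there.
append_once() {
    file=$1; line=$2
    if [ -f "$file" ] && grep -qxF -- "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# Post #2 / post #3 step 3: change a user's login shell in a passwd-format file.
# On a live system use "usermod -s" or vipw (the tools the posts name); this
# variant takes the file path so the edit can be tested on a copy.
set_login_shell() {
    user=$1; shell=$2; passwd=${3:-/etc/passwd}
    tmp="$passwd.tmp.$$"
    awk -F: -v u="$user" -v s="$shell" 'BEGIN { OFS=":" } $1 == u { $7 = s } { print }' \
        "$passwd" > "$tmp" && mv "$tmp" "$passwd"
}

# Post #3 step 2: register scponly so login(1) and chsh accept it as a shell.
register_shell() {
    append_once "${2:-/etc/shells}" "${1:-/usr/bin/scponly}"
}

# Post #3: put the user on both deny lists read by pam_listfile.
deny_user() {
    user=$1; acl=${2:-/etc/login.deny}; ftpusers=${3:-/etc/vsftpd.ftpusers}
    append_once "$acl" "$user"
    append_once "$ftpusers" "$user"
}

# Post #3: add the pam_listfile deny rule to one PAM service stack (login, ftp,
# telnet, ...). The rule is inserted FIRST: a "required" module placed after
# "auth sufficient pam_unix.so" (which "auth include system-auth" pulls in on
# CentOS) is never reached once the password check succeeds, so a deny rule
# appended at the bottom would be silently bypassed.
add_pam_deny() {
    service=$1; acl=${2:-/etc/login.deny}
    rule="auth required pam_listfile.so item=user sense=deny file=$acl onerr=succeed"
    if [ -f "$service" ] && grep -qxF -- "$rule" "$service"; then
        return 0
    fi
    tmp="$service.tmp.$$"
    { printf '%s\n' "$rule"; if [ -f "$service" ]; then cat "$service"; fi; } > "$tmp" \
        && mv "$tmp" "$service"
}

# Audit helper: the user's shell from passwd and whether the ACL denies them.
user_status() {
    user=$1; passwd=${2:-/etc/passwd}; acl=${3:-/etc/login.deny}
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd")
    if [ -f "$acl" ] && grep -qxF -- "$user" "$acl"; then denied=yes; else denied=no; fi
    echo "shell=$shell denied=$denied"
}

# Walk through the procedure on constructed sample files in a temp dir.
demo() {
    root=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\nalice:x:1001:1001::/home/alice:/bin/bash\n' > "$root/passwd"
    printf '/bin/sh\n/bin/bash\n' > "$root/shells"
    printf 'auth include system-auth\naccount include system-auth\n' > "$root/login"
    register_shell /usr/bin/scponly "$root/shells"
    set_login_shell alice /usr/bin/scponly "$root/passwd"
    deny_user alice "$root/login.deny" "$root/ftpusers"
    add_pam_deny "$root/login" "$root/login.deny"
    add_pam_deny "$root/login" "$root/login.deny"   # second run changes nothing
    user_status alice "$root/passwd" "$root/login.deny"
    cat "$root/login"
    rm -rf "$root"
}

case "${1:-}" in --demo) demo ;; esac
```

Run it with `--demo` to see the result on the scratch copies; source it without arguments to get the functions for real paths. One thing to keep in mind when choosing between the two posts: OpenSSH starts its sftp subsystem through the user's login shell, which is why post #3 reaches for scponly rather than /bin/false. A non-interactive shell stops the subsystem from starting at all, whereas scponly accepts the sftp-server invocation and refuses everything else, and the pam_listfile rule then closes the other services.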