Date: Wed, 21 Mar 2001 16:12:49 -0500
From: Raoul Schroeder <memphis_ms@gmx.net>
To: SF <lists@stevenfettig.com>
Cc: Freebsd-Questions <freebsd-questions@FreeBSD.ORG>
Subject: Re: Users for Daemons - not logging in - how?
Message-ID: <3AB91950.805D0FC2@gmx.net>
References: <LOBBKFILCMGGNDCBBCELIEJJDOAA.lists@stevenfettig.com>
SSHD allows you to specify AllowUsers in the config file /etc/ssh/sshd_config.
Everyone who is not in there cannot log on. If that option is not specified,
everyone is allowed to log on.

In my opinion though, a user who controls a daemon should have a starred-out
password anyway...

If you do not want those users to be able to log on AT ALL, then give them
/sbin/nologin as a shell. qmail's /nonexistent is not 100% FreeBSD norm, IIRC.

SF wrote:

> I'm trying to set up users for running specific service daemons, but I don't
> want someone to be able to use that user to log into the machine via ssh
> (which is the only way to log into the machine remotely) or the console. I
> searched through the mail list and couldn't find the answer, but apologize
> if this has been asked before. Would I be correct in doing something
> similar to what one does when installing qmail? I.e.:
>
> pw groupadd daemongrp
> pw useradd daemon1 -g daemongrp -d /var/daemondir -s /nonexistent
>
> &tc...
>
> I guess I'm looking for a fairly secure way of adding groups and users that
> won't open me up to possible attacks. Any suggestions are welcome.
>
> TIA,
> SF
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3AB91950.805D0FC2>
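
An added example, not part of the original thread: a small audit that checks each account against the three controls discussed above (non-login shell, starred-out password field, sshd AllowUsers). The function names and sample accounts are hypothetical, the input is assumed to be in FreeBSD master.passwd format, and only plain user names in AllowUsers are handled.

```sh
#!/bin/sh
# audit_accounts PASSWD_FILE SSHD_CONFIG
# Prints one line per account:
#   name shell=<nologin|LOGIN> pw=<locked|SET|EMPTY> ssh=<allowed|denied>
# "ssh" only reflects the AllowUsers list, not the shell or password checks.
audit_accounts() {
    awk -F: -v cfg="$2" '
    BEGIN {
        split("", allow)
        # AllowUsers is case-insensitive and several lines accumulate.
        # Simplification: user@host and wildcard patterns are not handled.
        while ((getline line < cfg) > 0) {
            n = split(line, w, /[ \t]+/)
            i = (w[1] == "") ? 2 : 1
            if (tolower(w[i]) == "allowusers") {
                restricted = 1
                for (j = i + 1; j <= n; j++) if (w[j] != "") allow[w[j]] = 1
            }
        }
        close(cfg)
    }
    /^#/ || NF < 10 { next }
    {
        # master.passwd: name:password:uid:gid:class:change:expire:gecos:home:shell
        shell = ($10 == "/sbin/nologin" || $10 == "/usr/sbin/nologin" || $10 == "/nonexistent") ? "nologin" : "LOGIN"
        pw = ($2 == "") ? "EMPTY" : (substr($2, 1, 1) == "*" ? "locked" : "SET")
        ssh = (!restricted || ($1 in allow)) ? "allowed" : "denied"
        printf "%s shell=%s pw=%s ssh=%s\n", $1, shell, pw, ssh
    }' "$1"
}

# Constructed sample data, written into directory $1 (not from a real host).
write_samples() {
    cat > "$1/master.passwd" <<'EOF'
root:$1$constructed:0:0::0:0:Charlie &:/root:/bin/csh
daemon1:*:1001:1001::0:0:service daemon:/var/daemondir:/sbin/nologin
daemon2:*:1002:1001::0:0:service daemon:/var/daemondir:/bin/sh
sf:$1$constructed:1003:1003::0:0:admin:/home/sf:/bin/sh
EOF
    printf 'Port 22\nAllowUsers sf\n' > "$1/sshd_config"
}

tmp=$(mktemp -d) && write_samples "$tmp" &&
    audit_accounts "$tmp/master.passwd" "$tmp/sshd_config"
rm -rf "$tmp"
```

Any daemon account reported with shell=LOGIN, pw=SET or pw=EMPTY still has a login path that does not depend on AllowUsers.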