Date: Wed, 20 Aug 2003 20:09:24 +0200
From: Walter Hop <freebsd@walter.transip.nl>
To: Blake Swensen <blake@pyramus.com>
Cc: FreeBSD ISP List <freebsd-isp@FreeBSD.ORG>
Subject: Re: Best methods for preventing SSH allowing FTP
Message-ID: <8010538263.20030820200924@blue.calx.nl>
In-Reply-To: <3F439250.6010408@pyramus.com>
References: <3F439250.6010408@pyramus.com>
[in reply to blake@pyramus.com, 20-8-2003]
> Anyone have suggestions for the best methods for locking an account so
> that a user or a group can only ftp/POP/IMAP and prevent all other
> access.

We make use of two special shells to limit access and make it more clear
what an account is used for. These are just shell scripts:

    /usr/local/bin/ftponly
    /usr/local/bin/mailonly

They just contain something like this:

    #!/bin/sh
    echo "No SSH login allowed."
    exit 1

For FTP accounts, we set the user's shell to /usr/local/bin/ftponly. The FTP
daemon by default checks if the shell is in /etc/shells so we have added the
ftponly shellscript to /etc/shells. When people would SSH in, they'd get the
"No SSH login allowed" message.

For mail accounts, we set the user's shell to /usr/local/bin/mailonly. We
have not added this shell to /etc/shells, so FTP and SSH login are disallowed
while our mailserver (uw-imap and pop3) does not care about this. The
'mailonly' shell is never executed, it is just there to make administration
easier.

cheers,
walter
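The scheme above relies on two separate mechanisms: the FTP daemon admits only accounts whose login shell is listed in /etc/shells, and sshd simply executes the login shell, so a script that exits 1 refuses interactive login. The following audit script is an added example (it is not from Walter's message or from FreeBSD itself) that models those two rules over constructed sample passwd and shells files and reports which services each account can reach. The restricted-shell basenames (ftponly, mailonly, nologin, false) and the sample accounts are assumptions for the example; the ftponly/mailonly paths are the ones named in the mail. It also flags the misconfiguration the mail implicitly warns against: listing the mailonly shell in /etc/shells would silently grant FTP to mail-only accounts.

```shell
#!/bin/sh
# Added audit example (constructed; not from the original mailing-list post).
# Models the scheme described in the mail: the FTP daemon only admits accounts
# whose login shell is listed in /etc/shells, while sshd executes the login
# shell, so a script that exits 1 refuses SSH. Sample passwd and shells files
# are written to a temp dir so the script runs offline.
set -e

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed passwd(5)-style sample data; the shell paths match the post.
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/sh
alice:*:1001:1001:FTP customer:/home/alice:/usr/local/bin/ftponly
bob:*:1002:1002:Mail customer:/home/bob:/usr/local/bin/mailonly
carol:*:1003:1003:Admin:/home/carol:/usr/local/bin/bash
EOF

# /etc/shells as the post describes it: ftponly listed, mailonly not.
cat > "$SAMPLE_DIR/shells" <<'EOF'
/bin/sh
/bin/csh
/usr/local/bin/ftponly
EOF

# Misconfigured variant: mailonly was added too, which would let
# mail-only accounts log in over FTP.
cat > "$SAMPLE_DIR/shells.bad" <<'EOF'
/bin/sh
/usr/local/bin/ftponly
/usr/local/bin/mailonly
EOF

# is_restricted_shell PATH -> 0 if PATH is one of the deny-login shells.
# The basenames are an assumption for this example.
is_restricted_shell() {
    case "$1" in
        */ftponly|*/mailonly|*/nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# classify_account SHELL SHELLS_FILE
# Prints which services the account can reach:
#   ssh+ftp   real shell listed in /etc/shells
#   ftp-only  restricted shell listed in /etc/shells (the ftponly case)
#   mail-only restricted shell not listed (the mailonly case)
#   ssh-only  real shell not listed: sshd still runs it, FTP refuses it
classify_account() {
    shell=$1
    shells_file=$2
    listed=no
    if grep -qxF -- "$shell" "$shells_file"; then listed=yes; fi
    if is_restricted_shell "$shell"; then
        if [ "$listed" = yes ]; then echo ftp-only; else echo mail-only; fi
    else
        if [ "$listed" = yes ]; then echo ssh+ftp; else echo ssh-only; fi
    fi
}

# audit_passwd PASSWD_FILE SHELLS_FILE -> one "user shell class" line per account
audit_passwd() {
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        printf '%s %s %s\n' "$user" "$shell" "$(classify_account "$shell" "$2")"
    done < "$1"
}

# check_shells_file SHELLS_FILE -> 1 if a mail-only shell is listed, which
# would silently grant FTP to mail accounts.
check_shells_file() {
    if grep -q '/mailonly$' "$1"; then
        echo "WARNING: mailonly shell listed in $1; mail accounts could use FTP" >&2
        return 1
    fi
    return 0
}

audit_passwd "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shells"
check_shells_file "$SAMPLE_DIR/shells"
check_shells_file "$SAMPLE_DIR/shells.bad" || echo "shells.bad flagged as expected"
```

The ssh-only class is the case the mail does not mention: OpenSSH does not consult /etc/shells, so a real shell that is merely absent from that file blocks FTP but still allows SSH. Run the audit against the live files (`audit_passwd /etc/passwd /etc/shells`) after any chsh or /etc/shells change to confirm each account landed in the intended class.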