From owner-freebsd-questions Thu May 11 21:36:27 2000
Date: Thu, 11 May 2000 14:35:50 -0700 (PDT)
From: Rudy Rucker
To: FBSD-Q
Subject: Re: NIS map for /etc/login.access
In-Reply-To: <20000511222945.A31266@gforce.johnson.home>

You could make the user's shell be /bin/ftponly and have 'ftponly' be
something like:

    #!/bin/sh
    echo "Sorry, you are not allowed to FTP to this machine."
    echo "Contact Glenn if you have any questions."

Oh... you will need to add /bin/ftponly to your /etc/shells, unless you
are using something like 'proftpd' which allows you to not check the
/etc/shells file. I like 'proftpd' because it has the ability to
chroot()... thus, you can hide all the directories except /home from your
users.

Rudy

On Thu, 11 May 2000, Glenn Johnson wrote:

> On Thu, May 11, 2000 at 06:16:36PM -0700, Blake Swensen wrote:
>
> > I have a need to prevent certain clients, who need FTP access, from
> > telnetting into the machines on my network.
> >
> > I have been using /etc/login.access to prohibit those users, but it is
> > a hassle to add an entry in every machine on the network.
> >
> > Have also tried to add those users to a NIS'ed group and added the
> > @groupname to login.access. Login.access must only look at the user's
> > GID, not the group file, or the NIS map for group.
> >
> > Is there a method for NIS'ifying the login.access file or a better
> > method to allow ftp access but not shell access.
>
> You could use rdist to distribute the login.access file. It is part of
> the base FreeBSD system although I have found the rdist6 port to be more
> useful as I can use ssh for communication between hosts with it.
>
> --
> Glenn Johnson
> glennpj@bayouhome.net
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
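
Added example, not part of the original thread: a small audit for the /etc/shells dependency mentioned in the reply. It lists the accounts whose shell is /bin/ftponly and reports whether that shell appears in a shells file. The function names, the file arguments and the sample accounts are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit FTP-only accounts. /bin/ftponly is the shell path from
# the message; the file arguments are parameters so copies can be checked.

# shell_listed SHELLS_FILE SHELL: succeed if SHELL is a non-comment line.
shell_listed() {
    grep -v '^[[:space:]]*#' "$1" | grep -Fqx -- "$2"
}

# ftponly_users PASSWD_FILE SHELL: print logins whose last field is SHELL.
# The shell is the last field in both passwd and master.passwd layouts.
ftponly_users() {
    awk -F: -v want="$2" '$1 !~ /^#/ && $NF == want { print $1 }' "$1"
}

# audit_ftponly PASSWD_FILE SHELLS_FILE SHELL: return 1 when accounts use
# SHELL but SHELLS_FILE does not list it (an ftpd that checks the shells
# file would then refuse those logins).
audit_ftponly() {
    users=$(ftponly_users "$1" "$3")
    if [ -z "$users" ]; then
        echo "no accounts use $3"
        return 0
    fi
    if shell_listed "$2" "$3"; then
        echo "OK: $3 is listed; FTP-only accounts:" $users
        return 0
    fi
    echo "MISSING: $3 not in $2; FTP logins will fail for:" $users
    return 1
}

# Constructed sample data (not from the original message).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' \
    'root:*:0:0:Charlie &:/root:/bin/csh' \
    'ftpuser1:*:1001:1001:FTP client:/home/ftpuser1:/bin/ftponly' \
    'ftpuser2:*:1002:1002:FTP client:/home/ftpuser2:/bin/ftponly' > "$tmp/passwd"
printf '%s\n' '# List of acceptable shells' /bin/sh /bin/csh > "$tmp/shells"

audit_ftponly "$tmp/passwd" "$tmp/shells" /bin/ftponly || true   # shell not listed yet
echo /bin/ftponly >> "$tmp/shells"
audit_ftponly "$tmp/passwd" "$tmp/shells" /bin/ftponly           # shell now listed
```

Run against copies of each host's passwd and shells files, the non-zero return flags machines where the restricted shell was assigned but never registered.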