From: Aaron Daubman (daubman@ll.mit.edu)
Organization: MIT Lincoln Laboratory
Date: Wed, 20 Aug 2003 12:12:34 -0400
To: FreeBSD ISP List (freebsd-isp@freebsd.org)
Subject: Re: Best methods for preventing SSH allowing FTP
Message-ID: <3F439DF2.5020609@ll.mit.edu>
In-Reply-To: <3F4394EC.10609@wtconnect.com>
References: <3F439250.6010408@pyramus.com> <3F4394EC.10609@wtconnect.com>

Just be careful of certain FTP programs if you take this approach. For
ProFTPD, you would then need to set 'RequireValidShell off' in the conf
file.

The method I use is a combination of this and others. It might be
worthwhile to re-think this, as it can become a management nightmare for
large systems. It's worked fine for me so far, however.
Using group membership:

SSH:
    AllowGroups allowssh
    DenyGroups denyssh

ProFTPD (others might use /etc/ftpusers):
    DenyGroup denyftp

Shell:
    /sbin/nologin

Mail:
    Everybody currently gets mail, but that could easily be changed by
    moving to the sasl pw db instead of implementing PAM...

This gives the granularity of explicitly defining which groups of users
get access to what services...

...I'm sure I'm forgetting other settings, but that should give you a
good idea of the options available. Most programs have built-in group as
well as user permissions =)

Cheers,
  ~Aaron

Scott Blaydes wrote:
> Blake Swensen wrote:
>
>> Anyone have suggestions for the best methods for locking an account so
>> that a user or a group can only ftp/POP/IMAP and prevent all other
>> access.
>>
>> Blake
>
> Give them a shell of /bin/false. You will need to actually create a
> file called /bin/false, and add it to /etc/shells. That will allow
> ftp/pop/imap and not allow them to log in via telnet/ssh.
>
> Scott Blaydes
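As an added illustration that is not part of the thread, the POSIX sh script below models the access matrix the two replies describe (sshd AllowGroups/DenyGroups, a login shell of /sbin/nologin or /bin/false, and ProFTPD's DenyGroup with RequireValidShell on or off) over constructed sample accounts, so that the RequireValidShell caveat can be seen directly. The variable and function names are hypothetical, and the group-check and shell-check logic is a paraphrase of the daemons' documented behaviour, not their code.

```shell
# Constructed stand-ins for /etc/passwd, /etc/group and /etc/shells
# (user:login-shell:comma-separated groups); names are made up.
ACCOUNTS='alice:/bin/sh:allowssh,staff
bob:/sbin/nologin:denyssh
carol:/sbin/nologin:allowssh,denyftp
dave:/bin/false:denyssh'
VALID_SHELLS='/bin/sh /bin/csh /bin/false'   # /bin/false listed, as Scott suggests
# The thread's settings, as hypothetical variables.
SSH_ALLOW_GROUPS=allowssh     # sshd_config:  AllowGroups allowssh
SSH_DENY_GROUPS=denyssh       # sshd_config:  DenyGroups denyssh
FTP_DENY_GROUPS=denyftp       # proftpd.conf: DenyGroup denyftp
FTP_REQUIRE_VALID_SHELL=off   # proftpd.conf: RequireValidShell off
user_field() {  # user_field <user> <n>: field n of that user's account line
  printf '%s\n' "$ACCOUNTS" | awk -F: -v u="$1" -v n="$2" '$1 == u { print $n }'
}
in_any_group() {  # in_any_group <user> "<g1> <g2> ...": 0 if member of any
  groups=$(user_field "$1" 3); hit=1
  for g in $2; do
    case ",$groups," in *",$g,"*) hit=0 ;; esac
  done
  return $hit
}
shell_is_valid() {  # 0 if the user's login shell is listed in /etc/shells
  s=$(user_field "$1" 2); ok=1
  for v in $VALID_SHELLS; do if [ "$s" = "$v" ]; then ok=0; fi; done
  return $ok
}
# sshd checks DenyGroups before AllowGroups; matching no AllowGroups entry is a denial.
ssh_allowed() {
  if [ -n "$SSH_DENY_GROUPS" ] && in_any_group "$1" "$SSH_DENY_GROUPS"; then echo no; return; fi
  if [ -n "$SSH_ALLOW_GROUPS" ] && ! in_any_group "$1" "$SSH_ALLOW_GROUPS"; then echo no; return; fi
  echo yes
}
# Passing sshd's group check still runs the login shell, so nologin/false shut the door again.
interactive_ssh() {
  if [ "$(ssh_allowed "$1")" != yes ]; then echo no; return; fi
  case "$(user_field "$1" 2)" in /sbin/nologin|/bin/false) echo no ;; *) echo yes ;; esac
}
# ProFTPD refuses DenyGroup members and, with RequireValidShell on, anyone whose shell
# is absent from /etc/shells (the caveat about /sbin/nologin users in the reply above).
ftp_allowed() {
  if in_any_group "$1" "$FTP_DENY_GROUPS"; then echo no; return; fi
  if [ "$FTP_REQUIRE_VALID_SHELL" = on ] && ! shell_is_valid "$1"; then echo no; return; fi
  echo yes
}
for u in alice bob carol dave; do
  printf '%-6s ssh-group-check=%s interactive=%s ftp=%s\n' \
    "$u" "$(ssh_allowed "$u")" "$(interactive_ssh "$u")" "$(ftp_allowed "$u")"
done
```

Flipping FTP_REQUIRE_VALID_SHELL to on locks bob (shell /sbin/nologin) out of FTP while dave (shell /bin/false, listed in /etc/shells) keeps it, which is exactly why the reply pairs the nologin shell with 'RequireValidShell off'.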