Date:      Wed, 20 Aug 2003 20:09:24 +0200
From:      Walter Hop <freebsd@walter.transip.nl>
To:        Blake Swensen <blake@pyramus.com>
Cc:        FreeBSD ISP List <freebsd-isp@FreeBSD.ORG>
Subject:   Re: Best methods for preventing SSH allowing FTP
Message-ID:  <8010538263.20030820200924@blue.calx.nl>
In-Reply-To: <3F439250.6010408@pyramus.com>


[in reply to blake@pyramus.com, 20-8-2003]

> Anyone have suggestions for the best methods for locking an account so
> that a user or a group can only ftp/POP/IMAP and prevent all other
> access.

We make use of two special shells to limit access and make it more clear
what an account is used for. These are just shell scripts:

/usr/local/bin/ftponly
/usr/local/bin/mailonly

They just contain something like this:

    #!/bin/sh
    # Restricted login shell: print a message and refuse the session.
    echo "No SSH login allowed."
    exit 1

For FTP accounts, we set the user's shell to /usr/local/bin/ftponly.
The FTP daemon by default checks if the shell is in /etc/shells so we have
added the ftponly shellscript to /etc/shells. When people would SSH in,
they'd get the "No SSH login allowed" message.

For mail accounts, we set the user's shell to /usr/local/bin/mailonly.
We have not added this shell to /etc/shells, so FTP and SSH login are
disallowed while our mailserver (uw-imap and pop3) does not care about
this. The 'mailonly' shell is never executed, it is just there to make
administration easier.

cheers,
walter
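The setup above, reproduced as an added example (this is not Walter's script and not part of the original message). It builds both denying shells under a scratch prefix instead of /usr/local/bin and /etc, writes a constructed /etc/shells and passwd file, and models the three login paths the message describes: ftpd refusing any account whose shell is not listed in /etc/shells (the getusershell(3) check), sshd actually running the account's shell, and a POP/IMAP daemon that never looks at the shell at all. The prefix, the user names and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post. All paths live under a
# scratch prefix (assumption) so it runs without root; on a real host the
# shells go in /usr/local/bin and the list is /etc/shells.

PREFIX=$(mktemp -d)
trap 'rm -rf "$PREFIX"' EXIT
BINDIR="$PREFIX/usr/local/bin"
SHELLS="$PREFIX/etc/shells"
PASSWD="$PREFIX/etc/passwd"
mkdir -p "$BINDIR" "$PREFIX/etc"

# 1. Create a shell that refuses every interactive login.
#    $1 = path of the shell, $2 = message shown to whoever tries to log in
make_denying_shell() {
    printf '#!/bin/sh\necho "%s"\nexit 1\n' "$2" > "$1"
    chmod 755 "$1"
}
make_denying_shell "$BINDIR/ftponly"  "No SSH login allowed."
make_denying_shell "$BINDIR/mailonly" "No SSH login allowed."

# 2. Register only ftponly in the shells list (constructed sample file).
#    mailonly is deliberately left out, exactly as in the message.
cat > "$SHELLS" <<EOF
/bin/sh
/bin/csh
$BINDIR/ftponly
EOF

# 3. Constructed passwd entries: a normal user, an FTP-only account and a
#    mail-only account (user names are assumptions).
cat > "$PASSWD" <<EOF
alice:*:1001:1001:Alice:/home/alice:/bin/sh
ftpuser:*:1002:1002:FTP only:/home/ftpuser:$BINDIR/ftponly
mailuser:*:1003:1003:Mail only:/home/mailuser:$BINDIR/mailonly
EOF

# Look up an account's login shell (field 7) in the constructed passwd file.
user_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; exit }' "$PASSWD"
}

# What ftpd does: the account exists AND its shell is listed in /etc/shells.
# Returns 0 (login allowed) or 1 (login refused).
ftp_login_allowed() {
    sh=$(user_shell "$1")
    [ -n "$sh" ] && grep -qxF "$sh" "$SHELLS"
}

# What sshd does: run the account's shell. A real shell succeeds, the
# ftponly/mailonly scripts print their message and exit 1.
ssh_login_allowed() {
    sh=$(user_shell "$1")
    [ -n "$sh" ] && "$sh" -c true >/dev/null 2>&1
}

# What uw-imap/pop3 do per the message: the shell is never consulted,
# so any existing account can fetch mail.
mail_login_allowed() {
    [ -n "$(user_shell "$1")" ]
}

# Print the resulting access matrix for the three constructed accounts.
for u in alice ftpuser mailuser; do
    for svc in ftp ssh mail; do
        if "${svc}_login_allowed" "$u"; then r=allowed; else r=refused; fi
        printf '%-8s %-4s %s\n' "$u" "$svc" "$r"
    done
done
```

One caveat worth keeping in mind when copying the ftponly trick: anything listed in /etc/shells can also be selected by an ordinary user with chsh(1), so list only the shell you actually want available and never add the mailonly script there, otherwise mail-only accounts would gain FTP access.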



Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?8010538263.20030820200924>