From owner-freebsd-isp@FreeBSD.ORG Wed Aug 20 11:08:50 2003
Date: Wed, 20 Aug 2003 20:09:24 +0200
From: Walter Hop
To: Blake Swensen
cc: FreeBSD ISP List
Subject: Re: Best methods for preventing SSH allowing FTP
Message-ID: <8010538263.20030820200924@blue.calx.nl>
In-Reply-To: <3F439250.6010408@pyramus.com>
References: <3F439250.6010408@pyramus.com>
List-Id: Internet Services Providers

[in reply to blake@pyramus.com, 20-8-2003]

> Anyone have suggestions for the best methods for locking an account so
> that a user or a group can only ftp/POP/IMAP and prevent all other
> access.

We make use of two special shells to limit access and make it more clear
what an account is used for. These are just shell scripts:

  /usr/local/bin/ftponly
  /usr/local/bin/mailonly

They just contain something like this:

  #!/bin/sh
  # print a message and end the session without giving a shell
  echo "No SSH login allowed."
  exit 1

For FTP accounts, we set the user's shell to /usr/local/bin/ftponly. The
FTP daemon by default checks if the shell is in /etc/shells, so we have
added the ftponly shell script to /etc/shells. When people would SSH in,
they'd get the "No SSH login allowed" message.

For mail accounts, we set the user's shell to /usr/local/bin/mailonly. We
have not added this shell to /etc/shells, so FTP and SSH login are
disallowed, while our mail server (uw-imap and pop3) does not care about
this. The 'mailonly' shell is never executed; it is just there to make
administration easier.

cheers,
walter
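As an added illustration (not part of Walter's mail), the script below builds the ftponly stub in a constructed temp directory and audits constructed accounts against a constructed /etc/shells list, showing which access each account ends up with. It assumes, as the mail states, that the FTP daemon accepts a login only when the shell is listed in /etc/shells, and that sshd simply runs the account's shell, so a stub that exits non-zero ends the session; all paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit FTP/SSH access under the "special shell" scheme.
# Everything below lives in a throwaway directory (constructed paths).
WORK=$(mktemp -d)
STUB="$WORK/ftponly"           # stands in for /usr/local/bin/ftponly
MAILONLY="$WORK/mailonly"      # stands in for /usr/local/bin/mailonly (never created)

# The stub shell from the mail: it ignores any "-c command" sshd passes
# and exits non-zero, so neither interactive nor command logins succeed.
cat > "$STUB" <<'EOF'
#!/bin/sh
echo "No SSH login allowed."
exit 1
EOF
chmod 755 "$STUB"

# Constructed /etc/shells: real shells plus the ftponly stub, but NOT mailonly.
SHELLS="$WORK/shells"
printf '%s\n' /bin/sh /bin/csh "$STUB" > "$SHELLS"

# shell_listed SHELL SHELLSFILE: exit 0 if SHELL is an exact line in the list,
# the same membership check ftpd (and chsh) performs against /etc/shells.
shell_listed() { grep -qxF -- "$1" "$2"; }

# stub_refuses SHELL: exit 0 if running the shell the way sshd would
# ("shell -c command") fails, i.e. the account cannot get a session.
stub_refuses() { ! "$1" -c true >/dev/null 2>&1; }

# access_for SHELL SHELLSFILE: prints "ssh=<yes|no> ftp=<yes|no>".
# ftp follows /etc/shells membership; ssh is refused when the shell is
# missing, not executable, or is a stub that exits non-zero.
access_for() {
    ssh=yes; ftp=no
    shell_listed "$1" "$2" && ftp=yes
    if [ ! -x "$1" ] || stub_refuses "$1"; then ssh=no; fi
    printf 'ssh=%s ftp=%s\n' "$ssh" "$ftp"
}

# Walk the three account types from the mail: normal, FTP-only, mail-only.
for s in /bin/sh "$STUB" "$MAILONLY"; do
    printf '%-40s %s\n' "$s" "$(access_for "$s" "$SHELLS")"
done
# The temp directory is left for inspection; remove it with: rm -rf "$WORK"
```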