Date: Wed, 20 Aug 2003 14:18:21 -0400
From: "Troy Settle" <troy@psknet.com>
To: "'Blake Swensen'" <blake@pyramus.com>
Cc: 'FreeBSD ISP List' <freebsd-isp@FreeBSD.ORG>
Subject: RE: Best methods for preventing SSH allowing FTP
Message-ID: <E19pXXJ-0004HL-8j@psknet.com>
In-Reply-To: <8010538263.20030820200924@blue.calx.nl>
Once upon a time, I used /usr/bin/passwd as the shell (users could telnet/ftp in to change their passwords). I then started using /usr/bin/false. I now use /sbin/nologin.

On my primary mail and ftp machines, I no longer use the system passwd facility to manage user accounts; it's all in a MySQL database, which my billing software manages directly using ODBC.

--
Troy Settle
Pulaski Networks
http://www.psknet.com
540.994.4254 ~ 866.477.5638
Pulaski Chamber 2002 Small Business Of The Year

> -----Original Message-----
> From: owner-freebsd-isp@freebsd.org [mailto:owner-freebsd-isp@freebsd.org] On Behalf Of Walter Hop
> Sent: Wednesday, August 20, 2003 2:09 PM
> To: Blake Swensen
> Cc: FreeBSD ISP List
> Subject: Re: Best methods for preventing SSH allowing FTP
>
> [in reply to blake@pyramus.com, 20-8-2003]
>
> > Anyone have suggestions for the best methods for locking an account so
> > that a user or a group can only ftp/POP/IMAP and prevent all other
> > access.
>
> We make use of two special shells to limit access and make it more clear
> what an account is used for. These are just shell scripts:
>
> /usr/local/bin/ftponly
> /usr/local/bin/mailonly
>
> They just contain something like this:
>
> #!/bin/sh
> echo "No SSH login allowed."
> exit 1
>
> For FTP accounts, we set the user's shell to /usr/local/bin/ftponly.
> The FTP daemon by default checks if the shell is in /etc/shells, so we have
> added the ftponly shell script to /etc/shells. When people would SSH in,
> they'd get the "No SSH login allowed" message.
>
> For mail accounts, we set the user's shell to /usr/local/bin/mailonly.
> We have not added this shell to /etc/shells, so FTP and SSH login are
> disallowed while our mailserver (uw-imap and pop3) does not care about
> this. The 'mailonly' shell is never executed, it is just there to make
> administration easier.
>
> cheers,
> walter
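The script below is an added example, not code from either poster. It models the three account classes the thread describes (a normal account, Walter's ftponly/mailonly script shells, and the /sbin/nologin account Troy now uses) and works out which service would accept each one. Everything is constructed under a temp directory: the passwd entries, the stand-in for /etc/shells, and the ftponly/mailonly scripts (placed under the temp dir rather than /usr/local/bin). The rules it encodes: ftpd only accepts a login whose shell is listed in /etc/shells; sshd does not consult /etc/shells at all but hands the session to the login shell, so the refusal there comes from the shell exiting non-zero; uw-imap/pop3 never look at the shell. Passwords are assumed valid throughout.

```shell
#!/bin/sh
# Added example, not code from the thread: model how the three shell
# settings discussed above gate FTP and SSH. Everything here is constructed
# under a temp dir; no real account or /etc file is touched.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The ftponly / mailonly "shells" from Walter's post: refuse any login.
for s in ftponly mailonly; do
    cat > "$WORK/$s" <<'EOF'
#!/bin/sh
echo "No SSH login allowed."
exit 1
EOF
    chmod 755 "$WORK/$s"
done

# Constructed stand-in for /etc/shells. ftpd accepts a login only if the
# account's shell is listed here (getusershell(3) skips comments and blank
# lines). ftponly is listed; mailonly deliberately is not.
cat > "$WORK/shells" <<EOF
# constructed stand-in for /etc/shells
/bin/sh
/bin/csh
$WORK/ftponly
EOF

# Constructed passwd entries, name:shell. $WORK paths stand in for
# /usr/local/bin; /sbin/nologin is the locked-account shell Troy now uses.
cat > "$WORK/passwd" <<EOF
alice:/bin/sh
ftpuser:$WORK/ftponly
mailuser:$WORK/mailonly
locked:/sbin/nologin
EOF

# Login shell of a user from the constructed passwd file.
user_shell() {
    awk -F: -v u="$1" '$1 == u { print $2 }' "$WORK/passwd"
}

# ftpd's rule: the shell must appear in /etc/shells. An empty shell field
# is treated as /bin/sh, as login(1) and ftpd do.
ftp_allowed() {
    sh=$(user_shell "$1")
    [ -n "$sh" ] || sh=/bin/sh
    grep -v '^#' "$WORK/shells" | grep -qx "$sh"
}

# sshd does not consult /etc/shells; it simply execs the login shell. A
# shell that exits non-zero (the ftponly script, /sbin/nologin,
# /usr/bin/false) ends the session at once. A shell binary that does not
# exist on this host counts as a refusal too.
ssh_allowed() {
    sh=$(user_shell "$1")
    [ -n "$sh" ] || sh=/bin/sh
    [ -x "$sh" ] && "$sh" -c true >/dev/null 2>&1
}

# Which services would take this account, assuming the password is valid.
# uw-imap and pop3 never look at the shell, so mail is always "yes".
access_summary() {
    ftp=no; ssh=no
    ftp_allowed "$1" && ftp=yes
    ssh_allowed "$1" && ssh=yes
    echo "$1: ftp=$ftp ssh=$ssh mail=yes"
}

for u in alice ftpuser mailuser locked; do
    access_summary "$u"
done
```

On a real FreeBSD host the equivalent of the passwd edit above is `pw usermod ftpuser -s /usr/local/bin/ftponly` after the path has been appended to /etc/shells; leave the mailonly path out of /etc/shells, as Walter does, and ftpd rejects those accounts as well. Note the empty-shell case: a blank shell field is not a lock, since both login(1) and ftpd treat it as /bin/sh.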