From: Scott Gerhardt
To: Walter Hop, Blake Swensen
cc: FreeBSD ISP List
Date: Wed, 20 Aug 2003 14:32:49 -0600
Subject: Re: Best methods for preventing SSH allowing FTP
In-Reply-To: <8010538263.20030820200924@blue.calx.nl>
List-Id: Internet Services Providers (freebsd-isp@freebsd.org)

What about using /sbin/nologin and /etc/login.access with the following entries (or similar):

-:ALL EXCEPT wheel:console
-:ALL EXCEPT wheel:ALL

This will deny shell access to all but wheel. Of course, you can add other groups to make security more granular. The login.access provides a little more security if you forget to set a "nologin" shell for a user.

Cheers,

-- 
Scott Gerhardt, P.Geo.
Gerhardt Information Technologies [G-IT]

On 8/20/03 12:09 PM, "Walter Hop" wrote:

> [in reply to blake@pyramus.com, 20-8-2003]
>
>> Anyone have suggestions for the best methods for locking an account so
>> that a user or a group can only ftp/POP/IMAP and prevent all other
>> access.
>
> We make use of two special shells to limit access and make it more clear
> what an account is used for. These are just shell scripts:
>
> /usr/local/bin/ftponly
> /usr/local/bin/mailonly
>
> They just contain something like this:
>
> #!/bin/sh
> echo "No SSH login allowed."
> exit 1
>
> For FTP accounts, we set the user's shell to /usr/local/bin/ftponly.
> The FTP daemon by default checks if the shell is in /etc/shells so we have
> added the ftponly shellscript to /etc/shells. When people would SSH in,
> they'd get the "No SSH login allowed" message.
>
> For mail accounts, we set the user's shell to /usr/local/bin/mailonly.
> We have not added this shell to /etc/shells, so FTP and SSH login are
> disallowed while our mailserver (uw-imap and pop3) does not care about
> this. The 'mailonly' shell is never executed, it is just there to make
> administration easier.
>
> cheers,
> walter
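The following script is an added example and is not code from either poster. It models the two controls the thread describes: the ftponly "shell" that refuses interactive use, ftpd's test that an account's shell appears in /etc/shells, and a deliberately simplified evaluator for the two login.access rules Scott quotes (first matching rule wins; ALL, EXCEPT and group names are understood; the real login.access(5) parser handles more, such as host and tty patterns). The accounts alice, ftpjoe and mailjane, the temporary copies of /etc/shells and login.access, and the origin string "ssh" are all constructed for the example; a real SSH session's origin would be the client's host, which only the ALL rule matches here anyway.

```shell
#!/bin/sh
# Added example, not from the list thread: a throwaway model of an account
# locked to FTP or mail only. Everything lives under a temp dir so nothing on
# the host is touched.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The ftponly shell from the post: prints a message and exits non-zero.
cat > "$WORK/ftponly" <<'EOF'
#!/bin/sh
echo "No SSH login allowed."
exit 1
EOF
chmod 755 "$WORK/ftponly"
# $WORK/mailonly is deliberately never created: in the post it is only a marker.

# Constructed /etc/shells: ftponly is listed, mailonly is not.
printf '%s\n' /bin/sh /bin/csh "$WORK/ftponly" > "$WORK/shells"

# Constructed login.access with the two rules quoted in the reply.
printf '%s\n' '-:ALL EXCEPT wheel:console' '-:ALL EXCEPT wheel:ALL' > "$WORK/login.access"

# Constructed user database (hypothetical accounts): name:shell:groups
USERS="alice:/bin/sh:wheel
ftpjoe:$WORK/ftponly:ftp
mailjane:$WORK/mailonly:mail"

user_field() {  # user_field NAME FIELDNO -> that field of the user's record
    printf '%s\n' "$USERS" | awk -F: -v u="$1" -v f="$2" '$1 == u { print $f }'
}

# ftpd's test: the account's shell must be listed in /etc/shells.
shell_listed() {  # shell_listed SHELLPATH
    grep -qx "$1" "$WORK/shells"
}

# Simplified login.access(5) evaluator: lines are "perm:users:origins",
# first match wins, ALL/EXCEPT/group names supported. Prints allow or deny.
login_access_allows() {  # login_access_allows USER GROUPS(comma-separated) ORIGIN
    awk -F: -v user="$1" -v groups="$2" -v origin="$3" '
        function matches(list, name, use_groups,    n, i, p, ok, exc, j, m) {
            n = split(list, p, " "); ok = 0; exc = 0
            for (i = 1; i <= n; i++) {
                if (p[i] == "EXCEPT") { exc = 1; continue }
                m = (p[i] == "ALL" || p[i] == name)
                if (use_groups) for (j in G) if (p[i] == G[j]) m = 1
                if (m) { if (exc) return 0; ok = 1 }
            }
            return ok
        }
        BEGIN { split(groups, G, ",") }
        /^[+-]:/ && !done {
            if (matches($2, user, 1) && matches($3, origin, 0)) {
                r = (substr($1, 1, 1) == "+") ? "allow" : "deny"
                print r; done = 1
            }
        }
        END { if (!done) print "allow" }   # no rule matched: login.access permits
    ' "$WORK/login.access"
}

# Verdict per service. FTP: ftpd checks /etc/shells. SSH: login.access must
# permit, then the login shell must actually run (ftponly exits 1; a
# nonexistent mailonly cannot be executed at all).
access() {  # access USER SERVICE(ftp|ssh) -> allow/deny
    shell=$(user_field "$1" 2); groups=$(user_field "$1" 3)
    case $2 in
        ftp) if shell_listed "$shell"; then echo allow; else echo deny; fi ;;
        ssh) if [ "$(login_access_allows "$1" "$groups" ssh)" = deny ]; then echo deny
             elif "$shell" </dev/null >/dev/null 2>&1; then echo allow
             else echo deny; fi ;;
    esac
}

for u in alice ftpjoe mailjane; do
    printf '%-9s ftp=%s ssh=%s\n' "$u" "$(access "$u" ftp)" "$(access "$u" ssh)"
done
```

Running it shows the layering the thread is after: ftpjoe gets FTP but not SSH, mailjane gets neither, and alice (in wheel) keeps her shell. Remove the login.access rules and ftpjoe is still refused, because the ftponly shell exits 1; the login.access entries are the second net for an account whose shell was mistakenly left at /bin/sh.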