On Fri, 9 Jul 1999, Pollywog wrote:

> On 09-Jul-99 Carl Mummert wrote:
> >
> > Why not just set their shell to /bin/false or some such.
> >
> > That prevents login access, and should prevent ftp access
> > (you have to check - try man ftpd ). But it allows pop
> > access, and imap access.
>
> Does setting the shell to /bin/false prevent ftp access? Anonymous and
> for users with accounts too? Seems I recall it does not prevent ftp
> for users with accounts on the system.

It depends on the ftp daemon. For example, Proftpd has a configuration
option (quote from the manual):

    RequireValidShell

    Syntax: RequireValidShell on|off
    Default: RequireValidShell on
    Context: server config, <VirtualHost>, <Anonymous>, <Global>
    Compatibility: 0.99.0 and later

    The RequireValidShell directive configures the server, virtual host
    or anonymous login to allow or deny logins which do not have a shell
    binary listed in /etc/shells. By default, proftpd disallows logins if
    the user's default shell is not listed in /etc/shells. If /etc/shells
    cannot be found, all default shells are assumed to be valid.

So, by default or with "RequireValidShell on" in the proper section of
the config file, users with a shell /bin/false would be denied login
(unless /bin/false is in /etc/shells).

"man 5 shells" for more info on the /etc/shells file.
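
The rule quoted from the manual, as an added example that is not part of the original message and is not ProFTPD's own code: it models the shell check over passwd-format data so you can audit which accounts the check would refuse. The function names and the sample accounts are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

def load_valid_shells(path="/etc/shells"):
    """Return the set of shells listed in the file, or None if it is missing."""
    try:
        with open(path) as fh:
            lines = fh.read().splitlines()
    except FileNotFoundError:
        return None  # per the quoted manual: every shell is then assumed valid
    shells = set()
    for line in lines:
        entry = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if entry:
            shells.add(entry)
    return shells

def ftp_shell_check(passwd_text, valid_shells):
    """Map each account to True (shell check passes) or False (login refused)."""
    report = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a passwd entry
        user, shell = fields[0], fields[6]
        # Assumption: a literal string match against the listed shells.
        report[user] = valid_shells is None or shell in valid_shells
    return report

# Constructed sample data, not taken from any real system.
SAMPLE_PASSWD = """\
alice:x:1000:1000:Alice:/home/alice:/bin/bash
popuser:x:1001:1001:Mail only:/home/popuser:/bin/false
"""
SAMPLE_SHELLS = "# valid login shells\n/bin/sh\n/bin/bash\n"

def demo():
    """Run the check with /bin/false unlisted, listed, and with no shells file."""
    with tempfile.TemporaryDirectory() as d:
        shells = Path(d, "shells")
        shells.write_text(SAMPLE_SHELLS)
        unlisted = ftp_shell_check(SAMPLE_PASSWD, load_valid_shells(shells))
        shells.write_text(SAMPLE_SHELLS + "/bin/false\n")
        listed = ftp_shell_check(SAMPLE_PASSWD, load_valid_shells(shells))
        shells.unlink()
        missing = ftp_shell_check(SAMPLE_PASSWD, load_valid_shells(shells))
    return unlisted, listed, missing

if __name__ == "__main__":
    for label, result in zip(("unlisted", "listed", "missing file"), demo()):
        print(label, result)
```

The second and third cases are the ones to audit for: once /bin/false appears in the shells file, or the file is absent, the mail-only account passes the shell check.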