On Sat, Mar 25, 2000 at 05:46:00PM +1100, Damon Muller wrote:
> Quoth Percival,
> > I want to have easy freedom in limiting user access. I have killed
> > telnetd, and only sshd. I want to allow some users access through
> > ssh, some through ftpd, and some through samba. How can I turn off
> > user access through ssh, but keep their account, and allow them access
> > through ftp? Can I allow users access to shares through samba, and
> > allow them to ftp in, but not ssh or telnet?
>
> This doesn't really address the issue of keeping communications secure,
> and isn't an answer to all of your problems, but...
>
> One way you can disallow SSH but allow FTP for a user is to change their
> login shell to something like /bin/false, and set /bin/false as a valid
> login shell in /etc/shells. This will allow them to SSH in, but won't
> actually let them have an interactive shell (ie., they'll be bounced
> back out as soon as they have authenticated). Most FTP clients will only
> allow FTP logins if the user has a valid shell listed in /etc/shells, so
> FTP will still let them in if /bin/false is in /etc/shells.

i would recommend using /bin/true for this purpose rather than /bin/false.
/bin/false is used on all the system accounts that should not have an
interactive user or ever be logged into. so i prefer to keep /bin/false
OUT of /etc/shells.

another option is falselogin which prints out a message before booting
them off (which you can configure).

--
Ethan Benson
http://www.alaska.net/~erbenson/
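
The difference between the two suggestions in this thread, as an added example that is not part of the original messages: the script classifies accounts by login shell and by whether that shell is listed in the shells file, first with /bin/false listed and then with /bin/true. The UID 1000 cutoff, the function names and the sample accounts are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: UIDs below 1000 are system
# accounts, and the FTP daemon refuses any account whose shell is not listed
# in the shells file (the check described in the thread).

# classify_accounts PASSWD_FILE SHELLS_FILE
# Prints "user class" for every account:
#   interactive    listed shell that gives a session
#   ftp-only       user account, listed shell that exits at once
#   system-listed  system account whose exit-at-once shell is listed
#   not-listed     shell absent from the shells file, fails the FTP shell check
classify_accounts() {
    awk -F: '
        BEGIN { dead["/bin/false"] = 1; dead["/bin/true"] = 1 }
        # First file: the shells list; skip comments and blank lines.
        NR == FNR { if ($0 !~ /^#/ && $0 != "") listed[$0] = 1; next }
        # Second file: passwd entries (field 3 = UID, field 7 = shell).
        {
            if (!($7 in listed))     class = "not-listed"
            else if (!($7 in dead))  class = "interactive"
            else if ($3 + 0 < 1000)  class = "system-listed"
            else                     class = "ftp-only"
            print $1, class
        }
    ' "$2" "$1"
}

# make_sample DIR SHELL: constructed passwd and shells files in which user bob
# gets SHELL as login shell and SHELL is appended to the shells list.
make_sample() {
    printf '%s\n' \
        'daemon:x:1:1:daemon:/usr/sbin:/bin/false' \
        'alice:x:1001:1001::/home/alice:/bin/bash' \
        "bob:x:1002:1002::/home/bob:$2" > "$1/passwd"
    printf '%s\n' '# constructed shells file' /bin/sh /bin/bash "$2" > "$1/shells"
}

tmp=$(mktemp -d)
for s in /bin/false /bin/true; do
    echo "== $s listed as a valid shell =="
    make_sample "$tmp" "$s"
    classify_accounts "$tmp/passwd" "$tmp/shells"
done
rm -rf "$tmp"
```

On a live system, pass /etc/passwd and /etc/shells to classify_accounts and review every account reported as system-listed.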