Per user: Restricting Telnet but allowing FTP


Post by Brian Kuscha » Wed, 14 Jul 1999 04:00:00



Hello,

I'd like to be able to allow certain users or groups to have access to
FTP, but not allow them to login via telnet.

I've tried disallowing access in /etc/security/access.conf like this
-:username:ALL     (It is the first in the list)

But this seems to have no effect.  Why?

Would a restricted shell be the way to go, just restrict everything?
Or is there another file that I should use, something like /etc/ftpusers
but for telnet.

Any help would be appreciated.
Thanks,
Brian

PS using RH 5.2

 
 
 


Post by rand » Wed, 14 Jul 1999 04:00:00


Make an entry in /etc/passwd for that user after the last colon ':',
something like '/bin/false',
then in /etc/shells add the line '/bin/false'.

> Hello,

> I'd like to be able to allow certain users or groups to have access to
> FTP, but not allow them to login via telnet.

> I've tried disallowing access in /etc/security/access.conf like this
> -:username:ALL     (It is the first in the list)

> But this seems to have no effect.  Why?

> Would a restricted shell be the way to go, just restrict everything?
> Or is there another file that I should use, something like /etc/ftpusers
> but for telnet.

> Any help would be appreciated.
> Thanks,
> Brian

> PS using RH 5.2
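
Why the /etc/shells line matters, as an added example that is not part of the original post: it assumes the FTP daemon accepts a real user only when the shell field of the passwd entry is listed in /etc/shells (the getusershell(3) check), while telnet simply runs that shell. The function name, class labels and sample accounts are constructed for illustration.

```shell
#!/bin/sh
# classify_accounts PASSWD_FILE SHELLS_FILE
# Prints "user<TAB>class", where class is:
#   interactive  shell is listed and gives a session
#   ftp-only     shell is listed but gives no session (/bin/false, /dev/null)
#   no-ftp       shell is not listed, so (assumption) ftpd refuses the login
classify_accounts() {
    awk -F: -v shells="$2" '
        BEGIN {
            # Load the shells file, skipping comments and blank lines.
            while ((getline line < shells) > 0) {
                sub(/#.*/, "", line)
                gsub(/^[ \t]+|[ \t]+$/, "", line)
                if (line != "") listed[line] = 1
            }
            nosession["/bin/false"] = 1; nosession["/dev/null"] = 1
        }
        /^#/ || NF < 7 { next }
        {
            sh = ($7 == "") ? "/bin/sh" : $7   # empty field means /bin/sh
            if (!(sh in listed))        class = "no-ftp"
            else if (sh in nosession)   class = "ftp-only"
            else                        class = "interactive"
            printf "%s\t%s\n", $1, class
        }' "$1"
}

# Constructed sample data (not from the thread): three accounts, and a
# shells file to which /bin/false has been added as the reply suggests.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'alice:x:500:500::/home/alice:/bin/bash' \
                  'bob:x:501:501::/home/bob:/bin/false' \
                  'carol:x:502:502::/home/carol:/dev/null' > "$d/passwd"
    printf '%s\n' '/bin/sh' '/bin/bash' '/bin/false' > "$d/shells"
    classify_accounts "$d/passwd" "$d/shells"
    rm -rf "$d"
}
demo
```

Run against the real /etc/passwd and /etc/shells, any account reported as no-ftp loses FTP as well as telnet.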


 
 
 


Post by Brian Kuscha » Wed, 14 Jul 1999 04:00:00


Thanks!
I had tried adding this to the /etc/passwd file before, but I didn't
know about the /etc/shells file.

Is the /etc/security/access.conf file not used, then?

Brian


> make an entry in /etc/passwd for that user after the last colon ':'
> something like '/bin/false'
> then in /etc/shells add the line '/bin/false'


> > Hello,

> > I'd like to be able to allow certain users or groups to have access to
> > FTP, but not allow them to login via telnet.

> > I've tried disallowing access in /etc/security/access.conf like this
> > -:username:ALL     (It is the first in the list)

> > But this seems to have no effect.  Why?

> > Would a restricted shell be the way to go, just restrict everything?
> > Or is there another file that I should use, something like /etc/ftpusers
> > but for telnet.

> > Any help would be appreciated.
> > Thanks,
> > Brian

> > PS using RH 5.2

 
 
 


Post by rand » Thu, 15 Jul 1999 04:00:00


I'm not sure, that might be OS specific.  Maybe someone else will follow
this thread and answer it

--rjm--


> Thanks!
> I had tried adding this to the /etc/passwd file before, but I didn't
> know about the /etc/shells file.

> Is the /etc/security/access.conf file not used, then?

> Brian


> > make an entry in /etc/passwd for that user after the last colon ':'
> > something like '/bin/false'
> > then in /etc/shells add the line '/bin/false'


> > > Hello,

> > > I'd like to be able to allow certain users or groups to have access to
> > > FTP, but not allow them to login via telnet.

> > > I've tried disallowing access in /etc/security/access.conf like this
> > > -:username:ALL     (It is the first in the list)

> > > But this seems to have no effect.  Why?

> > > Would a restricted shell be the way to go, just restrict everything?
> > > Or is there another file that I should use, something like /etc/ftpusers
> > > but for telnet.

> > > Any help would be appreciated.
> > > Thanks,
> > > Brian

> > > PS using RH 5.2

 
 
 


Post by Dave Bro » Thu, 15 Jul 1999 04:00:00



>I'm not sure, that might be OS specific.  Maybe someone else will follow
>this thread and answer it

>--rjm--


>> Is the /etc/security/access.conf file not used, then?

I thought the file that controlled login access was /etc/securetty.

In other words, permit users to log in on "tty" but not "ttyp"...
But this is just a general recollection--you'd have to look up
the details.

--
Dave Brown   Austin, TX

 
 
 


Post by Brian Kuscha » Thu, 15 Jul 1999 04:00:00


I believe /etc/securetty applies only to root.

Specifying a nonexistent shell as a user's login shell (in /etc/passwd)
seems to cause them to be disconnected immediately after login.  Are
there any known security risks associated with this method?  It would be
nice to specify that a particular user would never even get
authenticated for telnet, while still allowing them real (not-anonymous)
FTP access.


> I thought the file that controlled login access was /etc/securetty.
> In other words, permit users to log in on "tty" but not "ttyp"...

 
 
 


Post by Jeffrey Shaffe » Fri, 16 Jul 1999 04:00:00


Hello,


> Hello,

> I'd like to be able to allow certain users or groups to have access to
> FTP, but not allow them to login via telnet.

In order to disallow certain IPs or even ALL access to your telnet service,
you can use the /etc/hosts.deny file. RedHat 5.2 runs the different services
through your inetd (super internet daemon). If you look in the
/etc/inetd.conf you'll see the in.telnetd service is started after being
passed through the tcpd wrapper. The tcpd wrapper checks the hosts.deny and
hosts.allow in that order. Just add:    in.telnetd :ALL
in the /etc/hosts.deny and that should do it.

With this you can deny ip, but not specific users.

Hope this works.

Jeff
Unix System Admin.
Embry-Riddle Aeronautical University
ext. 7003

> I've tried disallowing access in /etc/security/access.conf like this
> -:username:ALL     (It is the first in the list)

> But this seems to have no effect.  Why?

> Would a restricted shell be the way to go, just restrict everything?
> Or is there another file that I should use, something like /etc/ftpusers
> but for telnet.

> Any help would be appreciated.
> Thanks,
> Brian

> PS using RH 5.2
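
An added example, not part of the original post, that models the tcpd decision for the rule above: per hosts_access(5), a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted, and the user name never enters the decision. The function, the sample addresses and the in.ftpd daemon name are assumptions; only ALL, exact addresses and trailing-dot prefixes are modelled.

```shell
#!/bin/sh
# tcpd_decision DAEMON CLIENT_ADDR ALLOW_FILE DENY_FILE -> "grant" | "deny"
# Simplified model: no EXCEPT, netmasks, hostnames or shell commands.
tcpd_decision() {
    awk -v daemon="$1" -v client="$2" '
        function match1(pat, val) {
            if (pat == "ALL") return 1
            if (pat ~ /\.$/) return index(val, pat) == 1   # "192.168.1."
            return pat == val
        }
        function matches(list, val,    n, i, items) {
            n = split(list, items, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (items[i] != "" && match1(items[i], val)) return 1
            return 0
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            if (split($0, f, ":") < 2) next
            # First matching rule wins; the allow file is read first.
            if (matches(f[1], daemon) && matches(f[2], client)) {
                verdict = (FILENAME == ARGV[1]) ? "grant" : "deny"
                exit
            }
        }
        END { print (verdict == "" ? "grant" : verdict) }   # no match: grant
    ' "$3" "$4"
}

# Constructed sample files: the deny rule is the one from the post; the
# allow rule, the addresses and the in.ftpd daemon name are assumptions.
demo_tcpd() {
    d=$(mktemp -d) || return 1
    : > "$d/allow"
    echo 'in.telnetd :ALL' > "$d/deny"
    echo "telnet, any client:     $(tcpd_decision in.telnetd 203.0.113.7 "$d/allow" "$d/deny")"
    echo "ftp, same client:       $(tcpd_decision in.ftpd 203.0.113.7 "$d/allow" "$d/deny")"
    echo 'in.telnetd: 192.168.1.' > "$d/allow"
    echo "telnet, allowed subnet: $(tcpd_decision in.telnetd 192.168.1.10 "$d/allow" "$d/deny")"
    rm -rf "$d"
}
demo_tcpd
```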

 
 
 

1. restrict telnet/ssh but allow ftp

I'm trying to do this and having next to no luck.
I've seen many suggestions to change the shell location in /etc/passwd
to /dev/null or /bin/false, etc. However when I do that I can't login
with ftp. As soon as I change it back to /bin/bash I can login with
ftp.
How can I accomplish this?

Additionally, there are a couple users I want to give ssh access to.
How can I restrict their home directory (chroot) as well as limit what
commands they're able to run?

And thirdly, a proftpd question.
I have it currently set up in proftpd.conf; the DefaultRoot is
DefaultRoot /home/sites/domain.com bob
Inside the domain.com dir are the domain's users subdir and the web
content subdir.
When a user ftp's in they are chroot'ed to /home/sites/domain.com,
what I would like to happen is when they ftp in they start in
/home/sites/domain.com/users/bob but can't "cd .." any further than
/home/sites/domain.com

Thanks
