enforce ftp, deny ssh, enforce ssh, deny ftp


Post by Haxo » Thu, 23 Nov 2000 04:00:00



Hello,

I want my users to have two different accounts, one for ssh and one for ftp.
Let's divide them in two groups, ssh_users and ftp_users.

The ssh_users are real users, e.g they have normal user's rights BUT may not
use ftp for connection.
The ftp_users are guest users, e.g they may only connect to ftp where they
are chroot:ed to their home_dir.

This may seem weird, but since I don't want shell owners to send passwords
using ftp clients (clear text mode) and since I couldn't come up with a
better idea, this is it. Now, how do we accomplish this nifty workaround?

ssh_users got added to /etc/ftpusers, which will deny them from accessing
ftp.
ftp_users' seventh field in /etc/passwd was changed to 'false', which means,
no shell.

Well, so far so good but it's kind of a quick-and-dirty solution to the
problem. I guess there must be some better way.

/The Wonderer

Post by Tim Hayne » Thu, 23 Nov 2000 04:00:00



> The ssh_users are real users, e.g they have normal user's rights BUT may not
> use ftp for connection.
> The ftp_users are guest users, e.g they may only connect to ftp where they
> are chroot:ed to their home_dir.

> This may seem weird, but since I don't want shell owners to send
> passwords using ftp clients (clear text mode) and since I couldn't come
> up with a better idea, this is it. Now, how do we accomplish this nifty
> workaround?

> ssh_users got added to /etc/ftpusers, which will deny them from accessing
> ftp.
> ftp_users' seventh field in /etc/passwd was changed to 'false', which means,
> no shell.

No, it means login tries to spawn "false", which could be anything.

Set it to /bin/true and add that to /etc/shells, you'll be laughing.

> Well, so far so good but it's kind of a quick-and-dirty solution to the
> problem. I guess there must be some better way.

Well, the above is exactly how I'd go about it, but then again maybe it's
time I caught up with the modern wave...

I think the other way to go about this stuff is with _PAM_. No ideas,
you'll have to RTBreference_works, but I think it's possible there instead.

~Tim
--
   12:25pm  up 99 days, 15:00, 11 users,  load average: 0.04, 0.06, 0.02

http://piglet.is.dreaming.org |and the river flowed
                              |
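
An added example, not part of the original thread or written by any of its posters: a Python audit of the split discussed above. It checks that every ssh_users account is listed in the ftpusers file and that every ftp_users account has an absolute-path, non-interactive shell that is also listed in the shells file. The account names, file contents and the NO_LOGIN set are constructed assumptions.

```python
# Added example (not from the thread): audit the ssh_users / ftp_users split.
# All file contents and account names below are constructed sample data.
PASSWD = """\
alice:x:1001:100::/home/alice:/bin/bash
bob:x:1002:100::/home/bob:/bin/bash
alice_ftp:x:2001:200::/home/ftp/alice:/bin/true
bob_ftp:x:2002:200::/home/ftp/bob:false
carol_ftp:x:2003:200::/home/ftp/carol:/bin/bash
"""
GROUP = "ssh_users:x:100:\nftp_users:x:200:dave_ftp\n"
FTPUSERS = "# accounts denied ftp\nroot\nalice\n"
SHELLS = "/bin/sh\n/bin/bash\n/bin/true\n"
# Assumption: these programs exit at once, so they give no interactive session.
NO_LOGIN = {"/bin/true", "/bin/false", "/sbin/nologin"}

def listed(text):
    """Non-blank, non-comment entries of an ftpusers or shells file."""
    return {s for s in map(str.strip, text.splitlines()) if s and not s.startswith("#")}

def members(group_text, passwd_text, name):
    """Accounts in group `name`, by primary GID or by the group's member list."""
    for line in group_text.splitlines():
        g, _, gid, mem = line.split(":")
        if g == name:
            found = {m for m in mem.split(",") if m}
            found |= {p.split(":")[0] for p in passwd_text.splitlines()
                      if p.split(":")[3] == gid}
            return found
    return set()

def audit(passwd, group, ftpusers, shells):
    """Return sorted (account, problem) pairs that break the intended split."""
    shell_of = {p.split(":")[0]: p.split(":")[6] for p in passwd.splitlines()}
    denied, valid = listed(ftpusers), listed(shells)
    out = []
    for u in members(group, passwd, "ssh_users"):
        if u not in denied:
            out.append((u, "not in ftpusers: ftp login allowed"))
    for u in members(group, passwd, "ftp_users"):
        sh = shell_of.get(u)
        if sh is None:
            out.append((u, "in group but has no passwd entry"))
        elif not sh.startswith("/"):
            out.append((u, "shell is not an absolute path"))
        elif sh not in NO_LOGIN:
            out.append((u, "interactive shell: ssh login allowed"))
        elif sh not in valid:
            out.append((u, "shell not in shells file: ftpd may refuse login"))
    return sorted(out)
```

Calling `audit(PASSWD, GROUP, FTPUSERS, SHELLS)` on the sample data flags bob, bob_ftp, carol_ftp and dave_ftp. The audit covers configuration only; it does not detect a client sending a password to the ftp port.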

 
 
 


Post by Christer Johansso » Thu, 23 Nov 2000 04:00:00


If you want to use secure ftp, look at
http://www.cs.berkeley.edu/~smcpeak/safetp/

/Christer

Post by Jonathan H N Ch » Thu, 23 Nov 2000 04:00:00



>This may seem weird, but since I don't want shell owners to send passwords
>using ftp clients (clear text mode) and since I couldn't come up with a
>better idea, this is it. Now, how do we accomplish this nifty workaround?

Your proposal won't stop ssh users *attempting* to connect via ftp.
So passwords may still get leaked.

To prevent that you might automatically lock ssh accounts if ftp login
is attempted but that will leave the accounts open to denial-of-service
attacks.

-jonathan

--
Jonathan H N Chin, 1 dan | deputy computer | Newton Institute, Cambridge, UK

                "respondeo etsi mutabor" --Rosenstock-Huessy

1. Deny ssh but allow ftp

Hi,

How can I configure my server so that a specific user can't
login on my ssh, but can login to my ftp server? I've tried
to set shell on /sbin/nologin for that user, but ftp stopped
working then too. I am using redhat 9 with OpenSSH and vsftpd.

Thank you in advance,

Robert Mens
