On Thu, May 18, 2000 at 10:45:43AM +0000, Mats Rynge wrote:
> Hi!
>
> How can I limit some of my users to be able to use FTP but not be able
> to use Telnet. I thought this was possible by changing the shell to
> /bin/true, but it didn't work. I'm running potato and I'm using proftp as
> FTP server.

define `didn't work'

do you mean they were still able to telnet or that they could no longer
login to anything including ftp?

if it was the latter you need to run:

    echo "/bin/true" >> /etc/shells

if it was the former that would be very strange indeed, and would
indicate something is quite broken if the shell field of /etc/passwd is
being ignored...

however a more secure method to restrict users to ftp only IMO is with
pam:

in /etc/pam.d/login i have:

    auth required pam_listfile.so item=user sense=deny \
         file=/etc/deny.shell onerr=succeed

in /etc/deny.shell is a list of usernames that are not permitted to
login interactively, if they attempt to login with telnet or on the
console it will seem as though they are entering an incorrect password.

you will need to add this line to any other pam service that you wish to
disallow for ftp only accounts.

you should however combine this with setting the shell to /bin/true or
nologin [1] in case you happen to have something that does not use pam.

also don't use telnet, use ssh.

[1] the nologin program i refer to comes from OpenBSD, it is very
simple, it prints

    This account is currently not available.

and exits, it will also read /etc/nologin.txt if it exists and print its
contents instead. the OpenBSD source compiles fine on GNU/Linux. Debian
also has a similar program packaged called falselogin but it is
significantly more complicated than the OpenBSD version.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
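
An added example, not part of the original mail: a shell audit of the two-layer setup the reply describes. It reports deny-list users who still have an interactive shell and PAM service files that lack the pam_listfile rule. The function names, the accounts alice, bob and carol, and the fixture files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original mail). Audits the two-part setup the
# reply describes: the pam_listfile deny list plus a non-login shell.

# Print deny-list users whose passwd shell is still an interactive one.
users_with_login_shell() {   # $1 = deny list, $2 = passwd file
    while IFS= read -r user; do
        [ -n "$user" ] || continue
        shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$2")
        case "$shell" in
            /bin/true|*/nologin) ;;              # non-interactive, as advised
            "") echo "$user: no passwd entry or empty shell" ;;
            *)  echo "$user: shell is $shell" ;;
        esac
    done < "$1"
}

# Print PAM service files that lack a pam_listfile rule for the deny list.
services_without_listfile() {   # $1 = pam.d directory, $2 = deny list path
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # Join backslash-continued lines, strip comments, then look for the rule.
        sed -e ':a' -e '/\\$/N; s/\\\n//; ta' -e 's/#.*//' "$f" |
            grep 'pam_listfile\.so' | grep -qF "file=$2" || basename "$f"
    done
}

# Constructed sample files (not real system data) so the audit runs offline.
make_fixture() {   # $1 = empty directory to populate
    mkdir -p "$1/pam.d"
    printf '%s\n' alice bob > "$1/deny.shell"
    printf '%s\n' 'alice:x:1001:1001::/home/alice:/bin/true' \
                  'bob:x:1002:1002::/home/bob:/bin/bash' \
                  'carol:x:1003:1003::/home/carol:/bin/bash' > "$1/passwd"
    printf '%s\n' 'auth required pam_listfile.so item=user sense=deny \' \
                  '     file=/etc/deny.shell onerr=succeed' > "$1/pam.d/login"
    printf '%s\n' 'auth required pam_unix.so' > "$1/pam.d/ssh"
}

tmp=$(mktemp -d)
make_fixture "$tmp"
users_with_login_shell "$tmp/deny.shell" "$tmp/passwd"      # bob: shell is /bin/bash
services_without_listfile "$tmp/pam.d" /etc/deny.shell      # ssh
rm -rf "$tmp"
```

On a real system the same functions take /etc/deny.shell, /etc/passwd and /etc/pam.d as arguments; services that are meant to stay open to these accounts, such as ftp, will be listed and can be ignored.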