On Wed, 2 May 2001 at 5:06pm (+0430), Alireza Saleh wrote:
> Thank you for your reply Matthew,
> I just want to deny access to some users via specific services, for example I
> have users : A, B, C on my server I don't want to give access into my
> computer via Telnet and FTP to A, C.
Well if you put users A and C's names into /etc/ftpusers then they will not
be able to ftp in. No such file exists for telnet though. We could make
one but telnet uses login, and if we set up login to use a deny list like
ftpusers then we'd be cutting them off from more than telnet. Instead I
think you should add ...

    account required /lib/security/pam_access.so

... to the account section of /etc/pam.d/ftp and /etc/pam.d/telnet. Now in
/etc/security/access.conf add a line like...

    -:A C:ALL EXCEPT LOCAL

... and now A and C may not log in by ftp or telnet but may still log in on
the local console or sshd etc. Alternatively you could add A and C to a
common group (in addition to their primary group) so in /etc/group we
have...

    restrict:x:75:A,C

... and in access.conf we have...

    -:restrict:ALL EXCEPT LOCAL

... so now instead of adding users to access.conf you add them to the
restrict group.
NB - If you add pam_access.so to any other service's pam file they won't be
able to use that service either. That's a limit in the flexibility of the
solution but I am not aware of an easy way to work around it - assuming it's
an issue for you at all which it doesn't sound like it would be.
M.
P.S. The simplest solution is to set A and C's shell to /bin/true and now
neither telnet nor ftp will work. Neither will anything else though - this
would only be useful for something like a mail client that was able to login
via POP3 and get their email but couldn't interact with the box in any other
way.
--
WebCentral Pty Ltd Australia's #1 Internet Web Hosting Company
Level 1, 96 Lytton Road. Network Operations - Systems Engineer
PO Box 4169, East Brisbane. phone: +61 7 3249 2500
Queensland, Australia. pgp key id: 0x900E515F
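
The access.conf rules in the message above, evaluated by a small model of the matching logic. This is an added example, not part of the original message and not pam_access's own code; it only describes services whose PAM file loads pam_access.so. Assumptions: LOCAL is treated as "no remote host", and the host name client.example.com is constructed.

```python
# Added example: simplified model of pam_access rule matching (not pam_access itself).
GROUPS = {"restrict": {"A", "C"}}   # mirrors the message's line restrict:x:75:A,C
BY_USER = "-:A C:ALL EXCEPT LOCAL"          # rule from the message
BY_GROUP = "-:restrict:ALL EXCEPT LOCAL"    # group variant from the message
REMOTE = "client.example.com"               # constructed remote host name

def parse_rules(text):
    """Parse 'permission:users:origins' lines, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed rule: {line!r}")
        rules.append((fields[0], fields[1].split(), fields[2].split()))
    return rules

def match_list(tokens, test):
    """'a b EXCEPT c': a token before EXCEPT matches and none after it does."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return match_list(tokens[:i], test) and not match_list(tokens[i + 1:], test)
    return any(test(t) for t in tokens)

def allowed(rules, user, remote_host=None):
    """First matching rule decides; if nothing matches, access is granted."""
    def user_ok(t):      # token is ALL, the user name, or a group the user is in
        return t == "ALL" or t == user or user in GROUPS.get(t, ())
    def origin_ok(t):    # assumption: LOCAL means "no remote host" (console login)
        return t == "ALL" or (t == "LOCAL" and remote_host is None) or t == remote_host
    for perm, users, origins in rules:
        if match_list(users, user_ok) and match_list(origins, origin_ok):
            return perm == "+"
    return True

def report(conf):
    """Decision for users A, B, C from the console (None) and from REMOTE."""
    rules = parse_rules(conf)
    return {(u, h): allowed(rules, u, h) for u in "ABC" for h in (None, REMOTE)}

if __name__ == "__main__":
    for conf in (BY_USER, BY_GROUP):
        print(conf)
        for (user, host), ok in report(conf).items():
            print(f"  {user} from {host or 'console'}: {'allow' if ok else 'deny'}")
```

Both rule forms give the same result: A and C are denied from a remote host and allowed on the console, while B is never matched and falls through to the default allow.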