Deny ssh but allow ftp

 
 
Robert
Guest
Posts: n/a

 
      09-19-2003, 03:55 PM
Hi,

How can I configure my server so that a specific user can't
login on my ssh, but can login to my ftp server? I've tried
to set shell on /sbin/nologin for that user, but ftp stopped
working then too. I am using redhat 9 with OpenSSH and vsftpd.

Thank you in advance,

Robert Mens
 
 
 
 
 
Rich Piotrowski
Guest
Posts: n/a

 
      09-19-2003, 07:21 PM
On Fri, 19 Sep 2003 17:55:07 +0200, Robert <(E-Mail Removed)> wrote:

>Hi,
>
>How can I configure my server so that a specific user can't
>login on my ssh, but can login to my ftp server? I've tried
>to set shell on /sbin/nologin for that user, but ftp stopped
>working then too. I am using redhat 9 with OpenSSH and vsftpd.
>
>Thank you in advance,
>
>Robert Mens



hosts.allow
hosts.deny


Rich Piotrowski

To E-mail use: rpiotro(at)wi(dot)rr(dot)com
 
 
Jeroen Geilman
Guest
Posts: n/a

 
      09-19-2003, 07:25 PM
Robert wrote:

> Hi,
>
> How can I configure my server so that a specific user can't
> login on my ssh, but can login to my ftp server? I've tried
> to set shell on /sbin/nologin for that user, but ftp stopped
> working then too. I am using redhat 9 with OpenSSH and vsftpd.


man sshd_config - AllowUsers

But really...

--
Jeroen Geilman

Gentoo 1.4 rc4

 
 
Bill Marcum
Guest
Posts: n/a

 
      09-19-2003, 10:08 PM
On Fri, 19 Sep 2003 17:55:07 +0200, Robert
<(E-Mail Removed)> wrote:
> Hi,
>
> How can I configure my server so that a specific user can't
> login on my ssh, but can login to my ftp server? I've tried
> to set shell on /sbin/nologin for that user, but ftp stopped
> working then too. I am using redhat 9 with OpenSSH and vsftpd.
>

echo /sbin/nologin >> /etc/shells


--
Commander Spiral Pyjama Pseudo-Rhinocerous Feline Thingamajig Bill Marcum
(the First)
Ozy and Millie Name Generator http://heifong.phase.org/omname.php
 
 
dave
Guest
Posts: n/a

 
      09-20-2003, 04:15 AM
Bill Marcum wrote:

> On Fri, 19 Sep 2003 17:55:07 +0200, Robert
> <(E-Mail Removed)> wrote:
>> Hi,
>>
>> How can I configure my server so that a specific user can't
>> login on my ssh, but can login to my ftp server? I've tried
>> to set shell on /sbin/nologin for that user, but ftp stopped
>> working then too. I am using redhat 9 with OpenSSH and vsftpd.
>>

> echo /sbin/nologin >> /etc/shells
>
>


I take it you also do not have telnet running.
So
in /etc/ssh/sshd_config
add the line
DenyUsers john sam tripper etc...
from man sshd_config

DenyUsers
This keyword can be followed by a list of user name patterns,
separated by spaces. Login is disallowed for user names that
match one of the patterns. ‘*’ and ‘?’ can be used as wildcards
in the patterns. Only user names are valid; a numerical user ID
is not recognized. By default, login is allowed for all users.
If the pattern takes the form USER@HOST then USER and HOST are
separately checked, restricting logins to particular users from
particular hosts.
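
An added example, not part of the post above or of OpenSSH: a small shell audit that models the DenyUsers rules quoted from the man page (space-separated patterns, `*` and `?` wildcards, USER@HOST) next to the /etc/shells listing discussed earlier in the thread. The function names, sample files and accounts are constructed for illustration, and host matching is simplified to a glob on the host name.

```shell
#!/bin/sh
# Added example; every file below is constructed sample data, not a real system.
d=$(mktemp -d)
cat > "$d/sshd_config" <<'EOF'
DenyUsers john sam
DenyUsers tripper@*.example.org
DenyUsers amy,bob
EOF
printf '%s\n' 'john:x:501:501::/home/john:/sbin/nologin' \
              'amy:x:502:502::/home/amy:/bin/bash' > "$d/passwd"
printf '%s\n' /bin/sh /bin/bash > "$d/shells.before"
printf '%s\n' /bin/sh /bin/bash /sbin/nologin > "$d/shells.after"

# deny_match USER HOST CONFIG: succeed if a DenyUsers pattern matches.
# Simplified model of the man page text: space-separated patterns, * and ?
# wildcards, optional USER@HOST. Commas are NOT separators.
deny_match() {
    pats=$(awk 'tolower($1) == "denyusers" { for (i = 2; i <= NF; i++) print $i }' "$3")
    set -f                                  # keep * and ? from globbing files
    for p in $pats; do
        case $p in
            *@*) up=${p%%@*}; hp=${p#*@} ;;
            *)   up=$p; hp='*' ;;
        esac
        case $1 in $up) ;; *) continue ;; esac
        case $2 in $hp) set +f; return 0 ;; esac
    done
    set +f
    return 1
}

# shell_listed USER PASSWD SHELLS: succeed if the user's login shell is a line
# in the shells file (what the /etc/shells fix in this thread changes).
shell_listed() {
    login_shell=$(awk -F: -v u="$1" '$1 == u { print $7 }' "$2")
    [ -n "$login_shell" ] && grep -Fxq -- "$login_shell" "$3"
}

# audit_user USER HOST CONFIG PASSWD SHELLS: one-line summary of both checks.
audit_user() {
    if deny_match "$1" "$2" "$3"; then ssh_state=denied; else ssh_state=allowed; fi
    if shell_listed "$1" "$4" "$5"; then sh_state=listed; else sh_state=unlisted; fi
    echo "$1: ssh=$ssh_state shell=$sh_state"
}

audit_user john 10.0.0.5 "$d/sshd_config" "$d/passwd" "$d/shells.before"
audit_user john 10.0.0.5 "$d/sshd_config" "$d/passwd" "$d/shells.after"
audit_user amy  10.0.0.5 "$d/sshd_config" "$d/passwd" "$d/shells.after"
```

In the sample data, `amy` stays allowed because `amy,bob` is read as one literal pattern, which is the failure mode of a comma-separated DenyUsers line.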



 
 
Paul Lutus
Guest
Posts: n/a

 
      09-20-2003, 05:19 PM
Bill Marcum wrote:

> On Fri, 19 Sep 2003 17:55:07 +0200, Robert
> <(E-Mail Removed)> wrote:
>> Hi,
>>
>> How can I configure my server so that a specific user can't
>> login on my ssh, but can login to my ftp server? I've tried
>> to set shell on /sbin/nologin for that user, but ftp stopped
>> working then too. I am using redhat 9 with OpenSSH and vsftpd.
>>

> echo /sbin/nologin >> /etc/shells


Didn't you mean:

# cat /sbin/nologin >> /etc/shells

--
Paul Lutus
http://www.arachnoid.com

 
 
Tim Johnson
Guest
Posts: n/a

 
      09-20-2003, 11:13 PM
What about just changing their shell access to /bin/false?

That should allow FTP but deny shell access.

-tim


 
 
Mike Nugent
Guest
Posts: n/a

 
      09-21-2003, 08:32 AM
Rich Piotrowski wrote:
> On Fri, 19 Sep 2003 17:55:07 +0200, Robert <(E-Mail Removed)> wrote:
>
>
>>Hi,
>>
>>How can I configure my server so that a specific user can't
>>login on my ssh, but can login to my ftp server? I've tried
>>to set shell on /sbin/nologin for that user, but ftp stopped
>>working then too. I am using redhat 9 with OpenSSH and vsftpd.
>>
>>Thank you in advance,
>>
>>Robert Mens

>
>
>
> hosts.allow
> hosts.deny
>
>
> Rich Piotrowski
>
> To E-mail use: rpiotro(at)wi(dot)rr(dot)com


Don't hosts.allow and hosts.deny only work if the service is set up
via inetd? sshd usually runs as a standalone daemon.

It's been quite a while since I've used either of these, but I'm pretty
sure that's still true.


--
Mike Nugent
Programmer/Author/DBA/Admin
In search of employment, email for credentials
(E-Mail Removed)

 
 
Mike Nugent
Guest
Posts: n/a

 
      09-21-2003, 08:35 AM
Tim Johnson wrote:
> What about just changing their shell access to /bin/false?
>
> That should allow FTP but deny shell access.
>
> -tim
>
>


I'm pretty sure if you specify

ssh (E-Mail Removed) 'ls > /tmp/test'

it will run no matter what shell you have.

I'm pretty sure sshd only spawns a shell from /etc/passwd when you use
it to log into a machine.

What I think this user wants is ftp virtual users. I'm pretty sure
proftpd supports this. Please check the man pages as I haven't set it
up in a very long time.

--
Mike Nugent
Programmer/Author/DBA/Admin
In search of employment, email for credentials
(E-Mail Removed)

 
 
 
 