Hi Boris! On Wed, 07 Nov 2001, Boris Lorenz wrote:
Hi,
On 06-Nov-01 Teodor Cimpoesu wrote:
Hi Andreas! On Tue, 06 Nov 2001, Andreas Rittershofer wrote:
On 6 Nov 01, at 10:39, Thorsten Marquardt wrote:
I'd like to offer some customers a kind of sftp account but to deny any login to these accounts. So I thought about having /bin/false as shell in /etc/passwd, but this prevents sftp too. What can I do?
put /bin/false in /etc/shells and set /bin/false as shell [discl: not tested]
this works with ftp, but not with sftp, which is part of the ssh package.
For pam stuff: http://www.samag.com/documents/s=1161/sam0009a/0009a.htm
You can easily set it up so that a user cannot log in via ftp/etc, but sftp is PART of ssh, so it greatly complicates things. Simply limit them to 1 process or something and they won't be able to fire up a shell.
Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
----- Original Message -----
From: "Teodor Cimpoesu" <teo@gecadsoftware.com>
To: <suse-security@suse.com>
Sent: Wednesday, November 07, 2001 2:00 PM
Subject: Re: [suse-security] sftp without without a valid shell?
I've gone thru all the options two years ago... /bin/false, /bin/noshell, my own (perl-)shells, to no avail. Only ssh-dummy-shell does the trick.
If there's an alternative to it, I would be happy to learn.
[another not tested rant :)]
maybe:
auth required /lib/security/pam_shells.so
instead of:
auth required /lib/security/pam_nologin.so
in /etc/pam.d/sshd?
-- teodor