Prevent ssh login

Chris · External Since: Sep 14, 2006 Posts: 21

This may seem odd, but how do I prevent a user from logging in via ssh?

I want to give one particular user FTP access and no access of any other
kind. I'm using vsftpd.

Eric · External Since: Mar 05, 2007 Posts: 47

Chris wrote:
> This may seem odd, but how do I prevent a user from logging in via ssh?
>
> I want to give one particular user FTP access and no access of any other
> kind. I'm using vsftpd.

first link on google will lead to...

http://www.cyberciti.biz/tips/openssh-deny-or-restrict-access-to-users...d-group

Mark Nenadov · External Since: Mar 03, 2007 Posts: 4

On Fri, 23 Mar 2007 20:34:52 +0100, Eric wrote:

> Chris wrote:
>> This may seem odd, but how do I prevent a user from logging in via ssh?
>>
>> I want to give one particular user FTP access and no access of any other
>> kind. I'm using vsftpd.
>
> first link on google will lead to...
>
> http://www.cyberciti.biz/tips/openssh-deny-or-restrict-access-to-
-and-groups.html

That may be the first link google gives, but it isn't necessarily the best
solution.

Yes, you can deny users access in the SSHD config. However, going by the
principle of not giving a user more access then they need, a better
solution in view of the FTP-only requirement would be changing that users
shell to /sbin/nologin

--

Mark Nenadov -> skype: marknenadov, web: http://www.marknenadov.com
-> "Careful, monsieur, with me. Do not tangle with me.
I'm a trained expert in karate. My hands are lethal weapons!"
-- Peter Sellers in A Shot In The Dark

David Bolt · External Since: Feb 14, 2006 Posts: 526

On Fri, 23 Mar 2007, Chris <spam_me_not.RemoveThis@goaway.com> wrote:-

>This may seem odd, but how do I prevent a user from logging in via ssh?
>
>I want to give one particular user FTP access and no access of any
>other kind. I'm using vsftpd.

The way I've done it is to change the shell to /bin/true for the users
you don't wish to have shell access. Doing this means they can't log in,
even if they have direct access to the system[0]. It doesn't stop them
from being able to use FTP and/or POP3 for mail[1], which is ideal for
the few users I've used this for.

[0] They can su - <username> -s /bin/bash but need access to another
account that _does_ have a usable login shell.

[1] Can you say web server and POP3 mailbox hosting Smile

DrE · External Since: Mar 12, 2007 Posts: 22

Chris schreef:
> This may seem odd, but how do I prevent a user from logging in via ssh?
>
> I want to give one particular user FTP access and no access of any other
> kind. I'm using vsftpd.
Just put "AllowUsers user1 user2 user3" in sshd_config. Otherwise use
DenyUsers.

Dre

Matthew Wild · External Since: May 30, 2006 Posts: 10

Mark Nenadov wrote:
> On Fri, 23 Mar 2007 20:34:52 +0100, Eric wrote:
>
>> Chris wrote:
>>> This may seem odd, but how do I prevent a user from logging in via ssh?
>>>
>>> I want to give one particular user FTP access and no access of any other
>>> kind. I'm using vsftpd.
>> first link on google will lead to...
>>
>> http://www.cyberciti.biz/tips/openssh-deny-or-restrict-access-to-
> -and-groups.html
>
>
> That may be the first link google gives, but it isn't necessarily the best
> solution.
>
> Yes, you can deny users access in the SSHD config. However, going by the
> principle of not giving a user more access then they need, a better
> solution in view of the FTP-only requirement would be changing that users
> shell to /sbin/nologin
>

Do they even need to be a full user? You could set them up as a virtual
ftp user, who then only has access to things via vsftpd.

Matthew