On Thu, Dec 04, 2003 at 12:17:35AM -0500, Thien Ho wrote:

> >If you want to block all access to the system for a specific user:
> >
> >    passwd -l luser
>
> it's a workaround

True. I use a different method whereby users are blocked by default, then added to a list file if they're permitted access. For example, to allow specific users only to use ssh, I add this line to the top of /etc/pam.d/sshd:

    auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/sshusers.allow onerr=fail

I then create a file called /etc/sshusers.allow that contains one username per line. Any user listed in that file is permitted to log in via ssh.

Be careful doing this, because if you mess it up, NOBODY will be able to log in. :-)

> >If you only need to block login services (ftp, sftp, scp, ssh, telnet):
> >
> >    chsh -s /sbin/nologin luser
>
> Have you tested that?

To be honest, no. I don't even support ftp logins on my box at all any more, preferring scp/sftp. I believe that a user without a shell can't log in to ftp, since ftp issues commands such as ls for retrieving lists of files. Mind you, that might not be true any more with more recent ftp daemons, so my previous assumptions might no longer apply. Thanks for pointing that out...

> I'm absolutely sure that even if you change the shell to nologin, users are
> still able to ftp.

If you want fine-grained control over who logs in to what service, that's a good thing. You can apply something similar to what I did with /etc/pam.d/sshd to the relevant ftp file in /etc/pam.d and enforce the restriction that only specific users can log in to ftp.

Regards,

Msquared...

--
Shrike-list mailing list
Shrike-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/shrike-list
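The pam_listfile allow-list described in the message above, as an added example that is not part of the original post or of the pam_listfile module itself: a small POSIX sh pre-flight check to run before adding the auth line to /etc/pam.d/sshd. The function names are hypothetical; listfile_allows mirrors the item=user sense=allow onerr=fail decision in simplified form (exact whole-line username matches only), and listfile_mode_ok reflects pam_listfile's refusal of a list file that is writable by group or other (it also requires root ownership, which is not checked here). The preflight confirms that the account you administer from is actually listed, which is the "NOBODY will be able to log in" mistake the message warns about.

```shell
#!/bin/sh
# Added example (not from the original message): sanity checks for the
# pam_listfile allow-list approach, to run before touching /etc/pam.d/sshd.
# Function names are hypothetical; the matching is a simplified model of
# pam_listfile's item=user sense=allow onerr=fail semantics.

# listfile_allows USER FILE
# Returns 0 if USER appears as a whole line in FILE, 1 if it does not,
# and 2 if FILE is missing or unreadable (which onerr=fail turns into a deny).
listfile_allows() {
    _user=$1
    _file=$2
    [ -r "$_file" ] || return 2
    # -x: whole-line match, so "al" does not match "alice"; -F: no regex
    # interpretation of the username; --: a name starting with "-" is not a flag.
    grep -qxF -- "$_user" "$_file" && return 0
    return 1
}

# listfile_mode_ok FILE
# pam_listfile rejects a list file that is writable by group or other, and a
# rejected file counts as an error, so with onerr=fail it denies everyone.
# In the ls -l mode string, group write is column 6 and other write is column 9.
listfile_mode_ok() {
    _file=$1
    [ -e "$_file" ] || return 1
    case "$(ls -ld "$_file")" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# listfile_preflight FILE ADMIN_USER
# Confirms the list file is usable and that ADMIN_USER (the account you will
# still need to log in with) is listed. Prints the reason on failure.
listfile_preflight() {
    _file=$1
    _admin=$2
    if ! listfile_mode_ok "$_file"; then
        echo "preflight: $_file is missing or group/world-writable; pam_listfile would reject it" >&2
        return 1
    fi
    _rc=0
    listfile_allows "$_admin" "$_file" || _rc=$?
    case $_rc in
        0) return 0 ;;
        1) echo "preflight: $_admin is not in $_file; you would lock yourself out" >&2; return 1 ;;
        *) echo "preflight: cannot read $_file" >&2; return 1 ;;
    esac
}
```

Source the file and run `listfile_preflight /etc/sshusers.allow yourname` before adding the auth line; only proceed when it returns 0, and keep a second root session open while you test the first login.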