
#1 2008-12-27 11:51:15

Arcath
Member
Registered: 2008-04-08
Posts: 27

preventing a user from logging in through SSH

I need to create a "restricted" user account that people can use for FTP, but can't be used to SSH into the server.

I am using the latest version of OpenSSH.


#2 2008-12-27 11:59:40

alessandro_ufms
Member
From: Campo Grande, MS - Brazil
Registered: 2008-06-25
Posts: 153

Re: preventing a user from logging in through SSH

I don't understand.
Do you want to restrict the user to SFTP use? For this, use the rssh program.


#3 2008-12-27 12:01:04

Arcath
Member
Registered: 2008-04-08
Posts: 27

Re: preventing a user from logging in through SSH

I want people to be able to use the account to log in through FTP but not let them log in through SSH.


#4 2008-12-27 12:08:40

wonder
Developer
From: Bucharest, Romania
Registered: 2006-07-05
Posts: 5,941

Re: preventing a user from logging in through SSH

Modify the corresponding line in /etc/passwd from /bin/bash to /bin/false or /sbin/nologin,
or
you can configure sshd to permit/deny only specific users or groups. man sshd_config

AllowGroups
              This keyword can be followed by a list of group name patterns,
              separated by spaces.  If specified, login is allowed only for
              users whose primary group or supplementary group list matches
              one of the patterns.  Only group names are valid; a numerical
              group ID is not recognized.  By default, login is allowed for
              all groups.  The allow/deny directives are processed in the
              following order: DenyUsers, AllowUsers, DenyGroups, and finally
              AllowGroups.
AllowUsers
              This keyword can be followed by a list of user name patterns,
              separated by spaces.  If specified, login is allowed only for
              user names that match one of the patterns.  Only user names are
              valid; a numerical user ID is not recognized.  By default, login
              is allowed for all users.  If the pattern takes the form
              USER@HOST then USER and HOST are separately checked, restricting
              logins to particular users from particular hosts.  The
              allow/deny directives are processed in the following order:
              DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

Last edited by wonder (2008-12-27 12:12:47)


Give what you have. To someone, it may be better than you dare to think.


#5 2008-12-27 12:14:59

attila
Member
Registered: 2006-11-14
Posts: 293

Re: preventing a user from logging in through SSH

Arcath wrote:

I want people to be able to use the account to log in through FTP but not let them log in through SSH.

I'm not really sure that I understand you in the right way, but you can use "AllowGroups" and/or "AllowUsers" in the sshd_config to control which users can log in via ssh.


#6 2008-12-27 13:09:52

Arcath
Member
Registered: 2008-04-08
Posts: 27

Re: preventing a user from logging in through SSH

I will be using the server as an FTP server at a LAN party. It already has a few accounts for the web hosting on it, as well as accounts for people using it as FTP storage, so it already has all the security I want. The user was already limited, and the files on the FTP server were going to be read only by that user, but at the LAN party some people would have found it funny to log in through SSH and "passwd" or "rm -R patches/", so just removing SSH access for the only user they will know the password to was the easiest way to go.

"DenyUsers lan" in /etc/ssh/sshd_config has worked fine for what I want.
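
Added example, not part of any post in this thread: a small shell emulation of the allow/deny processing order quoted from sshd_config(5) in post #4, run against a constructed config that denies the "lan" user. The function names, the sample config and the other user and group names are assumptions made for illustration.

```shell
#!/bin/sh
# Emulates the allow/deny order quoted from sshd_config(5) in post #4.
# Simplified: name patterns with * and ? only (no USER@HOST, no "!" negation,
# no Match blocks). All function names here are hypothetical.

# list_for KEYWORD FILE: print every pattern given for KEYWORD. Keywords are
# matched case-insensitively; repeated lines are merged (assumed here).
list_for() {
    awk -v k="$1" 'tolower($1) == tolower(k) { for (i = 2; i <= NF; i++) print $i }' "$2"
}

# matches_any "NAMES" "PATTERNS": succeed if any name matches any pattern.
matches_any() (
    set -f   # keep "*" in a pattern from expanding to file names
    for name in $1; do
        for pat in $2; do
            case $name in $pat) exit 0 ;; esac
        done
    done
    exit 1
)

# ssh_login_decision USER "GROUP LIST" FILE: print "allow" or "deny: <reason>".
ssh_login_decision() {
    user=$1 groups=$2 cfg=$3
    deny_u=$(list_for DenyUsers "$cfg");  allow_u=$(list_for AllowUsers "$cfg")
    deny_g=$(list_for DenyGroups "$cfg"); allow_g=$(list_for AllowGroups "$cfg")
    if matches_any "$user" "$deny_u"; then echo "deny: DenyUsers"; return; fi
    if [ -n "$allow_u" ] && ! matches_any "$user" "$allow_u"; then echo "deny: not in AllowUsers"; return; fi
    if matches_any "$groups" "$deny_g"; then echo "deny: DenyGroups"; return; fi
    if [ -n "$allow_g" ] && ! matches_any "$groups" "$allow_g"; then echo "deny: not in AllowGroups"; return; fi
    echo allow
}

# Constructed sample config (not taken from the server in this thread).
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
# constructed sample
DenyUsers lan guest*
AllowGroups wheel ftpusers
EOF

ssh_login_decision lan "lan ftpusers" "$sample_cfg"    # DenyUsers is checked first
ssh_login_decision arcath "users wheel" "$sample_cfg"  # passes via AllowGroups
ssh_login_decision bob "users" "$sample_cfg"           # in no allowed group
```

On the real server, `sshd -t` checks /etc/ssh/sshd_config for errors before the daemon is restarted.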
