Re: Disable ssh login + enable scp for specific users.

From: Dominik Schleich (dsc_at_tpso.com)
Date: 01/22/04

    Date: Thu, 22 Jan 2004 14:27:51 +0100
    To: Martin Sarsale <msarsale@buenosaires.gov.ar>
    
    

    Martin Sarsale wrote:

    >On Wed, 2004-01-21 at 08:41, Dominik Schleich wrote:
    >
    >
    >>Loris Serena wrote:
    >>
    >>
    >>
    >>>Hello list,
    >>>
    >>>Here is what I need to achieve on a per-user basis:
    >>>
    >>>1. disallow user-xyz to login via ssh to a specific box;
    >>>2. let user-xyz be able to scp to said box;
    >>>3. let anybody else ssh to said box and then su - user-xyz.
    >>>
    >>>Is there any way of doing this?
    >>>
    >>>Thanks in advance
    >>>
    >>>Loris
    >>>
    >>>
    >>>
    >>Hi Loris
    >>Principally it should be enough to set the login shell of user-xyz to an
    >>invalid path (e.g. /bin/none or so) in your /etc/passwd.
    >>
    >>It's not tested, just what I think, but I hope it helps anyway.
    >>
    >>
    >
    >This won't work because when the other user su's to user-xyz, the invalid
    >shell will be executed and after that, the user will be "logged off".
    >
    >For example:
    >
    >debian:~# grep snort /etc/passwd
    >snort:x:105:1003:Snort IDS:/var/log/snort:/bin/false
    >debian:~# su snort
    >debian:~#
    >
    >and it's not possible to execute another shell
    >
    >
    >
    Sorry, sorry, I just answered too fast...
    Meanwhile I tested it at home, and it won't work this way...
    I think it will work with the scponly shell as login shell, like it was
    posted here too. In addition, the users allowed to view these files
    should be in the same group (of course with the right perms).

