On Tue, Sep 27, 2011 at 10:43 AM, David Walker <[email protected]>wrote:
> Hi.
>
> I have some accounts that don't require home directories or shells.
> In the past I used ftpd for web uploading and would do the
> shell==false thing and chroot them and set the login directory via the
> passwd file.
> Bye bye ftpd, hello sshd.
>
Using false for your shell is okay for ftp. It is not for ssh/sftp.
>
> So I'm looking at this again, using the sshd's internal sftp and
> chroot directives on a per user basis. For now I'm looking at using
> password authentication.
> Here's the nervous administrator talking but is this correct ...
>
> If these users connect via ssh, sshd will authenticate them via their
> password entry and once that's achieved, the "home" directory will be
> according to sshd_config and the "shell" will be whatever interface
> sftp provides.
> In other words, for that purpose the home and shell directives in
> master.passwd will never come into play.
>
The user has to have a valid shell (ksh works) even if the match directive is
used to process the user to sftp only. The user should have a valid shell, and
the sshd_config should use the match directive as follows:

    Match User sftpuser
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
> If that is correct, should I care about what the entries are in
> master.passwd?
> Is blank okay?
> Presumably I could set up shell==false but is a blank entry as good here?
> I notice that there are a couple of items in master.passwd that seem
> to fit the bill for this - UID 32767 ("nobody") has directory set to
> /nonexistent and it and many others have shell set to /sbin/nologin
> ...
>
> I think I get the purpose of nologin and it can be used to disable
> accounts as needed.
> If users are connecting via sshd for sftp purposes only will setting
> /sbin/nologin or any other shell affect them at all?
>
> Is nonexistent a key word? I've been stumbling through source but I'm
> very out of my depth. Is it merely a good english word that points to
> any non-existent directory?
>
> A hundred other questions ...
>
> TIA
>
> Best wishes.