Re: User Access restriction.
> On Tuesday 30 May 2006 01:28, Mikhail Goriachev wrote:
> > Marwan Sultan wrote:
> > > Hello,
> > >
> > > Yes, I understand that to lock up a user from navigating outside their
> > > home directories through
> > > ftp, I simply can add them to /etc/ftpchroot and when a user connects
> > > it won't allow him
> > > to go any level higher than his home directory.
> > > No need for proftpd as additional port, because the base system will do
> > > it through /etc/ftpchroot
> > >
> > > BUT!!
> > > The user can connect through SSH and navigate,
> > > Here is where my information stops,
> > > 2 questions,
> > > 1) How do I have a list of a few users to disallow them from using SSH?
> > > Is there anywhere I add a user to disallow him from using SSH?
>
> You can define /usr/sbin/nologin as their shell, that will prevent all shell
> logins for that user. But AFAIK the stock ftp will not work without shell
> access. You will need to use something like proftpd if you go that route.

It has been a long time since I played with it (years) but I think
exactly what you suggest here will work as the poster wants.
Of course, nologin or its equivalent needs to be listed in /etc/shells.

jerry

>
> Beech
>
> > man sshd_config
> >
> > and see AllowUsers/DenyUsers sections.
> >
> > > 2) If I want to lock the user through his SSH session, not FTP session,
> > > what's the way?
> > > Is jail the only way? No easier way? chroot can do it? How, if yes? Or
> > > what are the alternatives?
> > >
> > > Thank you guys for following up with me.
> > >
> > > Marwan
> >
> > Cheers,
> > Mikhail.
>
> --
> Beech Rintoul - Sys. Administrator - [EMAIL PROTECTED]
> /"\ ASCII Ribbon Campaign | Alaska Paradise
> \ / - NO HTML/RTF in e-mail | 201 East 9Th Avenue Ste.310
>  X  - NO Word docs in e-mail | Anchorage, AK 99501
> / \ - Please visit Alaska Paradise - http://www.alaskaparadise.com

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: User Access restriction.
On Tuesday 30 May 2006 01:28, Mikhail Goriachev wrote:
> Marwan Sultan wrote:
> > Hello,
> >
> > Yes, I understand that to lock up a user from navigating outside their
> > home directories through
> > ftp, I simply can add them to /etc/ftpchroot and when a user connects
> > it won't allow him
> > to go any level higher than his home directory.
> > No need for proftpd as additional port, because the base system will do
> > it through /etc/ftpchroot
> >
> > BUT!!
> > The user can connect through SSH and navigate,
> > Here is where my information stops,
> > 2 questions,
> > 1) How do I have a list of a few users to disallow them from using SSH?
> > Is there anywhere I add a user to disallow him from using SSH?

You can define /usr/sbin/nologin as their shell, that will prevent all shell
logins for that user. But AFAIK the stock ftp will not work without shell
access. You will need to use something like proftpd if you go that route.

Beech

> man sshd_config
>
> and see AllowUsers/DenyUsers sections.
>
> > 2) If I want to lock the user through his SSH session, not FTP session,
> > what's the way?
> > Is jail the only way? No easier way? chroot can do it? How, if yes? Or
> > what are the alternatives?
> >
> > Thank you guys for following up with me.
> >
> > Marwan
>
> Cheers,
> Mikhail.

--
Beech Rintoul - Sys. Administrator - [EMAIL PROTECTED]
/"\ ASCII Ribbon Campaign | Alaska Paradise
\ / - NO HTML/RTF in e-mail | 201 East 9Th Avenue Ste.310
 X  - NO Word docs in e-mail | Anchorage, AK 99501
/ \ - Please visit Alaska Paradise - http://www.alaskaparadise.com
Re: User Access restriction.
Marwan Sultan wrote:
> Hello,
>
> Yes, I understand that to lock up a user from navigating outside their
> home directories through
> ftp, I simply can add them to /etc/ftpchroot and when a user connects
> it won't allow him
> to go any level higher than his home directory.
> No need for proftpd as additional port, because the base system will do
> it through /etc/ftpchroot
>
> BUT!!
> The user can connect through SSH and navigate,
> Here is where my information stops,
> 2 questions,
> 1) How do I have a list of a few users to disallow them from using SSH?
> Is there anywhere I add a user to disallow him from using SSH?

man sshd_config

and see AllowUsers/DenyUsers sections.

>
> 2) If I want to lock the user through his SSH session, not FTP session,
> what's the way?
> Is jail the only way? No easier way? chroot can do it? How, if yes? Or
> what are the alternatives?
>
> Thank you guys for following up with me.
>
> Marwan

Cheers,
Mikhail.

--
Mikhail Goriachev
Webanoide

Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: [EMAIL PROTECTED]
Web: http://www.webanoide.org

PGP Key ID: 0x4E148A3B
PGP Key Fingerprint: D96B 7C14 79A5 8824 B99D 9562 F50E 2F5D 4E14 8A3B
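
The settings named in the replies above (a nologin shell, its entry in /etc/shells, /etc/ftpchroot and DenyUsers) can be checked together. This is an added example, not part of any poster's message: it audits constructed sample copies of those files, and the account names, finding labels and helper functions are assumptions.

```shell
#!/bin/sh
# Added example: all file contents below are constructed sample data.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/passwd" <<'EOF'
user1:*:1001:1001:web user:/home/group1/user1:/usr/sbin/nologin
user2:*:1002:1001:web user:/home/group1/user2:/bin/sh
user3:*:1003:1002:shell user:/home/group2/user3:/bin/tcsh
user4:*:1004:1001:web user:/home/group1/user4:/sbin/nologin
EOF
printf '%s\n' /bin/sh /bin/tcsh /usr/sbin/nologin > "$WORK/shells"
printf '%s\n' user1 user2 user4 > "$WORK/ftpchroot"
printf '%s\n' 'Port 22' 'DenyUsers user1' > "$WORK/sshd_config"

# shell_of USER: login shell (7th field) from the sample passwd file
shell_of() { awk -F: -v u="$1" '$1 == u { print $7 }' "$WORK/passwd"; }

# first_field WORD FILE: true if WORD is the first field of a non-comment line
first_field() { awk -v w="$1" '!/^#/ && $1 == w { f = 1 } END { exit !f }' "$2"; }

# ssh_denied USER: true if USER is named on a DenyUsers line.
# Simplification: exact names only, no wildcard or user@host patterns.
ssh_denied() {
    awk -v u="$1" 'tolower($1) == "denyusers" {
        for (i = 2; i <= NF; i++) if ($i == u) f = 1
    } END { exit !f }' "$WORK/sshd_config"
}

# audit USER: print "ok" or the findings for an account meant to be FTP-only
audit() {
    shell=$(shell_of "$1"); out=""
    first_field "$1" "$WORK/ftpchroot" || out="$out not-chrooted"
    # stock ftpd refuses users whose shell is missing from /etc/shells
    first_field "$shell" "$WORK/shells" || out="$out shell-not-in-etc-shells"
    case "$shell" in
        */nologin) ;;   # no interactive shell behind an SSH login
        *) ssh_denied "$1" || out="$out ssh-shell-access" ;;
    esac
    echo "${out:-ok}" | sed 's/^ //'
}

for u in user1 user2 user3 user4; do
    printf '%s: %s\n' "$u" "$(audit "$u")"
done
```

On a live system the same functions would read /etc/passwd, /etc/shells, /etc/ftpchroot and the sshd_config in use instead of the files under `$WORK`.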
Re: User Access restriction.
Hello,

Yes, I understand that to lock up a user from navigating outside their
home directories through ftp, I simply can add them to /etc/ftpchroot
and when a user connects it won't allow him
to go any level higher than his home directory.
No need for proftpd as additional port, because the base system will do
it through /etc/ftpchroot

BUT!!
The user can connect through SSH and navigate,
Here is where my information stops,
2 questions,
1) How do I have a list of a few users to disallow them from using SSH?
   Is there anywhere I add a user to disallow him from using SSH?
2) If I want to lock the user through his SSH session, not FTP session,
   what's the way?
   Is jail the only way? No easier way? chroot can do it? How, if yes? Or
   what are the alternatives?

Thank you guys for following up with me.

Marwan

> to restrict users from navigating outside their home directories through FTP
> try using an FTP server that supports chrooting. you might want to check
> proftpd. http://www.proftpd.org/ it is also included in the ports collection.
>
> hope this helps :)
>
> =
> Gil A. Virtucio
> Janitor/Kolektor/Messenger/Driver
> Asia Solution Phillippines Inc.
> 28/F Antel Global Corporate Center
> 3 Doña Julia Vargas Avenue,
> Ortigas Center, Pasig
> Office # : +63-2-687-0692 loc. 103
> Mobile # : +63-916-3989695
> http://www.gihl.eu.org/
> =
>
> - Original Message -
> From: "Marwan Sultan" <[EMAIL PROTECTED]>
> To:
> Sent: Tuesday, May 30, 2006 5:15 AM
> Subject: User Access restriction.
>
> Hello Everyone,
>
> I have a server up and running, 4.8-R (well, why 4.8? it's been up for years).
> However, this server is for commercial use; recently we started home pages
> hosting, which requires me to give the user access to the shell.
>
> Well, the question:
> Let's say I have 2 groups, Group1 and Group2.
> Under Group1 are the webpages shell accounts (user accounts), and Group2 is
> just shell users.
> If user1 from Group1 will ftp or ssh to the box, his default home path will be
> /home/group1/user1
> But he can still navigate through his FTP or ssh to see the directories and
> read files of group1 or group2, and play around a little bit.
>
> PLEASE, how to restrict this user from going outside his shell account and
> restrict him from viewing others' folders and webpages?
> If I chmod to something limited, then even when he browses the web to his
> webpage it won't work.
> So how to have the restriction and at the same time viewing his web through
> any browser worldwide?
>
> Sorry for the long email.
>
> Thank you,
> Marwan
Re: User Access restriction.
2006/5/30, GiL A. Virtucio <[EMAIL PROTECTED]>:
> to restrict users from navigating outside their home directories through FTP
> try using an FTP server that supports chrooting. you might want to check
> proftpd. http://www.proftpd.org/ it is also included in the ports collection.
>
> hope this helps :)

See also man ftpchroot for the BSD ftpd and the relative docs for your
ftp daemon.
I'm not sure if acl, extended attributes and MAC exist in 4.8, but
these are also options.

--
Димитър Василев
Dimitar Vassilev

GnuPG key ID: 0x4B8DB525
Keyserver: pgp.mit.edu
Key fingerprint: D88A 3B92 DED5 917E 341E D62F 8C51 5FC4 4B8D B525
Re: User Access restriction.
On 30 May 2006, at 03:33, GiL A. Virtucio wrote:
> to restrict users from navigating outside their home directories through FTP
> try using an FTP server that supports chrooting. you might want to check
> proftpd. http://www.proftpd.org/ it is also included in the ports collection.
>
> hope this helps :)
>
> =
> Gil A. Virtucio
> Janitor/Kolektor/Messenger/Driver
> Asia Solution Phillippines Inc.
> 28/F Antel Global Corporate Center
> 3 Doña Julia Vargas Avenue,
> Ortigas Center, Pasig
> Office # : +63-2-687-0692 loc. 103
> Mobile # : +63-916-3989695
> http://www.gihl.eu.org/
> =
>
> - Original Message -
> From: "Marwan Sultan" <[EMAIL PROTECTED]>
> To:
> Sent: Tuesday, May 30, 2006 5:15 AM
> Subject: User Access restriction.
>
> Hello Everyone,
>
> I have a server up and running, 4.8-R (well, why 4.8? it's been up for years).
> However, this server is for commercial use; recently we started home pages
> hosting, which requires me to give the user access to the shell.
>
> Well, the question:
> Let's say I have 2 groups, Group1 and Group2.
> Under Group1 are the webpages shell accounts (user accounts), and Group2 is
> just shell users.
> If user1 from Group1 will ftp or ssh to the box, his default home path will be
> /home/group1/user1
> But he can still navigate through his FTP or ssh to see the directories and
> read files of group1 or group2, and play around a little bit.
>
> PLEASE, how to restrict this user from going outside his shell account and
> restrict him from viewing others' folders and webpages?
> If I chmod to something limited, then even when he browses the web to his
> webpage it won't work.
> So how to have the restriction and at the same time viewing his web through
> any browser worldwide?
>
> Sorry for the long email.
>
> Thank you,
> Marwan

or have a look at "man ftpchroot"

Arno
Re: User Access restriction.
to restrict users from navigating outside their home directories through FTP
try using an FTP server that supports chrooting. you might want to check
proftpd. http://www.proftpd.org/ it is also included in the ports collection.

hope this helps :)

=
Gil A. Virtucio
Janitor/Kolektor/Messenger/Driver
Asia Solution Phillippines Inc.
28/F Antel Global Corporate Center
3 Doña Julia Vargas Avenue,
Ortigas Center, Pasig
Office # : +63-2-687-0692 loc. 103
Mobile # : +63-916-3989695
http://www.gihl.eu.org/
=

- Original Message -
From: "Marwan Sultan" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, May 30, 2006 5:15 AM
Subject: User Access restriction.

> Hello Everyone,
>
> I have a server up and running, 4.8-R (well, why 4.8? it's been up for years).
> However, this server is for commercial use; recently we started home pages
> hosting, which requires me to give the user access to the shell.
>
> Well, the question:
> Let's say I have 2 groups, Group1 and Group2.
> Under Group1 are the webpages shell accounts (user accounts), and Group2 is
> just shell users.
> If user1 from Group1 will ftp or ssh to the box, his default home path will be
> /home/group1/user1
> But he can still navigate through his FTP or ssh to see the directories and
> read files of group1 or group2, and play around a little bit.
>
> PLEASE, how to restrict this user from going outside his shell account and
> restrict him from viewing others' folders and webpages?
> If I chmod to something limited, then even when he browses the web to his
> webpage it won't work.
> So how to have the restriction and at the same time viewing his web through
> any browser worldwide?
>
> Sorry for the long email.
>
> Thank you,
> Marwan
User Access restriction.
Hello Everyone,

I have a server up and running, 4.8-R (well, why 4.8? it's been up for years).
However, this server is for commercial use; recently we started home pages
hosting, which requires me to give the user access to the shell.

Well, the question:
Let's say I have 2 groups, Group1 and Group2.
Under Group1 are the webpages shell accounts (user accounts), and Group2 is
just shell users.
If user1 from Group1 will ftp or ssh to the box, his default home path will be
/home/group1/user1
But he can still navigate through his FTP or ssh to see the directories and
read files of group1 or group2, and play around a little bit.

PLEASE, how to restrict this user from going outside his shell account and
restrict him from viewing others' folders and webpages?
If I chmod to something limited, then even when he browses the web to his
webpage it won't work.
So how to have the restriction and at the same time viewing his web through
any browser worldwide?

Sorry for the long email.

Thank you,
Marwan