Thanks for the response.
Blue Lang wrote:
> On Wed, 21 Mar 2001, Kelly Corbin wrote:
>
>> Is it possible to do authentication by some other means other than
>> /etc/passwd or system login? I know this sounds weird, but I want to
>> allow various logins in ssh, but not give them regular system access.
>
> yes. you can use host-based or key-based authentication. i've never heard
> of anyone using a different password file or NCSA or anything like that
> without hackage.

That's exactly what I'm talking about; using a different password file
or some other externally controlled mechanism such as a database, etc.

>> SSH2 makes it possible to run FTP over SSH for secure FTP connections,
>> but now that that security hole has been eliminated (clear text
>> passwords) in my system I want to make it even more secure. ProFTPD
>
> if you're talking about sftp, then, no, it doesn't. i assume you're
> actually talking about tunnelled ftp?

Yes, tunneled ftp.

>> This way I could chroot a user to a particular directory in FTP, but
>> they wouldn't have a normal system login so they couldn't ssh in like a
>> normal system user.
>
> you can chroot users w/ssh. check the included docs.

Chroot is not enough. I don't even want them to have a shell; too many
opportunities for exploits. FTP access to the system only (even then,
many FTP servers are riddled with latent security issues). Regular
system users can shell in OK, I don't care about them. I want to
severely restrict all other users. Specifically, I want my web users to
be able to update their sites, but not have any other access to the system.
--
--------------------------------------------
-- Kelly Corbin
-- Systems Administrator
--
-- http://www.theiqgroup.com
--
-- The IQ Group, Inc.
-- 6740 Antioch Suite 110
-- Merriam, KS 66204
-- (913)-722-6700
-- Fax (913)722-7264
--------------------------------------------