Security: Blocking users from the system

(last edit: 2000-11-22)

Why would you create a user account if you are going to block it from the system? Because some services need the account without needing a full login: for example, if you use Samba, you may want a user who can only use Samba shares, or only ftp, or only ssh, and nothing else.

Blocking a user entirely

Change the user's entry in the password file (read below how to do this) from:

    jappe:[encrypted password]:1000:50::0:0:jappe reuling:/home/jappe:/usr/local/bin/zsh

into:

    jappe:[encrypted password]:1000:50::0:0:jappe reuling:/nonexistent:/sbin/nologin

You have now set jappe's home directory to '/nonexistent' and his shell to 'nologin'. The effect is that the user can no longer log in to the server via telnet, ftp, ssh, rlogin or login: basically every daemon that requires a home directory or a login shell. The only exception I can think of right now is Samba: the user will still be able to use Samba and its shares. The same holds for any other service that checks the password but never runs the login shell, so if the account must be unusable everywhere, invalidate the password as well (for example by replacing the encrypted password with a '*').

Edit users with 'vipw'. What it actually does is open the password file in a special way in a vi session; on BSD that file is '/etc/master.passwd', which is why the encrypted password is shown instead of the '*' you see in '/etc/passwd'. When you close the session, 'vipw' does all the appropriate work, such as updating the password database. You must be root to run this command.

man vipw:

    Vipw edits the password file after setting the appropriate locks, and does any necessary processing after the password file is unlocked. If the password file is already locked for editing by another user, vipw will ask you to try again later. The default editor for vipw is vi(1).

Just blocking login access

If you want the user not to be able to log in at the console or via telnet/rlogin, but still to be able to use ssh and ftp, put the user in the '/etc/login.access' file. E.g. to block the user 'jappe':

    root@host:/etc# cat login.access
    -:jappe:ALL

This says that login is refused (the '-' symbol) for the user 'jappe' from 'ALL' origins. jappe can no longer log in with the normal programs like telnet, login and rlogin, but he can still connect to other daemons such as 'sshd' and 'ftpd'. Be careful with 'ALL' in the users field: a line like '-:ALL:ALL' refuses everyone, root included, so test a new rule from a second session before you log out.

man login.access:

    login.access - login access control table
    [...]
    The login.access file specifies (user, host) combinations and/or (user, tty) combinations for which a login will be either accepted or refused.
    [...]
    Each line of the login access control table has three fields separated by a ":" character:

        permission : users : origins

    The first field should be a "+" (access granted) or "-" (access denied) character. The second field should be a list of one or more login names, group names, or ALL (always matches). The third field should be a list of one or more tty names (for non-networked logins), host names, domain names (begin with "."), host addresses, internet network numbers (end with "."), ALL (always matches) or LOCAL (matches any string that does not contain a "." character).
    [...]

Blocking users from sshd

Edit the 'sshd_config' file if you want to deny access via ssh. This file usually lives in '/usr/local/etc' (OpenSSH installed from ports) or in '/etc/ssh'. Add the line:

    DenyUsers [username(s)]

Then send sshd a SIGHUP so it rereads its configuration; sessions that are already open are not terminated by this.

man sshd:

    [...]
    DenyUsers
        This keyword can be followed by any number of user name patterns or user@host patterns, separated by spaces. Host name may be either the dns name or the ip address. If specified, login is disallowed as users whose name matches any of the patterns.

    AllowUsers
        This keyword can be followed by any number of user name patterns or user@host patterns, separated by spaces. Host name may be either the dns name or the ip address. If specified, login is allowed only as users whose name matches one of the patterns. '*' and '?' can be used as wildcards in the patterns. By default, logins as all users are allowed.

Blocking ftp access

This works for the default 'ftpd' daemon. Edit the file '/etc/ftpusers'; you will see that the user 'root' is already listed. Add the user you wish to deny ftp access to this file, one login name per line, and you are finished.
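The four mechanisms above each live in a different file, so it is easy to lose track of which ones actually apply to a given account. The following POSIX shell script is an added example (not part of the original page) that audits a user against copies of those files: the shell field of the password file, the first matching login.access rule, DenyUsers/AllowUsers in sshd_config (including the '*' and '?' wildcards) and the ftpusers list. It runs on constructed sample files (the users piet, kees and tmp42 and their settings are made up for the demo) written to a temporary directory; to audit a real host, point the functions at /etc/master.passwd (or /etc/passwd), /etc/login.access, the sshd_config and /etc/ftpusers instead. Simplifications, stated as assumptions: only the ALL origin of login.access is evaluated (tty and host origins are not matched), group names in the users field are not expanded, and for user@host patterns only the user part is compared.

```shell
#!/bin/sh
# Added example: report which blocking mechanism applies to a user.
# Each function prints "blocked" or "allowed" (shell_blocks may print "nouser").

# 1. Password file: the last field is the shell in both /etc/passwd (7 fields)
#    and BSD /etc/master.passwd (10 fields).
shell_blocks() {   # shell_blocks USER PASSWDFILE
    awk -F: -v u="$1" '
        $1 == u { found = 1; r = ($NF ~ /(nologin|false)$/) ? "blocked" : "allowed"; print r }
        END     { if (!found) print "nouser" }' "$2"
}

# 2. login.access: the first matching permission:users:origins line wins.
login_access_blocks() {   # login_access_blocks USER LOGIN_ACCESS_FILE
    awk -F: -v u="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            gsub(/[ \t]/, "")                  # strip blanks; $0 is re-split on ":"
            hit = 0
            n = split($2, users, ",")
            for (i = 1; i <= n; i++) if (users[i] == u || users[i] == "ALL") hit = 1
            # Assumption: only the ALL origin is modelled (no tty/host matching).
            if (hit && $3 ~ /(^|,)ALL(,|$)/) {
                done = 1; r = (substr($1, 1, 1) == "-") ? "blocked" : "allowed"; print r; exit
            }
        }
        END { if (!done) print "allowed" }' "$2"
}

# 3. sshd_config: a DenyUsers match refuses; if AllowUsers exists the user must match it.
sshd_denies() {   # sshd_denies USER SSHD_CONFIG
    awk -v u="$1" '
        function glob2re(g,   r) {
            r = g
            gsub(/[][\\.+^$(){}|]/, "\\\\&", r)   # escape regex metacharacters
            gsub(/\*/, ".*", r)                    # sshd wildcard * -> .*
            gsub(/\?/, ".", r)                     # sshd wildcard ? -> .
            return "^" r "$"
        }
        function matches(list,   n, i, p, pat) {
            n = split(list, p, " ")
            for (i = 1; i <= n; i++) {
                pat = p[i]
                sub(/@.*$/, "", pat)               # user@host: compare the user part only
                if (pat != "" && u ~ glob2re(pat)) return 1
            }
            return 0
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "denyusers"  { $1 = ""; if (matches($0)) deny = 1 }
        tolower($1) == "allowusers" { $1 = ""; haveallow = 1; if (matches($0)) allow = 1 }
        END {
            if (deny) print "blocked"
            else if (haveallow && !allow) print "blocked"
            else print "allowed"
        }' "$2"
}

# 4. ftpusers: one login name per line; a listed user is refused by ftpd.
ftpd_denies() {   # ftpd_denies USER FTPUSERS_FILE
    awk -v u="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == u { found = 1 }
        END     { r = found ? "blocked" : "allowed"; print r }' "$2"
}

# Constructed sample files (not copied from a real host) so the script runs offline.
make_samples() {   # make_samples DIR
    cat > "$1/master.passwd" <<'EOF'
root:*:0:0::0:0:Charlie &:/root:/bin/sh
jappe:*:1000:50::0:0:jappe reuling:/nonexistent:/sbin/nologin
piet:*:1001:50::0:0:piet:/home/piet:/usr/local/bin/zsh
kees:*:1002:50::0:0:kees:/home/kees:/usr/local/bin/zsh
EOF
    printf '# piet may not log in at the console or via telnet/rlogin\n-:piet:ALL\n' > "$1/login.access"
    printf '# kees and anything starting with tmp are refused by sshd\nDenyUsers kees tmp*\n' > "$1/sshd_config"
    printf 'root\npiet\n' > "$1/ftpusers"
}

audit_user() {   # audit_user USER DIR -> one line summarising all four checks
    printf 'shell=%s login.access=%s sshd=%s ftpd=%s\n' \
        "$(shell_blocks "$1" "$2/master.passwd")" \
        "$(login_access_blocks "$1" "$2/login.access")" \
        "$(sshd_denies "$1" "$2/sshd_config")" \
        "$(ftpd_denies "$1" "$2/ftpusers")"
}

dir=$(mktemp -d)
make_samples "$dir"
for u in jappe piet kees tmp42; do
    printf '%-6s %s\n' "$u" "$(audit_user "$u" "$dir")"
done
rm -rf "$dir"
```

Running it prints one line per sample user; jappe, for instance, is blocked by his nologin shell and nowhere else, while tmp42 has no account at all but would still be refused by sshd because of the 'tmp*' pattern. Remember that the password-file check only reports the shell: a user with a normal shell and a valid password remains reachable through any service that does not run that shell.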
