Limit an account to protocol.


Postby hack3rcon » 2020-09-04 17:03

Hello,
Is it possible to create an account that is limited to a protocol? For example, create an account just for SSH only, and with this account nobody can log in to the system or use it for FTP and...

Thank you.
hack3rcon
 
Posts: 424
Joined: 2015-02-16 09:54

Re: Limit an account to protocol.

Postby reinob » 2020-09-04 22:15

hack3rcon wrote:Hello,
Is it possible to create an account that is limited to a protocol? For example, create an account just for SSH only, and with this account nobody can log in to the system or use it for FTP and...

Thank you.


For that you would have to configure each of the servers (ssh, ftp, etc.) so as to allow/deny specific groups or users.
I don't think there's a way of setting that up for every service globally.

-> which sort of makes sense, as the concept of a "user" only has a meaning to each particular service (think HTTP, where normally no login takes place).

In the past you could use tcpwrappers to limit HOSTS (not users), but this also required support from each service (server, daemon) you were running. The trend is now to have each server handle user authentication/permissions on its own, as well as using a firewall for IP/HOST-based access rules.

As for logging in to the system, you can lock an account (i.e. prevent it from logging in to a console) using "passwd -l <username>".
reinob
 
Posts: 815
Joined: 2014-06-30 11:42

Re: Limit an account to protocol.

Postby hack3rcon » 2020-09-05 08:59

reinob wrote:
hack3rcon wrote:Hello,
Is it possible to create an account that is limited to a protocol? For example, create an account just for SSH only, and with this account nobody can log in to the system or use it for FTP and...

Thank you.


For that you would have to configure each of the servers (ssh, ftp, etc.) so as to allow/deny specific groups or users.
I don't think there's a way of setting that up for every service globally.

-> which sort of makes sense, as the concept of a "user" only has a meaning to each particular service (think HTTP, where normally no login takes place).

In the past you could use tcpwrappers to limit HOSTS (not users), but this also required support from each service (server, daemon) you were running. The trend is now to have each server handle user authentication/permissions on its own, as well as using a firewall for IP/HOST-based access rules.

As for logging in to the system, you can lock an account (i.e. prevent it from logging in to a console) using "passwd -l <username>".


Thank you for your answer.
Excuse me if my question was vague.
What I meant was: I limit "user1" to just FTP access, and this user can't log in to the system or SSH. "user2" can connect to SSH but can't use FTP.
hack3rcon
 
Posts: 424
Joined: 2015-02-16 09:54

Re: Limit an account to protocol.

Postby sickpig » 2020-09-05 09:37

https://wiki.archlinux.org/index.php/PAM should be able to provide the level of authentication restriction you are after. But you would have to write up the policies to meet your use case.
sickpig
 
Posts: 484
Joined: 2019-01-23 10:34

Re: Limit an account to protocol.

Postby reinob » 2020-09-05 10:37

sickpig wrote:https://wiki.archlinux.org/index.php/PAM should be able to provide the level of authentication restriction you are after. But you would have to write up the policies to meet your use case.


Note that this would still require that the servers actually support PAM, e.g. for SSH it is optional. For e-mail (e.g. postfix and/or dovecot) it would require local users and PAM support, i.e. no virtual users, etc.

So in the end you have to configure this (if at all possible) for each individual service.
reinob
 
Posts: 815
Joined: 2014-06-30 11:42

Re: Limit an account to protocol.

Postby sickpig » 2020-09-05 11:04

reinob wrote:Note that this would still require that the servers actually support PAM
I thought all had PAM baked in. Even hardcore Slackware has now included PAM modules.
If I had to implement what the OP intends to achieve, I would also look into limiting the scope of a service by restrictively defining its parent .slice unit, and also see if PolicyKit can help.
sickpig
 
Posts: 484
Joined: 2019-01-23 10:34
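As an added illustration of the per-service approach reinob describes and the PAM policies sickpig points to (example configuration, not from any post in this thread): user1 gets FTP only, user2 gets SSH only, enforced both by each daemon's own allow-list and by a matching rule in its PAM stack. The group names, file paths and user names are assumptions.

```conf
# Assumed layout (constructed for this example):
#   ssh-users  -> supplementary group allowed to log in over SSH
#   ftp-users  -> supplementary group allowed to log in over FTP
# user1 is only in ftp-users, user2 is only in ssh-users.
# Both accounts get a non-interactive shell so that neither can reach a
# console; sshd still accepts user2 because that decision is made by the
# service (sshd_config + pam.d/sshd), not by the account itself.
#   useradd -m -s /usr/sbin/nologin -G ftp-users user1
#   useradd -m -s /usr/sbin/nologin -G ssh-users user2
# Note: with nologin as the shell, user2 can authenticate but only
# port-forward or run ForceCommand-style tooling; give user2 a real
# shell instead if an interactive SSH session is the goal.

# ---- /etc/ssh/sshd_config (sshd enforces this itself) ----
# Matches primary or supplementary group membership.
AllowGroups ssh-users
# Keep PAM enabled so the pam.d/sshd rule below is also consulted.
UsePAM yes

# ---- /etc/pam.d/sshd (same decision again at the PAM layer) ----
# Place this before the "@include common-auth" line. If sshd_config is
# later loosened by mistake, a user outside ssh-users still fails here.
auth    requisite   pam_succeed_if.so quiet user ingroup ssh-users

# ---- /etc/vsftpd.conf (vsftpd has a built-in allow-list as well) ----
local_enable=YES
pam_service_name=vsftpd
userlist_enable=YES
# userlist_deny=NO turns the file into an allow-list, not a deny-list.
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list     # contains the single line: user1

# ---- /etc/pam.d/vsftpd ----
# Caveat: distribution PAM files for vsftpd often include pam_shells.so,
# which rejects any user whose shell is not listed in /etc/shells. Either
# drop that line or add /usr/sbin/nologin to /etc/shells, otherwise user1
# (nologin shell) is refused before this rule is even reached.
auth    requisite   pam_succeed_if.so quiet user ingroup ftp-users
```

Check the result from the daemons' side rather than trusting the files: an SSH attempt as user1 should be refused with a group mismatch logged by sshd, and an FTP login as user2 should fail at the userlist check before the password is ever sent.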

