Debian User Forums

[hack3rcon]

Hello,
Is it possible to create an account that limited to protocol? For example, create an account just for SSH only and with this account nobody can logging to the system or use it for FTP and...

Thank you.

[reinob]

Hello,
Is it possible to create an account that limited to protocol? For example, create an account just for SSH only and with this account nobody can logging to the system or use it for FTP and...

Thank you.

For that you would have to configure each of the servers (ssh, ftp, etc.) so as to allow/deny specific groups or users.
I don't think there's a way of setting that up for every service globally.

-> which sort of make sense, as the concept of a "user" only has a meaning to each particular service (think http where no login takes place, normally).

In the past you could use tcpwrappers to limit HOSTS (not users), but this also required support from each service (server, daemon) you were running. The trend is now to have each server handle user authentication/permissions on its own, as well as using a firewall for IP/HOST-based access rules.

As for logging in into the system, you can lock an account (i.e. prevent from logging in to a console) using "passwd -l <username>".

[hack3rcon]

Hello,
Is it possible to create an account that limited to protocol? For example, create an account just for SSH only and with this account nobody can logging to the system or use it for FTP and...

Thank you.

For that you would have to configure each of the servers (ssh, ftp, etc.) so as to allow/deny specific groups or users.
I don't think there's a way of setting that up for every service globally.

-> which sort of make sense, as the concept of a "user" only has a meaning to each particular service (think http where no login takes place, normally).

In the past you could use tcpwrappers to limit HOSTS (not users), but this also required support from each service (server, daemon) you were running. The trend is now to have each server handle user authentication/permissions on its own, as well as using a firewall for IP/HOST-based access rules.

As for logging in into the system, you can lock an account (i.e. prevent from logging in to a console) using "passwd -l <username>".

Thank you for your answer.
Excuse me if my question was vague.
I meant was, I limit "user1" to just FTP access and this user can't logging to the system or SSH. "user2" can connect to SSH but can't use FTP.

[sickpig]

https://wiki.archlinux.org/index.php/PAM should be able to provide the level of authentication restriction you are after. But you would have to write up the policies to meet your use case.

[reinob]

https://wiki.archlinux.org/index.php/PAM should be able to provide the level of authentication restriction you are after. But you would have to write up the policies to meet your use case.

Note that this would still require that the servers actually support PAM, e.g. for SSH it is optional. For e-mail (e.g. postfix and/or dovecot) it would require local users and PAM support, i.e. no virtual users, etc.

So in the end you have to configure this (if at all possible) for each individual service.

[sickpig]

Note that this would still require that the servers actually support PAM

I thought all had PAM baked in. Even hardcore slackware has now included PAM modules.
If I had to implement what the OP intends to achieve I would also look into limiting scope of a service by restrictively defining its parent .slice unit and also see if policykit can help.