Hello,
Is it possible to create an account that is limited to a protocol? For example, create an account just for SSH only and with this account nobody can log in to the system or use it for FTP and...
Thank you.
Limit an account to protocol.
Re: Limit an account to protocol.
For that you would have to configure each of the servers (ssh, ftp, etc.) so as to allow/deny specific groups or users.

hack3rcon wrote:
> Hello,
> Is it possible to create an account that is limited to a protocol? For example, create an account just for SSH only and with this account nobody can log in to the system or use it for FTP and...
> Thank you.
I don't think there's a way of setting that up for every service globally.
-> which sort of makes sense, as the concept of a "user" only has a meaning to each particular service (think http where no login takes place, normally).
In the past you could use tcpwrappers to limit HOSTS (not users), but this also required support from each service (server, daemon) you were running. The trend is now to have each server handle user authentication/permissions on its own, as well as using a firewall for IP/HOST-based access rules.
As for logging in to the system, you can lock an account (i.e. prevent from logging in to a console) using "passwd -l <username>".
Re: Limit an account to protocol.
Thank you for your answer.

reinob wrote:
> For that you would have to configure each of the servers (ssh, ftp, etc.) so as to allow/deny specific groups or users.
>
> hack3rcon wrote:
> > Hello,
> > Is it possible to create an account that is limited to a protocol? For example, create an account just for SSH only and with this account nobody can log in to the system or use it for FTP and...
> > Thank you.
>
> I don't think there's a way of setting that up for every service globally.
> -> which sort of makes sense, as the concept of a "user" only has a meaning to each particular service (think http where no login takes place, normally).
> In the past you could use tcpwrappers to limit HOSTS (not users), but this also required support from each service (server, daemon) you were running. The trend is now to have each server handle user authentication/permissions on its own, as well as using a firewall for IP/HOST-based access rules.
> As for logging in to the system, you can lock an account (i.e. prevent from logging in to a console) using "passwd -l <username>".
Excuse me if my question was vague.
What I meant was: I limit "user1" to just FTP access and this user can't log in to the system or SSH. "user2" can connect to SSH but can't use FTP.
Re: Limit an account to protocol.
https://wiki.archlinux.org/index.php/PAM should be able to provide the level of authentication restriction you are after. But you would have to write up the policies to meet your use case.
Re: Limit an account to protocol.
Note that this would still require that the servers actually support PAM, e.g. for SSH it is optional. For e-mail (e.g. postfix and/or dovecot) it would require local users and PAM support, i.e. no virtual users, etc.

sickpig wrote:
> https://wiki.archlinux.org/index.php/PAM should be able to provide the level of authentication restriction you are after. But you would have to write up the policies to meet your use case.
So in the end you have to configure this (if at all possible) for each individual service.
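As an added example (not code from the thread or from any of the posters), here is what the per-service PAM policy suggested above looks like in practice for the two-user case in the question: "user1" may use FTP only, "user2" may use SSH only. It uses pam_listfile.so with one allow-list per PAM service and stages everything under a scratch directory instead of /etc, so it can be run and inspected without root; the service names sshd/vsftpd, both user names and the Debian-style /etc/pam.d layout with "@include common-auth" are assumptions. For the fragments to take effect, sshd needs "UsePAM yes" in sshd_config and vsftpd needs "pam_service_name=vsftpd" in vsftpd.conf. Note also that "passwd -l" only locks the password: an account that has an SSH key installed still authenticates, which is why the fragment restricts the account stack as well as the auth stack.

```shell
#!/bin/sh
# Added example, not from the thread: stage the pam_listfile.so policy that
# gives "user1" FTP-only and "user2" SSH-only access. Files are written under
# $STAGE (default: /tmp/pam-stage), never under /etc, so the script runs
# without root. The service names sshd/vsftpd and both user names are
# constructed for the example; a Debian-style /etc/pam.d layout is assumed.
set -eu

STAGE="${STAGE:-${TMPDIR:-/tmp}/pam-stage}"

# write_allowlist SERVICE USER...
# One allow-list per service in the format pam_listfile.so reads: one user
# name per line. Kept readable by root only so the list cannot be edited by
# the very users it restricts.
write_allowlist() {
    svc=$1; shift
    mkdir -p "$STAGE/etc/security"
    printf '%s\n' "$@" > "$STAGE/etc/security/$svc.allow"
    chmod 0600 "$STAGE/etc/security/$svc.allow"
}

# write_pam_fragment SERVICE
# The two lines to put at the top of /etc/pam.d/SERVICE, above the
# "@include common-auth" line. The "account" line matters for sshd: with
# public-key authentication the auth stack is skipped, but sshd (UsePAM yes)
# still runs the account stack, so a key-only login is refused as well.
# onerr=fail makes a missing or unreadable list deny everyone (fail closed).
write_pam_fragment() {
    svc=$1
    mkdir -p "$STAGE/etc/pam.d"
    cat > "$STAGE/etc/pam.d/$svc.fragment" <<EOF
# Only users listed in /etc/security/$svc.allow may use $svc.
auth    required  pam_listfile.so onerr=fail item=user sense=allow file=/etc/security/$svc.allow
account required  pam_listfile.so onerr=fail item=user sense=allow file=/etc/security/$svc.allow
EOF
}

# check_access SERVICE USER
# Reproduces the pam_listfile decision against the staged list for review:
# returns 0 when USER would be allowed to use SERVICE, 1 otherwise.
check_access() {
    list="$STAGE/etc/security/$1.allow"
    [ -r "$list" ] || return 1          # onerr=fail: no list, no access
    grep -qxF -- "$2" "$list"
}

build_policy() {
    write_allowlist sshd   user2       # user2: SSH only
    write_allowlist vsftpd user1       # user1: FTP only
    write_pam_fragment sshd
    write_pam_fragment vsftpd
}

build_policy
for svc in sshd vsftpd; do
    for user in user1 user2; do
        if check_access "$svc" "$user"; then
            echo "$svc: $user allowed"
        else
            echo "$svc: $user denied"
        fi
    done
done
```

Running it prints the decision matrix (sshd allows user2 only, vsftpd allows user1 only) and leaves the fragments under $STAGE/etc/pam.d for review before anything is copied into /etc. A service that has no allow-list at all (for example an IMAP daemon that was never configured) is denied outright by the onerr=fail setting, which is the safe default when the intent is an allow-list.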
Re: Limit an account to protocol.
I thought all had PAM baked in. Even hardcore Slackware has now included PAM modules.

reinob wrote:
> Note that this would still require that the servers actually support PAM

If I had to implement what the OP intends to achieve I would also look into limiting the scope of a service by restrictively defining its parent .slice unit and also see if PolicyKit can help.