The easiest way of doing this is to set the user's shell option in the file /etc/passwd to a shell which is listed in the file /etc/shells but which does not correspond to an actual Linux/Unix shell, such as /sbin/nologin.
These changes will not affect a user if he/she is currently logged in.
You will not be able to su to any account to which you have applied these settings!
You will not be able to transfer files using SCP using any account to which you have applied these settings!
A typical entry for a user's account in a modern Linux/Unix /etc/passwd file reads as shown in the line below. The part indicating the shell is highlighted.
A typical /etc/shells file may have the following lines:
/bin/sh
/bin/bash
/sbin/nologin
/bin/ksh
/usr/bin/ksh
/usr/bin/pdksh
/bin/tcsh
/bin/csh
Setting the shell to anything other than /sbin/nologin will allow the user SSH access (and Telnet access as well, but you shouldn't have Telnet access enabled for anyone anyway!)
There may be some FTP daemons which will deny access if they see that a user's shell is set to /sbin/nologin. In such a situation, you can add a "fake" shell to the end of /etc/shells, such as /bin/true (or a path to any other file which doesn't exist), and then set the user's shell in /etc/passwd to the "fake" shell value.
This approach worked with a server running Red Hat Enterprise Linux 4 along with its stock installation of vsftpd. You may have to alter this process if you are using a different setup.
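As an added audit helper (not part of the original page), the script below checks a set of accounts the way the procedure above describes: it reads each user's shell from passwd-style lines, tests it against an /etc/shells list, and reports whether SSH login and FTP login would be accepted. The passwd lines, the /etc/shells contents and the user names are constructed here so the script runs offline; the FTP rule models the daemons described above (shell must be in /etc/shells and must not be /sbin/nologin), which is an assumption about the daemon, not a universal rule.

```shell
#!/bin/sh
# Constructed /etc/shells contents: the page's list plus the "fake" entries
# /bin/true and /bin/doesnotexist appended as the procedure suggests.
SHELLS_LIST='/bin/sh
/bin/bash
/sbin/nologin
/bin/ksh
/bin/tcsh
/bin/csh
/bin/true
/bin/doesnotexist'

# Constructed /etc/passwd lines for four hypothetical accounts.
PASSWD_LINES='alice:x:1001:1001:Alice:/home/alice:/bin/sh
ftpbob:x:1002:1002:Bob nologin:/home/ftpbob:/sbin/nologin
carol:x:1003:1003:Carol fake shell:/home/carol:/bin/true
dave:x:1004:1004:Dave missing shell:/home/dave:/bin/doesnotexist'

# shell_for USER -> prints the 7th (shell) field of that user's passwd line
shell_for() {
    printf '%s\n' "$PASSWD_LINES" | awk -F: -v u="$1" '$1 == u { print $7 }'
}

# in_shells SHELL -> exit status 0 if SHELL is listed in /etc/shells
in_shells() {
    printf '%s\n' "$SHELLS_LIST" | grep -qx "$1"
}

# ssh_status USER -> "allowed" if sshd could start a real shell, else "denied".
# Known no-login shells are denied outright; anything else must exist and be
# executable on this system (a nonexistent path cannot be exec'd).
ssh_status() {
    s=$(shell_for "$1")
    case "$s" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/bin/true) echo denied; return ;;
    esac
    if [ -x "$s" ]; then echo allowed; else echo denied; fi
}

# ftp_status USER -> "allowed" if the modelled FTP daemon accepts the shell:
# it must be listed in /etc/shells and must not be /sbin/nologin.
ftp_status() {
    s=$(shell_for "$1")
    if [ "$s" != /sbin/nologin ] && in_shells "$s"; then echo allowed; else echo denied; fi
}

for u in alice ftpbob carol dave; do
    printf '%-7s %-18s ssh=%-8s ftp=%s\n' "$u" "$(shell_for "$u")" "$(ssh_status "$u")" "$(ftp_status "$u")"
done
```

Only carol and dave end up in the state the page is after: SSH denied while the FTP daemon still accepts the account.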
philatfacebook@gmail.com