no home no shell accounts

David Walker-16
Hi.

I have some accounts that don't require home directories or shells.
In the past I used ftpd for web uploading and would do the
shell==false thing and chroot them and set the login directory via the
passwd file.
Bye bye ftpd, hello sshd.

So I'm looking at this again, using the sshd's internal sftp and
chroot directives on a per user basis. For now I'm looking at using
password authentication.
Here's the nervous administrator talking but is this correct ...

If these users connect via ssh, sshd will authenticate them via their
password entry and once that's achieved, the "home" directory will be
according to sshd_config and the "shell" will be whatever interface
sftp provides.
In other words, for that purpose the home and shell directives in
master.passwd will never come into play.

If that is correct, should I care about what the entries are in master.passwd?
Is blank okay?
Presumably I could set up shell==false but is a blank entry as good here?
I notice that there are a couple of items in master.passwd that seem
to fit the bill for this - UID 32767 ("nobody") has directory set to
/nonexistent and it and many others have shell set to /sbin/nologin
...

I think I get the purpose of nologin and it can be used to disable
accounts as needed.
If users are connecting via sshd for sftp purposes only will setting
/sbin/nologin or any other shell affect them at all?

Is nonexistent a key word? I've been stumbling through source but I'm
very out of my depth. Is it merely a good English word that points to
any non-existent directory?

A hundred other questions ...

TIA

Best wishes.

Re: no home no shell accounts

Stefan Johnson-2
On Tue, Sep 27, 2011 at 10:43 AM, David Walker <[hidden email]> wrote:

> Hi.
>
> I have some accounts that don't require home directories or shells.
> In the past I used ftpd for web uploading and would do the
> shell==false thing and chroot them and set the login directory via the
> passwd file.
> Bye bye ftpd, hello sshd.
>

Using false for your shell is okay for ftp.  It is not for ssh/sftp.


>
> So I'm looking at this again, using the sshd's internal sftp and
> chroot directives on a per user basis. For now I'm looking at using
> password authentication.
> Here's the nervous administrator talking but is this correct ...
>
> If these users connect via ssh, sshd will authenticate them via their
> password entry and once that's achieved, the "home" directory will be
> according to sshd_config and the "shell" will be whatever interface
> sftp provides.
> In other words, for that purpose the home and shell directives in
> master.passwd will never come into play.
>
 Match User sftpuser
       X11Forwarding no
       AllowTcpForwarding no
       ForceCommand internal-sftp

The user has to have a valid shell (ksh works) even if the match directive
is used to process the user to sftp only.  The user should have a valid
shell, and the sshd_config should use the match directive as follows:

> If that is correct, should I care about what the entries are in
> master.passwd?
> Is blank okay?
> Presumably I could set up shell==false but is a blank entry as good here?
> I notice that there are a couple of items in master.passwd that seem
> to fit the bill for this - UID 32767 ("nobody") has directory set to
> /nonexistent and it and many others have shell set to /sbin/nologin
> ...
>
> I think I get the purpose of nologin and it can be used to disable
> accounts as needed.
> If users are connecting via sshd for sftp purposes only will setting
> /sbin/nologin or any other shell affect them at all?
>
> Is nonexistent a key word? I've been stumbling through source but I'm
> very out of my depth. Is it merely a good english word that points to
> any non-existent directory?
>
> A hundred other questions ...
>
> TIA
>
> Best wishes.

Re: no home no shell accounts

Stefan Johnson-2
In reply to this post by David Walker-16
Please disregard my last... gmail sent the email before I was finished
composing it.

On Tue, Sep 27, 2011 at 10:43 AM, David Walker <[hidden email]> wrote:

> Hi.
>
> I have some accounts that don't require home directories or shells.
> In the past I used ftpd for web uploading and would do the
> shell==false thing and chroot them and set the login directory via the
> passwd file.
> Bye bye ftpd, hello sshd.
>

Using false for your shell is okay for ftp.  It is not for ssh/sftp.


>
> So I'm looking at this again, using the sshd's internal sftp and
> chroot directives on a per user basis. For now I'm looking at using
> password authentication.
> Here's the nervous administrator talking but is this correct ...
>
> If these users connect via ssh, sshd will authenticate them via their
> password entry and once that's achieved, the "home" directory will be
> according to sshd_config and the "shell" will be whatever interface
> sftp provides.
> In other words, for that purpose the home and shell directives in
> master.passwd will never come into play.
>

The user has to have a valid shell (ksh works) even if the match directive
is used to process the user to sftp only.  The user should have a valid
shell, and the sshd_config should use the match directive as follows:

 Match User sftpuser
       X11Forwarding no
       AllowTcpForwarding no
       ForceCommand internal-sftp
       ChrootDirectory /home/sftpuser

Where the user is named sftpuser and the home directory for the user is
/home/sftpuser.

Hope this helped.

Stefan Johnson

Re: no home no shell accounts

David Walker-16
Hi Stefan.

On 28/09/2011, Stefan Johnson <[hidden email]> wrote:
> Please disregard my last... gmail sent the email before I was finished
> composing it.

I figured as much.

> Using false for your shell is okay for ftp.  It is not for ssh/sftp.

I kind of expect that SSH (the shell) either passes commands directly
to the sftp-server or the sftp-server is enough of a shell to take
over (in the same way that ftpd has enough vocabulary) ...
In that sense it wouldn't seem useful to have another shell in play.

I'm not saying you're wrong but unless I get something definitive
(e.g. a man page) I'll test it anyway.

>  Match User sftpuser
>        X11Forwarding no
>        AllowTcpForwarding no
>        ForceCommand internal-sftp
>        ChrootDirectory /home/sftpuser
>
> Where the user is named sftpuser and the home directory for the user is
> /home/sftpuser.

Yeah I got that bit worked out and I've got the forwarding commands globally.

> Hope this helped.
>
> Stefan Johnson

Absolutely.

Best wishes.

Re: no home no shell accounts

Stefan Johnson-2
On Wed, Sep 28, 2011 at 7:10 AM, David Walker <[hidden email]> wrote:

> Hi Stefan.
>
> On 28/09/2011, Stefan Johnson <[hidden email]> wrote:
> > Please disregard my last... gmail sent the email before I was finished
> > composing it.
>
> I figured as much.
>
> > Using false for your shell is okay for ftp.  It is not for ssh/sftp.
>
> I kind of expect that SSH (the shell) either passes commands directly
> to the sftp-server or the sftp-server is enough of a shell to take
> over (in the same way that ftpd has enough vocabulary) ...
> In that sense it wouldn't seem useful to have another shell in play.
>

SSH isn't a shell.  It is a protocol.  In much the same sense as FTP is not
a shell but a protocol.  FTP is designed with file transfers in mind, and
therefore handles file I/O without the need of a shell process to set up an
environment, etc.  SSH (and by extension, SFTP) need a valid shell to do
that for you.  I've seen an implementation of SSH that allows for /bin/false
for sftp, but unless something changed and I missed it, OpenSSH does not.



>
> I'm not saying you're wrong but unless I get something definitive
> (e.g. a man page) I'll test it anyway.
>
> >  Match User sftpuser
> >        X11Forwarding no
> >        AllowTcpForwarding no
> >        ForceCommand internal-sftp
> >        ChrootDirectory /home/sftpuser
> >
> > Where the user is named sftpuser and the home directory for the user is
> > /home/sftpuser.
>
> Yeah I got that bit worked out and I've got the forwarding commands
> globally.
>

If you intend to use logging, check the tail end of the man page for
sftp-server as well.  There is a blurb about needing to set something up
for syslog in there.

Good luck!

Stefan Johnson

Re: no home no shell accounts

Stefan Johnson-2
I stand corrected.  Here is the procedure for setting up sftp-only with
/usr/bin/false as the shell:

Create your user with the appropriate shell:
useradd -m -s /usr/bin/false -d /home/anonsftp anonsftp
(Note that you might want to set up your own login class for it instead, or
add other details)

Change the ownership of /home/anonsftp to root:
chown root /home/anonsftp

Modify the sshd_config for a Match User block that is appropriate:
Match User anonsftp
     X11Forwarding no
     AllowTcpForwarding no
     ForceCommand internal-sftp
     ChrootDirectory /home/anonsftp

If you need logging, again review the section in the man page on that.

Sorry for the bad information earlier.

Stefan Johnson
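As an added example (not from the thread, and not OpenSSH's own code) of the procedure in this last post: a small POSIX sh helper that verifies the ChrootDirectory tree meets sshd's requirement that the directory and every path component above it be root-owned and not group- or world-writable (sshd refuses the login otherwise), and that prints the Match block to append to sshd_config. It goes one step beyond the post by walking every ancestor directory, not just the chroot target; the user anonsftp and /home/anonsftp are the post's own constructed values.

```shell
#!/bin/sh
# Added example, not from the thread. Checks for the chrooted sftp-only
# account procedure above: sshd_config(5) requires the ChrootDirectory and
# every path component above it to be owned by root and not writable by
# group or others, or sshd refuses the login. User and paths are constructed.

# chroot_dir_ok DIR [UID]: DIR is a directory owned by UID (default 0, root)
# with no group/other write bit. ls -ldn keeps it portable (BSD, GNU, busybox).
chroot_dir_ok() {
    want=${2:-0}
    set -- $(ls -ldn "$1" 2>/dev/null)
    [ $# -ge 3 ] || return 1
    mode=$1; owner_uid=$3
    [ "$owner_uid" = "$want" ] || return 1
    case $mode in
        d????w*|d???????w*) return 1 ;;   # group (col 6) or other (col 9) write bit
        d*) return 0 ;;
        *) return 1 ;;                    # symlink, file, or unreadable
    esac
}

# chroot_path_ok DIR [UID]: DIR and every ancestor up to / pass chroot_dir_ok,
# which is what sshd checks before it will chroot the session.
chroot_path_ok() {
    d=$1
    while :; do
        chroot_dir_ok "$d" "$2" || { echo "bad ownership or modes: $d" >&2; return 1; }
        [ "$d" = / ] && return 0
        d=$(dirname "$d")
    done
}

# sftp_match_block USER DIR: print the sshd_config Match block from the thread.
sftp_match_block() {
    printf 'Match User %s\n' "$1"
    printf '    X11Forwarding no\n'
    printf '    AllowTcpForwarding no\n'
    printf '    ForceCommand internal-sftp\n'
    printf '    ChrootDirectory %s\n' "$2"
}

# Constructed run: after "useradd -m -s /usr/bin/false -d /home/anonsftp anonsftp"
# and "chown root /home/anonsftp", verify the tree and print the block to append.
sftp_match_block anonsftp /home/anonsftp
chroot_path_ok /home/anonsftp || echo "fix the directory before enabling the Match block" >&2
```

Run it as root on the host after the useradd and chown steps; a non-root run still shows which component of the path sshd would reject.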