topic Re: no shell account in Operating System - HP-UX

no shell account

mjos — Mon, 03 Mar 2008 07:49:33 GMT

I want to create a no shell account for an user. He will be using this account to connect to the server using ssh to send & recieve files. He will be having access to only 2 dirs for sending & recieving files.

Any way to create a no shell account.
Please help.

Re: no shell account

Mark Grant — Mon, 03 Mar 2008 08:08:26 GMT

If you use ssh the user will need a shell account.

If it's only for sending and receiving files then "ftp" or "sftp" is probably simpler. You can restrict the user to which ever directories you want and give them an "ftpshell" as their shell too.

Re: no shell account

Jeeshan — Mon, 03 Mar 2008 08:16:58 GMT

create a user and edit the /etc/passwd file using command

#vipw

and in shell area replace the existing shell by /usr/bin/ftpshell.

Re: no shell account

mjos — Mon, 03 Mar 2008 08:57:42 GMT

I dont find any ftpshell inside /usr/bin

# pwd
/usr/bin
# ll ftp*
-r-xr-xr-x 1 bin bin 374364 Nov 10 2006 ftp
-r-xr--r-- 1 bin bin 42828 Nov 10 2006 ftpcount
-r-xr--r-- 1 bin bin 48244 Nov 10 2006 ftprestart
-r-xr--r-- 1 bin bin 56828 Nov 10 2006 ftpshut
lrwxr-xr-x 1 root bin 10 Nov 16 14:16 ftpwho -> ./ftpcount

Re: no shell account

Jeeshan — Mon, 03 Mar 2008 09:49:57 GMT

follow the procedures

1. Create a bogus shell for users that will only have FTP access to the system:

a. vi /usr/bin/ftpshell

b. exit 0

c. chmod 555 /usr/bin/ftpshell

d. chown bin:bin /usr/bin/ftpshell

2. Create an /etc/shells file:

a. vi /etc/shells

b. Include these lines in the file:

/sbin/sh

/usr/bin/ksh

/usr/bin/sh

/usr/bin/csh

/usr/bin/rsh

/usr/bin/rksh

/usr/bin/keysh

/bin/sh

/bin/ksh

/bin/csh

/bin/rsh

/bin/rksh

/usr/bin/ftpshell

Re: no shell account

mjos — Mon, 03 Mar 2008 10:13:21 GMT

Thanks....I did the same thing...when I am trying to sftp to the server with that user ...I am getting the following error

Connection has been unexpectedly closed. Server sent command exit status 1.

# cat /usr/bin/ftpshell
exit 0

# cat /etc/shells
/bin/sh
/usr/bin/sh
/bin/ksh
/usr/bin/ksh
/usr/bin/ftpshell

Re: no shell account

Jeeshan — Mon, 03 Mar 2008 10:24:04 GMT

this is not for sftp.

this is for ftp login.

Re: no shell account

mjos — Mon, 03 Mar 2008 10:28:52 GMT

Thanks Ahsan...but my need is that the user should be able to do sftp transfers & not ftp. I am able to do sftp using any other account

Re: no shell account

Mark Grant — Mon, 03 Mar 2008 11:29:47 GMT

I'm pretty sure that you can't do what you want with sftp. sftp is only ftp over ssh and ssh in a replacement for rlogin/remsh.

There are proper ftp clients that support encryption and will also allow you to restrict what the user can see/do and remove the requirement for a shell.

"oftp" is one though and I believe there is an "eftp" as well.

Alternatively, use ftp and encrypt the files before transferring.

Re: no shell account

Heironimus — Mon, 03 Mar 2008 17:36:15 GMT

sftp doesn't read /etc/shells for anything, but it does expect a shell to invoke the sftp-server binary to handle the server's end of the connection. One slightly hackish way to provide sftp without shell access is to set the shell to sftp-server (I don't have the full path handy, but it's part of the ssh package). You can also use scponly or rssh as the shell, both of which can be used to allow scp as well as sftp.

Re: no shell account

David Woodroffe — Tue, 04 Mar 2008 02:26:46 GMT

Have you considered effectively putting the ssh connection into a restricted directory subset. If I remember correctly there are tools supplied with the HP ssh package which make it relatively easy to setup such a user. However password changes and maintenance may be an issue and I didn't investigate using public keys etc. I did setup a test account along the lines of what you wanted.