Security: Blocking users from the system (last edit: 2000-11-22)
Why would you create a user account if you are going to block it from the system? Well,
for example if you use Samba, or if you only want that user to have ftp access, ssh access, etc.
Blocking a user entirely
Change the user's entry in the '/etc/passwd' file (READ BELOW HOW TO):
jappe:[encrypted password]:1000:50::0:0:jappe reuling:/home/jappe:/usr/local/bin/zsh
into:
jappe:[encrypted password]:1000:50::0:0:jappe reuling:/nonexistent:/sbin/nologin
Now you have set jappe's home dir to '/nonexistent' and his shell to 'nologin'. The effect is
that the user can't log in to the server using telnet, ftp, ssh, rlogin, login, basically
every daemon which requires a home dir/login shell. The only exception I can think of right now is
Samba. The user will still be able to use Samba and its shares.
You can edit users with 'vipw'. What you actually do is open the file '/etc/passwd' in a
special way in a vi session. One of the differences is that the encrypted password is shown
instead of a *. When you close this session 'vipw' will do all the appropriate actions like
updating the password database etc. You must be root to execute this command.
man vipw
Vipw edits the password file after setting the appropriate locks, and
does any necessary processing after the password file is unlocked. If
the password file is already locked for editing by another user, vipw
will ask you to try again later. The default editor for vipw is vi(1).
Just blocking login access
If you want the user not to be able to log on, but still to be able to use ssh and ftp, then put this
user in the '/etc/login.access' file.
E.g. we are going to block the user 'jappe':
root@host:/etc#cat login.access
-:jappe:ALL
This says that login is refused (the '-' symbol) for the user 'jappe' from 'ALL' locations.
Now jappe can't log in using normal programs like telnet, login and rlogin, but he is still able to
connect to another daemon like 'sshd' and 'ftpd'.
man login.access
login.access - login access control table
[...]
The login.access file specifies (user, host) combinations and/or (user,
tty) combinations for which a login will be either accepted or refused.
[...]
Each line of the login access control table has three fields separated by
a ":" character: permission : users : origins
The first field should be a "+" (access granted) or "-" (access denied)
character. The second field should be a list of one or more login names,
group names, or ALL (always matches). The third field should be a list
of one or more tty names (for non-networked logins), host names, domain
names (begin with "."), host addresses, internet network numbers (end
with "."), ALL (always matches) or LOCAL (matches any string that does
not contain a "." character).
[...]
Blocking users from sshd
You'll have to edit the 'sshd_config' file if you want to deny access via ssh. This config
file usually lives in '/usr/local/etc'.
Add the line:
DenyUsers [username(s)]
to this file.
man sshd
[...]
DenyUsers
This keyword can be followed by any number of user
name patterns or user@host patterns, separated by
spaces. Host name may be either the dns name or the
ip address. If specified, login is disallowed as
users whose name matches any of the patterns.
AllowUsers
This keyword can be followed by any number of user
name patterns or user@host patterns, separated by
spaces. Host name may be either the dns name or the
ip address. If specified, login is allowed only as
users whose name matches one of the patterns. '*'
and '?' can be used as wildcards in the patterns.
By default, logins as all users are allowed.
Blocking ftp access
This works for the default 'ftpd' daemon. Edit the file '/etc/ftpusers'. You'll see that the
user 'root' is already in here. Just add the user you wish to deny ftp access to this
file and you're finished.
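As an added example (not code from the original page), here is a small POSIX shell script that audits which of the four mechanisms described above actually cover a given user, run against constructed sample copies of the files rather than the live system. It assumes a blocking shell ends in 'nologin' or 'false' and only evaluates login.access rules whose origin field is ALL:

```sh
#!/bin/sh
# Added example, not code from the original page: audit which of the four
# lockout mechanisms described above actually cover a given user. Each
# check takes a user name and the file to inspect and exits 0 when that
# mechanism blocks the user. Assumptions: a blocking shell ends in
# "nologin" or "false"; the login.access check only evaluates rules whose
# origin field is ALL (first matching rule wins, as in the man page).

shell_blocked() {        # $1=user  $2=passwd or master.passwd (shell is last field)
    awk -F: -v u="$1" '$1 == u && $NF ~ /(nologin|false)$/ { hit = 1 }
                       END { exit !hit }' "$2"
}

login_access_blocked() { # $1=user  $2=login.access
    awk -F: -v u="$1" '
        /^[ \t]*#/ || NF < 3 { next }
        { gsub(/[ \t]/, ""); n = split($2, users, ",") }
        $3 == "ALL" && !done { for (i = 1; i <= n; i++)
            if (users[i] == u || users[i] == "ALL") { done = 1; hit = ($1 == "-") } }
        END { exit !hit }' "$2"
}

sshd_denied() {          # $1=user  $2=sshd_config; handles user@host and * ? wildcards
    awk -v u="$1" '
        tolower($1) == "denyusers" { for (i = 2; i <= NF; i++) {
            p = $i; sub(/@.*/, "", p)                   # keep only the user part
            gsub(/\./, "[.]", p); gsub(/\*/, ".*", p); gsub(/\?/, ".", p)
            if (u ~ ("^" p "$")) hit = 1 } }
        END { exit !hit }' "$2"
}

ftp_denied() {           # $1=user  $2=ftpusers (one login name per line)
    awk -v u="$1" '!/^[ \t]*#/ && $1 == u { hit = 1 } END { exit !hit }' "$2"
}

audit_user() {           # $1=user $2=passwd $3=login.access $4=sshd_config $5=ftpusers
    shell_blocked        "$1" "$2" && echo "shell:        blocked" || echo "shell:        open"
    login_access_blocked "$1" "$3" && echo "login.access: blocked" || echo "login.access: open"
    sshd_denied          "$1" "$4" && echo "sshd:         blocked" || echo "sshd:         open"
    ftp_denied           "$1" "$5" && echo "ftpd:         blocked" || echo "ftpd:         open"
}

# Constructed sample files (not real system state) so the script runs offline.
D=$(mktemp -d)
printf 'root:*:0:0:Charlie:/root:/bin/csh\njappe:*:1000:50:jappe reuling:/nonexistent:/sbin/nologin\nbob:*:1001:50:Bob:/home/bob:/usr/local/bin/zsh\n' > "$D/passwd"
printf '# permission : users : origins\n-:jappe:ALL\n' > "$D/login.access"
printf 'Port 22\nDenyUsers bob j?ppe@*.example.net\n' > "$D/sshd_config"
printf '# root may not use ftp\nroot\nbob\n' > "$D/ftpusers"

audit_user jappe "$D/passwd" "$D/login.access" "$D/sshd_config" "$D/ftpusers"
```

Pointing the four checks at the real /etc/passwd, /etc/login.access, sshd_config and /etc/ftpusers shows at a glance whether a lockout covers every daemon you intended.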