Hi Mark,

No, you cannot use a nologin with scp or ssh. There are a few restricted shells, most notably rssh (which is in apt-get for Debian):

http://www.cyberciti.biz/tips/howto-linux-unix-rssh-chroot-jail-setup.html
http://www.cyberciti.biz/tips/rhel-centos-linux-install-configure-rssh-shell.html

On Thu, Dec 29, 2011 at 8:04 AM, Mark Phillips wrote:
> Eric,
>
> The Debian equivalent to /sbin/nologin appears to be /bin/false. When I
> tried that, I could not sftp or ssh or gain access to the machine in
> any way. I am not sure if there is another Debian shell that allows sftp but
> not ssh.
>
> Thanks!
>
> Mark
>
> On Wed, Dec 28, 2011 at 9:54 PM, Eric Shubert wrote:
>
>> That should be ok.
>>
>> Be sure you have your ftp server configured such that they cannot access
>> folders above/across their home folder. File permissions may handle this,
>> but probably will not (many things are world readable).
>>
>> Also, be sure that they cannot log in to a command prompt by setting their
>> login shell to /sbin/nologin (might vary with distro). This is commonly
>> done for service accounts (apache, etc).
>>
>>
>> On 12/28/2011 03:38 PM, Mark Phillips wrote:
>>
>>> Thanks to everyone for their suggestions. Based on some constraints,
>>> your advice, and some googling, I arrived at this set-up, but I am not sure
>>> how secure it is.
>>>
>>> 1. The web creation software (iWeb on a Mac) only supports ftp and sftp
>>> to upload a site.
>>> 2. iWeb does not support the use of "versions" for the web pages. By
>>> that I mean iWeb is strictly one way - create a site and publish it. It
>>> cannot import an iWeb site, it has to start at the beginning. One can
>>> create a site and publish it, then edit the site, and publish again, but
>>> it cannot import or use a previous version of the site as a starting
>>> point. (I mention this because Eric suggested using git, which sounded
>>> like a great idea, but alas
>>>
>>> I have this setup, but I could use some advice on how to make it more
>>> secure....
>>>
>>> 1. User account fred
>>> 2. fred's home is /var/www/domain/fred
>>> 3. /var/www/domain/fred has owner:group fred:fred
>>> 4. Document root is /var/www/domain/fred
>>>
>>> Thanks,
>>>
>>> Mark
>>>
>>> On Wed, Dec 28, 2011 at 10:26 AM, Eric Shubert wrote:
>>>
>>>> On 12/27/2011 10:46 PM, Mark Phillips wrote:
>>>>
>>>>> I need to give a user access to my web server via sftp to upload web
>>>>> site changes. What is the best way to do this? I have several other
>>>>> sites on the same server, so I want to prevent them or anyone else who
>>>>> gains access to their account from being able to make changes to those
>>>>> sites or other parts of the server.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Mark
>>>>
>>>>
>>>> I use vsftp, which can be configured to allow users access only to
>>>> their web site's tree. sftp might be able to do the same.
>>>>
>>>> Then, create their user such that their home directory is their web
>>>> site's directory, and they cannot log in to the system (only vsftp)
>>>> with an /etc/passwd entry like this:
>>>> vsftpuser:x:511:511::/var/vhosts/domain.com/docs:/sbin/nologin
>>>>
>>>> Files in their web site are owned by their user, with read
>>>> permissions for 'other' (o+r), which allows apache (or nginx) to
>>>> read them.
>>>>
>>>> --
>>>> -Eric 'shubes'
>>>>
>>>>
>>>> ---------------------------------------------------
>>>> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>>
>>>
>>
>>
>> --
>> -Eric 'shubes'
>>
>
>

--
(602) 791-8002 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
HomeSmartInternational.com
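Added example, not part of the thread above and not code from any of the participants: a small POSIX sh script covering the pieces an "sftp only, no shell" account on OpenSSH depends on. It reuses the user and path from Mark's setup (fred, /var/www/domain/fred) but assumes a different layout, a root-owned jail directory at /var/www/domain/fred with a fred-owned htdocs/ beneath it that the web server's DocumentRoot would point at, because sshd's ChrootDirectory refuses any jail the user can write to. It also assumes GNU stat for the directory walk and OpenSSH 6.2 or later for PermitTTY. With ForceCommand internal-sftp the login shell is never executed, so a /usr/sbin/nologin or /bin/false shell blocks ssh and scp while sftp keeps working; the restrictions on the jail's ownership and modes are what stop fred from escaping into the other sites' trees.

```shell
#!/bin/sh
# Added example, not code from the thread. Names and paths (fred,
# /var/www/domain/fred, htdocs/) are assumptions for illustration.

# shell_ok PASSWD_LINE
# True if the account's login shell refuses interactive logins.
# /sbin/nologin is the RHEL path, /usr/sbin/nologin the Debian one,
# /bin/false exists on both. None of them interferes with SFTP when
# sshd runs internal-sftp, which is started without a shell.
shell_ok() {
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case $shell in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# chroot_mode_ok OWNER MODE
# sshd refuses a ChrootDirectory unless it, and every directory above
# it, is owned by root and not writable by group or other; otherwise the
# user could replace the jail's contents. On failure sshd logs
# "bad ownership or modes for chroot directory" and drops the session.
chroot_mode_ok() {
    owner=$1
    mode=$2
    mode=${mode#"${mode%???}"}      # keep the last three octal digits (drops setuid/sticky)
    case $mode in [0-7][0-7][0-7]) ;; *) return 1 ;; esac
    rest=${mode#?}                  # drop the owner digit
    grp=${rest%?}
    oth=${rest#?}
    [ "$owner" = root ] || return 1
    [ $(( $grp & 2 )) -eq 0 ] || return 1   # group write bit clear
    [ $(( $oth & 2 )) -eq 0 ] || return 1   # other write bit clear
}

# chroot_ok DIR
# Run chroot_mode_ok over DIR and each of its parents up to / (GNU stat).
chroot_ok() {
    d=$1
    while :; do
        info=$(stat -c '%U %a' "$d") || return 1
        set -- $info
        chroot_mode_ok "$1" "$2" || { echo "bad ownership or modes: $d" >&2; return 1; }
        [ "$d" = / ] && return 0
        d=$(dirname "$d")
    done
}

# sftp_match_block USER CHROOT
# Print the sshd_config(5) stanza that confines USER to CHROOT and runs
# only the in-process sftp server. ForceCommand means the login shell is
# never executed, so scp and interactive ssh are unreachable even if the
# shell were /bin/sh. PermitTTY needs OpenSSH 6.2 or later.
sftp_match_block() {
    cat <<EOF
Match User $1
    ChrootDirectory $2
    ForceCommand internal-sftp
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
EOF
}

# Constructed sample run. Assumed layout: /var/www/domain/fred is the
# jail (root:root, 755) and /var/www/domain/fred/htdocs (fred:fred) is
# the only place fred can write and the DocumentRoot of the site.
if shell_ok 'fred:x:1001:1001::/var/www/domain/fred:/usr/sbin/nologin'; then
    echo "fred: login shell refuses interactive logins"
fi
chroot_mode_ok root 755 && echo "root 755: acceptable jail directory"
chroot_mode_ok fred 755 || echo "fred 755: rejected, jail must be root-owned"
chroot_mode_ok root 775 || echo "root 775: rejected, group-writable"
sftp_match_block fred /var/www/domain/fred
```

Match stanzas have to sit at the end of sshd_config, so append the printed block there, check it with sshd -t, and run chroot_ok against the jail path (after creating it root-owned with mode 755 and the fred-owned htdocs/ inside) before reloading sshd. A jail that fails chroot_ok does not weaken security; sshd simply refuses the login, which is the symptom to look for in the auth log when an sftp user suddenly cannot connect.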