Super mega lock
usermod --lock --expiredate 1 --shell /bin/false <username>
- If the account is expired with --expiredate:
  - crontabs won't start
  - ssh login is rejected
- If the shell is /bin/false:
  - No way to log in with ssh (obviously)
  - mailfilter (maildrop) won't work
Hardened sftp-only account
In sshd_config, comment out the existing sftp subsystem line:
#Subsystem sftp /usr/lib/openssh/sftp-server
At the end of sshd_config:
Subsystem sftp internal-sftp
Match User toto
    # for example:
    ChrootDirectory %h/b
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
NB: %h/b (home/b) must be owned by root. The sftp session should never land in the home directory itself; otherwise an attacker who gains control of the client computer can change the authentication keys.
Then:
usermod --shell /bin/false toto
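
Added example (not part of the original notes): a shell check for the ownership rule in the NB above. sshd refuses the chroot unless every component of the ChrootDirectory path is owned by root and not writable by group or others, so the script walks from the target up to / and reports the first component that fails. The function names are this example's own, and it assumes a stat that supports -c (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example: check a ChrootDirectory path before reloading sshd.
# Usage (assumed invocation): sh check_chroot.sh ~toto/b

# component_ok UID MODE
# Returns 0 when the owner is root (uid 0) and the octal MODE carries
# neither the group-write nor the other-write bit.
component_ok() {
    uid=$1
    mode=$2
    [ "$uid" -eq 0 ] || return 1
    # stat prints the mode in octal (e.g. 755, 1777); a leading 0 makes
    # the shell parse it as octal so the write bits can be masked with 022.
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# check_chroot_path DIR
# Returns 0 when DIR and every parent up to / pass component_ok,
# 1 on the first failing component (named on stderr), 2 on bad input.
check_chroot_path() {
    p=$1
    case $p in
        /*) ;;
        *) echo "need an absolute path: $p" >&2; return 2 ;;
    esac
    [ -d "$p" ] || { echo "not a directory: $p" >&2; return 2; }
    while :; do
        # -L follows symlinks, so the checked object is the real directory.
        st=$(stat -L -c '%u %a' "$p") || return 2
        if ! component_ok "${st% *}" "${st#* }"; then
            echo "FAIL $p (uid=${st% *} mode=${st#* })" >&2
            return 1
        fi
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Run the check only when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1" && echo "OK $1"
fi
```

Because the walk includes the parents, a user-owned %h is reported as the failing component even when %h/b itself is owned by root.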