On Mon, Apr 12, 2010 at 23:52, Andrew Berg <bahamutzero8825 at gmail.com> wrote:
> On 4/12/2010 11:23 PM, gm5729 wrote:
>> If I'm understanding this correctly all your users are or have the
>> ability to SSH to the box but have no shell.
> No one is allowed to connect to the ssh daemon except me, but each user
> does have a shell (see below). The idea is to let them change their
> passwords without needing to access the ssh daemon.
>> Is this some kind of
>> storage mechanism for users? If it is, only allow scp for all users and
>> set /etc/passwd to /bin/false.
> I set the users' shells to /bin/false and the result was that they
> became unable to log in via FTP, with the daemon returning 530 Login
> incorrect. With their default shell set to /bin/bash, they are able to
> log in.
>> If you do this then on the other end,
>> since Apache is already in place, you can use the certs for your site
>> to generate https html pages for each user.
> HTTPS is already set up and all pages are secure and require authentication.
>> As far as password resets, the places I worked had to call the help
>> desk and they would reset it for the user and bill the ticket to the
>> appropriate department. We had like 10-12 different applications, main
>> frames and email to handle for these items.
> I have root access, so I can reset passwords for the users. I want them
> to have the ability to change their own passwords without my intervention.
>
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> tclug-list at mn-linux.org
> http://mailman.mn-linux.org/mailman/listinfo/tclug-list
>

I totally hear what you're saying on wanting them to be able to change their passwords. A script would have to be written to do so on a web page, depending on whether you can script, someone else in the dept will, or you outsource it. The user can already do so under normal privileges, but you don't want them to use ssh access.
FreeNAS has a web setup that I'm basing this off of, which I used for a while. I had some serious instability issues with the filesystem that wiped out data and settings, which is why I stopped using it. YMMV. It was purely hobby. Instead of Apache they used LightHttpd/Tomcat.

Well, if it wasn't /bin/false then it must have been /bin/sh. With the sh access you could only scp to the machine. You're going to have to make sure there are no hard or soft links from sh -> bash, otherwise they have shell access.

Honestly, your life as a sysadmin would probably be easier if you used your ssh/sshd configs properly with AllowUsers lines, /etc/hosts.allow and /etc/hosts.deny, and utilized not only /etc/group but PAM. That's what it's there for anyway. You are giving them openssl/shell access (which is closely related to ssh/sshd) by logging in on one end of a secure site, but wanting to deny them on the other. If you can't trust your users in what sounds like a business atmosphere, IMHO they shouldn't ever be allowed access to the box.

With the above files you can pare down to who can use a cdrom drive and who can't, and lock down all usb/storage. With HAL being deprecated and distros pulling it out as a dependency and adding console-kit, devkit and polkit, those are also access control tools. Monitoring your logs, and setting up a cron job on certain conditions that are met or not met, is easy to grep out.

It's early, late, or something or other. Have a good day. I hope I gave you some ideas you may not have thought of, or something else.

VP

-- 
If there is a question to the validity of this email please phone for validation.
Proudly presented by Mutt, GNUPG, Vi/m and GNU/Linux via CopyLeft.
GNU/Linux is about Freedom to compute as you want and need to, and share your work unencumbered and have others do the same with you.
Key : 0xD53A8E1
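The thread's suggestion is a web page, behind the HTTPS authentication Andrew already has, that lets a user change their own Unix password without touching sshd. The block below is an editor-added example of the privileged back-end half of that script; it is not code from the thread, from FreeNAS, or from any project named in it. It assumes the web front end has already authenticated the user and hands the helper a trusted username, and that the helper runs with enough privilege to call chpasswd(8). Everything else (the username regex, the protected-account list, the password policy thresholds) is a hypothetical choice for illustration. The two security points it shows are the ones a practitioner would insist on: the username is validated against a strict pattern before it reaches any system command, and the new password is fed to chpasswd on stdin, never on the command line where `ps` could show it.

```python
"""Back end for a 'change my own password' web page (editor's example).

Assumptions, not from the thread: the HTTPS site has already authenticated
the user, so `username` is trusted; this helper runs with the privilege
needed by chpasswd(8). Names and policy numbers below are hypothetical.
"""
import re
import subprocess
from typing import Callable, List

# Plain POSIX-style account names only; spaces, ':', shell metacharacters
# and path fragments are rejected before any system command sees them.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Accounts that must never be changed through the web page (hypothetical).
PROTECTED_ACCOUNTS = frozenset({"root", "www-data"})


def validate_username(username: str) -> bool:
    """True if username is a plain account name and not a protected one."""
    return bool(USERNAME_RE.match(username)) and username not in PROTECTED_ACCOUNTS


def password_problems(password: str, username: str) -> List[str]:
    """Return policy violations for a candidate password (empty means OK)."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if "\n" in password or "\0" in password:
        # A newline would start a second 'user:pass' record in chpasswd's input.
        problems.append("contains newline or NUL")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    return problems


def change_password(username: str, new_password: str,
                    run: Callable[..., subprocess.CompletedProcess] = subprocess.run) -> bool:
    """Set the account's password via chpasswd, passing 'user:pass' on stdin.

    chpasswd splits each line at the first ':' only, so colons inside the
    password are fine. The password never appears in an argv. `run` is
    injectable so the function can be exercised without root.
    """
    if not validate_username(username):
        raise ValueError("refusing to change password for %r" % username)
    problems = password_problems(new_password, username)
    if problems:
        raise ValueError("weak password: " + "; ".join(problems))
    proc = run(["chpasswd"], input=f"{username}:{new_password}\n",
               text=True, capture_output=True)
    return proc.returncode == 0


if __name__ == "__main__":
    # Demo with a fake runner so this runs without root; real use omits `run`.
    def fake_run(cmd, **kw):
        print("would run", cmd, "with stdin", repr(kw["input"]))
        return subprocess.CompletedProcess(cmd, 0)

    print(change_password("alice", "Correct-Horse-9-Staple", run=fake_run))
```

Whatever front end calls this (CGI, a small WSGI app, a setuid wrapper) must be the only path by which the web server reaches chpasswd, and the helper should run as a dedicated account with just that capability rather than as root for the whole site. Verifying the user's current password before the change, for instance through PAM, is the natural next addition and is deliberately not attempted here.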