Re: mail-only user accounts

2010-10-21 Thread Stanisław Findeisen
On 2010-10-21 09:54, Ron Johnson wrote:
> On 10/21/2010 02:35 AM, Stanisław Findeisen wrote:
>> What are the best practices for restricting user accounts to e-mail +
>> passwd only?
>>
>> Is allowing SSH access and setting user shell to passwd the way to go?
>>
> 
> If the machine will just be an email server, I'd look into virtual
> accounts.
> 
> http://www.debuntu.org/how-to-virtual-emails-accounts-with-postfix-and-dovecot

Okay, but does SSH+passwd + Postfix + Dovecot (no virtual accounts)
leave any inherent security holes? Like the ability to do scp or...?

My testing reveals that scp doesn't work with SSH+passwd:

> scp local-file some...@...:/somewhere/...
> some...@...'s password: 
> 
> passwd: invalid option -- c
> Usage: passwd [options] [LOGIN]
> 
> Options:
>   -a, --all                     report password status on all accounts
>   -d, --delete                  delete the password for the named account
>   -e, --expire                  force expire the password for the named account
>   -h, --help                    display this help message and exit
>   -k, --keep-tokens             change password only if expired
>   -i, --inactive INACTIVE       set password inactive after expiration
>                                 to INACTIVE
>   -l, --lock                    lock the password of the named account
>   -n, --mindays MIN_DAYS        set minimum number of days before password
>                                 change to MIN_DAYS
>   -q, --quiet                   quiet mode
>   -r, --repository REPOSITORY   change password in REPOSITORY repository
>   -S, --status                  report password status on the named account
>   -u, --unlock                  unlock the password of the named account
>   -w, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS
>   -x, --maxdays MAX_DAYS        set maximim number of days before password
>                                 change to MAX_DAYS
> 
> lost connection

What is this "c"? What is scp doing?

Does scp assume that remote shell is GNU Bash, and tries to pass command
line arguments to it? My local GNU Bash manual says:

> -c string  If the -c option is present, then commands are read from string.
>            If there are arguments after the string, they are assigned to the
>            positional parameters, starting with $0.

so I think that would make sense... This -c option is probably POSIX?

Perhaps Debian SSH server only allows secure authentication +
communication and the rest is just to execute user shell with command
line parameters supplied by the client end. Is this correct?

-- 
http://people.eisenbits.com/~stf/
OpenPGP: DFD9 0146 3794 9CF6 17EA  D63F DBF5 8AA8 3B31 FE8A

Like hardship, risk & challenge?  --- Follow Jesus!!
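
The behaviour asked about in the message above, as an added example that is not part of the original post: sshd hands a requested command to the account's login shell as `<shell> -c <command>`, which is why `passwd` complained about `-c`. The account names, the sample passwd(5) entries and the `passwd_standin` function are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): models how sshd starts a session.
# sshd does not interpret the client's command; it runs the account's
# login shell from passwd(5), as "<shell> -c <command>" when the client
# asks for a command (scp does) and as the bare shell for a login.

# Constructed passwd(5) sample; both accounts are hypothetical.
PASSWD_SAMPLE='alice:x:1001:1001::/home/alice:/bin/sh
mailonly:x:1002:1002::/home/mailonly:/usr/bin/passwd'

# login_shell USER: print field 7 (the login shell) of USER's entry.
login_shell() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v u="$1" '$1 == u { print $7 }'
}

# Stand-in for /usr/bin/passwd: same option letters as the usage text
# quoted above, so "-c" is unknown. It never touches real passwords.
passwd_standin() {
    OPTIND=1
    while getopts ':adehki:ln:qr:Suw:x:' opt "$@"; do
        if [ "$opt" = '?' ]; then
            echo "passwd: invalid option -- $OPTARG"
            return 2
        fi
    done
    echo "passwd: prompting for a new password"
}

# run_session USER [COMMAND]: do what sshd would do for this request.
run_session() {
    shell=$(login_shell "$1")
    [ -n "$shell" ] || { echo "no such account: $1"; return 1; }
    # With a command the argv is: shell -c command. Without: just shell.
    if [ $# -ge 2 ]; then set -- -c "$2"; else set --; fi
    case "$shell" in
        /usr/bin/passwd) passwd_standin "$@" ;;
        *) "$shell" "$@" ;;
    esac
}

# The legacy scp protocol asks the server to run "scp -t <target>".
run_session mailonly 'scp -t /somewhere' || true  # rejected by option parsing
run_session mailonly                              # plain login: passwd runs
run_session alice 'echo command ran'              # a real shell executes it
```

The login shell only governs session requests such as these; TCP forwarding is handled by sshd itself, so `AllowTcpForwarding` in sshd_config has to be reviewed separately for such accounts.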





Re: mail-only user accounts

2010-10-21 Thread Camaleón
On Thu, 21 Oct 2010 02:54:30 -0500, Ron Johnson wrote:

> On 10/21/2010 02:35 AM, Stanisław Findeisen wrote:
>> What are the best practices for restricting user accounts to e-mail +
>> passwd only?
>>
>> Is allowing SSH access and setting user shell to passwd the way to go?
>>
>>
> If the machine will just be an email server, I'd look into virtual
> accounts.

+1 

> http://www.debuntu.org/how-to-virtual-emails-accounts-with-postfix-and-dovecot

There are other possibilities. For example, I'm using Cyrus+sasldb2 (no sql 
server required) :-)

Greetings,

-- 
Camaleón


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/pan.2010.10.21.08.04...@gmail.com



Re: mail-only user accounts

2010-10-21 Thread Ron Johnson

On 10/21/2010 02:35 AM, Stanisław Findeisen wrote:
> What are the best practices for restricting user accounts to e-mail +
> passwd only?
>
> Is allowing SSH access and setting user shell to passwd the way to go?

If the machine will just be an email server, I'd look into virtual
accounts.

http://www.debuntu.org/how-to-virtual-emails-accounts-with-postfix-and-dovecot

--
Seek truth from facts.


Archive: http://lists.debian.org/4cbff1b6.2030...@cox.net