Documentation

10.11. Banning users

10.11.1. Introduction

A deny-username authentication method can be used to block/deny authentication for a configured list of denied users.

You can use it for any file transfer service.

Note

Add this authentication method as the first one in the list of active authentication methods to make sure the users are not authenticated earlier by other authentication methods.

10.11.2. name

Default value:

''

Optional:

Yes

From version:

2.10.0

Values:

  • Any text.

Description:

Human-readable short text used to identify this method.

10.11.3. description

Default value:

''

Optional:

Yes

From version:

2.10.0

Values:

  • Any text.

Description:

Human-readable text that describes the purpose of this authentication method.

10.11.4. type

Default value:

''

Optional:

No

From version:

2.10.0

Values:

  • application - Application accounts.

  • os - Accounts authenticated by the OS.

  • http - HTTP (unsecured).

  • ip-time-ban - Ban an IP address for a time interval.

  • deny-username - Deny authentication based on usernames.

  • anonymous - Anonymous account authentication.

  • ldap - Authenticate against an LDAP server.

  • local-file - Authenticate the accounts from a separate local file.

  • radius - Authenticate via a RADIUS server.

  • entra-id - Microsoft Entra ID

  • google-identity - Google Identity

Description:

This option specifies the type of the method. Each type has a set of specific configuration options

10.11.5. usernames

Default value:

''

Optional:

Yes

Values:

  • Comma-separated list of usernames.

From version:

3.0.0

Description:

Comma-separated list of usernames denied by this authentication method.

The check is case-insensitive.

Usernames should be defined in lower-case.

This list is not used to deny access to the Web Manager console.

10.11.6. administrators

Default value:

''

Optional:

Yes

Values:

  • Comma-separated list of names.

From version:

5.12.0

Description:

Comma-separated list of administrator names denied by this authentication method.

The check is case-insensitive.

Usernames should be defined in lower-case.

This list is not used to deny access to the file transfer services.

Leave it empty to allow any username to authenticate as administrators. The value of administrators =` in the INI file means that administrators are explicitly defined and that you don't want to block any admin.

Note

When the administrators configuration option is not defined at all inside the .INI configuration file, not even as an empty value, the value from the usernames configuration option is used instead. When you don't have administrators = in the INI file, it means that this is a pre 5.12 configuration file and it is automatically migrated so that the behaviour for 5.12 is similar to that of the older versions.

10.10. RADIUS
10.12. Banning IP addresses