From time to time, I’ve had to create users on Linux boxes that need to connect via IMAP to get email, but they can’t SSH or log in to the server.
There are certainly more elaborate ways to solve this problem, but here’s my ghetto solution.
When creating the user, set their shell to /bin/false:

    useradd --shell /bin/false gack

Now when gack tries to SSH into the server, he can’t get in. But gack can get email via IMAP using SSL to encrypt gack’s password. The SSL part isn’t technically necessary, but only a fool would be sending plain text passwords around like that.
I remember researching this and I initially thought the --disabled-login on useradd would do the trick, but no. It’s strange, on my Debian server, the man page for useradd doesn’t even mention --disabled-login, but it’s totally an option.
The problem is that while --disabled-login does in fact disable the login, it does so by putting an ! in the /etc/shadow file for the user’s password. If the user’s password in the /etc/shadow file is an exclamation point, they can’t log in, but they also can’t get email either, since their account is disabled. It makes sense.
If, however, you set the user’s shell to /bin/false, she can get email but can’t log in via SSH.
And if you forget the --shell parameter when calling useradd, you can just edit the /etc/passwd file and set it there.
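
To check which accounts ended up in which state, here is an added example (not part of the original post) that reads passwd- and shadow-format files and reports whether each user has a working password with no shell (the mail-only setup above), a locked password, or a normal interactive login. The function names, status labels and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify accounts by login shell and shadow password state.
# classify_accounts PASSWD_FILE SHADOW_FILE  ->  one "user status" line each
classify_accounts() {
    awk -F: '
        # First file is shadow: remember field 2 (hash or lock marker).
        FILENAME == ARGV[1] { pw[$1] = $2; next }
        # Second file is passwd: field 7 is the login shell.
        {
            noshell = ($7 == "/bin/false" || $7 ~ /\/nologin$/)
            if (!($1 in pw))            auth = "unknown"
            else if (pw[$1] ~ /^[!*]/)  auth = "locked"
            else if (pw[$1] == "")      auth = "empty"
            else                        auth = "password"

            if (auth == "password" && noshell)  status = "mail-only"
            else if (auth == "password")        status = "interactive"
            else if (auth == "locked")          status = "password-locked"
            else                                status = "review-" auth
            print $1, status
        }
    ' "$2" "$1"
}

# Constructed sample data: gack has /bin/false and a password hash,
# alice has a real shell, bob has /bin/false and a "!" in shadow.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
gack:x:1001:1001::/home/gack:/bin/false
alice:x:1002:1002::/home/alice:/bin/bash
bob:x:1003:1003::/home/bob:/bin/false
EOF
    cat > "$dir/shadow" <<'EOF'
gack:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::
bob:!:19000:0:99999:7:::
EOF
    classify_accounts "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}

demo
```

On a live system, run classify_accounts /etc/passwd /etc/shadow as root, since /etc/shadow is not world-readable.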