[lug] ftp only login

Neal McBurnett nealmcb at avaya.com
Fri Feb 16 08:28:24 MST 2001


This issue is covered in
	http://www.wu-ftpd.org/wu-ftpd-faq.html

See http://www.landfield.com/wu-ftpd/ftponly/ftponly.html
for an example script.

The issue the FAQ mentions, which we've run into, is that putting the
ftp-only user's shell in /etc/shells caused sendmail to also accept
mail.  Playing with .forward files can help, but isn't very
clean or convenient.  Can this be handled in the sendmail config,
e.g. to ignore users with a particular shell?

I would think there are potential issues with access via other
daemons which respect /etc/shells (or getusershell()).  I haven't
really dug in to know for sure, but these come to mind: pop,
imap, sshd (for scp).

We also want some more restrictions on FTP users, because we want
them to be able to maintain web sites and nothing more:
        FTP users must not have read or write permission outside their
                own directory - e.g. to read files elsewhere
                on server that are protected via http .htaccess

FTP-only users would still need a way to change their passwords.

Any other advice?  It would be nice to make those FAQs above
more comprehensive.

Cheers,

Neal McBurnett <neal at bcn.boulder.co.us>  303-538-4852
http://bcn.boulder.co.us/~neal/      (with GPG/PGP keys)
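The check the thread keeps running into (ftpd, and possibly sendmail, pop, imap, sshd, all consulting getusershell(), i.e. /etc/shells) can be audited per account. The script below is an added example, not code from this list or from wu-ftpd; it parses passwd(5) and /etc/shells text the way getusershell() reads them and reports, for each account, whether a getusershell()-respecting daemon would accept it and whether that acceptance is broader than "ftp only". The passwd and shells contents are constructed samples; on a real host pass it the text of the actual files.

```python
"""Audit which accounts getusershell()-respecting daemons will accept.

Added example for the ftp-only-login thread; not code from the list or
from wu-ftpd.  Models the behaviour discussed there: any daemon that
checks the login shell against /etc/shells (wu-ftpd, sendmail for
.forward handling, some pop/imap servers) accepts an ftp-only account
as soon as its nologin shell is listed in /etc/shells.
"""
import os
from typing import Dict, List, Optional

# Constructed sample of /etc/shells: the ftp-only shell has been added to
# it so that wu-ftpd stops answering "Login incorrect".
SAMPLE_SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/sbin/nologin
"""

# Constructed sample of /etc/passwd (no real accounts).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
ftp-test:x:1001:1001:FTP only:/home/ftp-test:/sbin/nologin
alice:x:1002:1002:Alice:/home/alice:/bin/bash
bob:x:1003:1003:Bob:/home/bob:/usr/bin/zsh
"""

# What getusershell() falls back to when /etc/shells does not exist.
DEFAULT_SHELLS = ("/bin/sh", "/bin/csh")

# Shell basenames conventionally used to deny interactive login.
NOLOGIN_NAMES = {"nologin", "false"}


def parse_shells(text: Optional[str]) -> List[str]:
    """Read /etc/shells like getusershell(): blank lines and '#' comments skipped."""
    if text is None:
        return list(DEFAULT_SHELLS)
    shells = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            shells.append(line)
    return shells


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Parse passwd(5) lines; an empty shell field means /bin/sh, as login(1) treats it."""
    users = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip it rather than guess at the fields
        name, _pw, uid, _gid, _gecos, home, shell = fields
        users.append({"name": name, "uid": uid, "home": home, "shell": shell or "/bin/sh"})
    return users


def classify(user: Dict[str, str], valid_shells: List[str]) -> str:
    """
    'interactive': listed shell that is a real shell (every daemon accepts it)
    'ftp-only'   : listed nologin-style shell, i.e. accepted by ftpd AND by
                   every other daemon that trusts getusershell()
    'unlisted'   : shell not in /etc/shells, so getusershell() daemons reject it
                   (wu-ftpd reports "Login incorrect"); login(1)/sshd may still
                   run the shell if it is executable
    """
    shell = user["shell"]
    if shell in valid_shells:
        return "ftp-only" if os.path.basename(shell) in NOLOGIN_NAMES else "interactive"
    return "unlisted"


def audit(users: List[Dict[str, str]], valid_shells: List[str]) -> Dict[str, str]:
    """Map account name -> classification for the whole passwd file."""
    return {u["name"]: classify(u, valid_shells) for u in users}


def exposed_accounts(users: List[Dict[str, str]], valid_shells: List[str]) -> List[str]:
    """Accounts meant to be ftp-only but reachable through every getusershell() daemon."""
    return sorted(u["name"] for u in users if classify(u, valid_shells) == "ftp-only")


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    shells = parse_shells(SAMPLE_SHELLS)
    for name, kind in audit(users, shells).items():
        print(f"{name:10s} {kind}")
    print("ftp-only accounts also accepted by sendmail/pop/imap-style checks:",
          exposed_accounts(users, shells))
```

On the sample data ftp-test comes out as "ftp-only", which is exactly the case the FAQ warns about: the listing in /etc/shells that lets wu-ftpd accept the account also satisfies every other daemon that asks getusershell(). xfs (/bin/false, not listed) and bob (zsh, not listed) both show as "unlisted", the state that produced the "Login incorrect" seen earlier in the thread.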


On Fri, Feb 16, 2001 at 07:58:18AM -0700, Deva Samartha wrote:
> I've played with that before and put in /dev/null as a shell - would not work.
> 
> so, just now, I made a shell script:
> 
>   cat /sbin/nologin
> /bin/echo NO LOGIN
> 
> which gives me:
> 
> ftp-test's password:
> Last login: Fri Feb 16 07:27:16 2001 from munich
> Have a lot of fun...
> /sbin/nologin: Exec format error
> 
> probably need to feed it through a shell but I made it a C program and that 
> works:
> 
> Last login: Fri Feb 16 07:39:05 2001 from munich
> Have a lot of fun...
> NO LOGIN
> 
> So far so good - but now, the ftp gives me:
> 
> Trying to connect to 192.168.5.53...
> Password:
> Login incorrect.
> 
> so, somehow the ftp demon checks for a valid login shell and seems to 
> execute it and if that fails, it bombs - or, maybe it checks for a valid shell?
> 
> - maybe I need to put the /sbin/nologin in /etc/shells...
> 
> yupp! - that works!
> 
> thanks!
> 
> Samartha
> 
> 
> 
> At 07:13 AM 2/16/01 -0700, you wrote:
> >One way I've seen is at the end of the user's entry in /etc/passwd use an
> >invalid shell.
> >
> >So:
> >
> >user:x:UID:GID:Name:/whatever/home/:/etc/false
> >
> >(this is a RH entry for xfs in one I'm looking at right now)
> >
> >instead of:
> >
> >user:x:UID:GID:Name:/whatever/home/:/bin/bash
> >
> >John
> >
> >Deva Samartha wrote:
> >
> > > How can I make a ftp only login so that it works with ftp access only and
> > > every other service under that login is disabled?
> > >
> > > S.
> > >
> > > _______________________________________________
> > > Web Page:  http://lug.boulder.co.us
> > > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> >
> 