[lug] ftp only login
charles at lunarmedia.net
charles at lunarmedia.net
Fri Feb 16 09:18:32 MST 2001
Aside from /bin/false and an app that displays a no login for a user, you
may want to give your users a bit of account management functionality
while not letting them have a shell prompt. set their shell to
/usr/bin/passwd and it will allow them to change their passwd from time to
time by attempting to log in.
-cjm
On Fri, 16 Feb 2001, Neal McBurnett wrote:
> This issue is covered in
> http://www.wu-ftpd.org/wu-ftpd-faq.html
>
> See http://www.landfield.com/wu-ftpd/ftponly/ftponly.html
> for an example script.
>
> The issue the FAQ mentions, which we've run into, is that putting the
> ftp-only user's shell in /etc/shells caused sendmail to also accept
> mail. Playing with .forward files can help, but isn't very
> clean or convenient. Can this be handled in the sendmail config,
> e.g. to ignore users with a particular shell?
>
> I would think there are potential issues with access via other
> daemons which respect /etc/shells (or getusershell()). I haven't
> really dug in to know for sure, but, but these come to mind: pop,
> imap, sshd (for scp).
>
> We also want some more restrictions on FTP users, because we want
> them to be able to maintain web sites and nothing more:
> FTP users must not have read or write permission outside their
> own directory - e.g. to read files elsewhere
> on server that are protected via http .htaccess
>
> FTP-only users would still need a way to change their passwords.
>
> Any other advice? It would be nice to make those FAQs above
> more comprehensive.
>
> Cheers,
>
> Neal McBurnett <neal at bcn.boulder.co.us> 303-538-4852
> http://bcn.boulder.co.us/~neal/ (with GPG/PGP keys)
>
>
> On Fri, Feb 16, 2001 at 07:58:18AM -0700, Deva Samartha wrote:
> > I've played with that before and put in /dev/null as a shell - would not work.
> >
> > so, just now, I made a shell script:
> >
> > cat /sbin/nologin
> > /bin/echo NO LOGIN
> >
> > which gives me:
> >
> > ftp-test's password:
> > Last login: Fri Feb 16 07:27:16 2001 from munich
> > Have a lot of fun...
> > /sbin/nologin: Exec format error
> >
> > probably need to feed it through a shell but I made it a C program and that
> > works:
> >
> > Last login: Fri Feb 16 07:39:05 2001 from munich
> > Have a lot of fun...
> > NO LOGIN
> >
> > So far so good - but now, the ftp gives me:
> >
> > Trying to connect to 192.168.5.53...
> > Password:
> > Login incorrect.
> >
> > so, somehow the ftp demon checks for a valid login shell and seems to
> > execute it and if that fails, it bombs - or, maybe it checks for a valid shell?
> >
> > - maybe I need to put the /sbin/nologin in /etc/shells...
> >
> > yupp! - that works!
> >
> > thanks!
> >
> > Samartha
> >
> >
> >
> > At 07:13 AM 2/16/01 -0700, you wrote:
> > >One way I've seen is at the end of the user's entry in /etc/passwd use an
> > >invalid shell.
> > >
> > >So:
> > >
> > >user:x:UID:GID:Name:/whatever/home/:/etc/false
> > >
> > >(this is a RH entry for xfs in one I'm looking at right now)
> > >
> > >instead of:
> > >
> > >user:x:UID:GID:Name:/whatever/home/:/bin/bash
> > >
> > >John
> > >
> > >Deva Samartha wrote:
> > >
> > > > How can I make a ftp only login so that it works with ftp access only and
> > > > every other service under that login is disabled?
> > > >
> > > > S.
> > > >
> > > > _______________________________________________
> > > > Web Page: http://lug.boulder.co.us
> > > > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> > >
> > >_______________________________________________
> > >Web Page: http://lug.boulder.co.us
> > >Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> >
> > _______________________________________________
> > Web Page: http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>
More information about the LUG
mailing list