SUMMARY: Not anonymous ftp

From: Marcus Filipsson (marcus@sun.ling.lu.se)
Date: Mon Jun 12 1995 - 07:35:34 CDT


How to achieve an ftp only account (not anonymous)
--------------------------------------------------

ORIGINAL POST (more or less):

Does anybody know of a way to set up a user account for ftp access only, and not rlogin etc? No, I don't mean ANONYMOUS ftp, I mean ftp accounts with passwords for leaving stuff for trusted users to ftp from other sites.

=========================
SOME ANSWERS

Thank you:

beb@mpe-garching.mpg.de
chrisl@tpc.bt.co.uk
henrik@ida.his.se
bandired@eel.st.usm.edu

---
I'm sure this can be done with wu-ftpd. This package has *LOTS* of
restricting/filtering/customizing possibilities for ftp-access.

---
Set the user's shell to one which does not exist (/bin/nosuchshell for
example).
Add /bin/nosuchshell to /etc/shells (on SunOS 4.x systems).

Create /bin/nosuchshell and either leave it empty (make sure that you make it read only) or make it a shell script that echoes a message to the user and then exits.

This works because FTP only checks that the user's shell is valid, but does not actually use it. Telnet etc. use the shell and will therefore fail.

---

Two possible ways to set up ftp-logins:

1. ftp users. In the system passwd (only used to show the right username in ls and so on): blocked passwd and /bin/false. In ~ftp/etc/passwd: valid passwd. The user first logs in as anonymous (or ftp) and then uses the USER command to change uid.

2. Make a fake shell from /bin/false. ln /bin/false /bin/ftpOnly and add it to /etc/shells

Then set up the user as usual, with /bin/ftpOnly as shell. Watch out: this doesn't prevent the user from using XDM to log in. To prevent this you have to check for SHELL=/bin/ftpOnly in the XDM startup script.

=================

MY SOLUTION:

This was based on the answers I received (thanks!) and the doc for wu-ftpd.

I use wu-ftpd as ftp daemon (available in many ftp sites), and with it you can create guest groups in the following manner:

1. Create a group in /etc/group and call it "ftponly" (for example)

2. Create an ordinary user called "guest" or something in /etc/passwd, belonging to the above-mentioned group

3. Log in as guest and set a password

4. In "ftpaccess" (the wu-ftpd access control file, perhaps located in /usr/local/etc) create a line

guestgroup ftponly

5. Edit /etc/passwd and change home directory from "/home/guest" or whatever to

/home/guest/./

where the period "." splits the entry into two fields. The first field is the argument to the chroot() call. The second field is the home directory relative to this "new" root. I've chosen the same location.

6. Edit /etc/passwd and set shell to

/bin/ftponly

7. Create an empty read-only file /bin/ftponly

8. Create /etc/shells and add

/bin/csh
/bin/sh
/bin/ftponly

I don't know if this is possible with the bundled ftp daemons, but wu-ftpd is recommended anyway, because of its higher security.

You could also achieve an ftp-only account by just replacing the shell of a user in /etc/passwd with /bin/ftponly (remember to create it and add it to /etc/shells), but that wouldn't execute the chroot command.
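An added audit helper (not from the original post and not part of wu-ftpd) that checks a passwd entry against steps 5 to 8: the "/./" chroot marker in the home field, the dummy shell in the shell field, the dummy shell being a non-executable file, and the shell being listed in /etc/shells. The passwd lines, the shells file and the dummy shell path below are constructed under a temporary directory rather than /bin and /etc.

```sh
#!/bin/sh
# check_ftponly_entry PASSWD_LINE SHELLS_FILE SHELL_PATH
# Prints one line per check; returns 0 only if every check passes.
check_ftponly_entry() {
    line=$1; shells_file=$2; shell_path=$3
    status=0
    user=$(printf '%s\n' "$line" | cut -d: -f1)
    home=$(printf '%s\n' "$line" | cut -d: -f6)
    shell=$(printf '%s\n' "$line" | cut -d: -f7)
    # Step 5: the home field must contain "/./" so wu-ftpd knows where to chroot().
    case "$home" in
        */./*) echo "$user: home '$home' has chroot marker: ok" ;;
        *) echo "$user: home '$home' lacks /./ chroot marker"; status=1 ;;
    esac
    # Step 6: the shell field must point at the dummy ftp-only shell.
    if [ "$shell" = "$shell_path" ]; then
        echo "$user: shell is $shell_path: ok"
    else
        echo "$user: shell is '$shell', expected $shell_path"; status=1
    fi
    # Step 7: the dummy shell must exist and be read-only (not executable),
    # so telnet/rlogin cannot run it as a real shell.
    if [ -f "$shell_path" ] && [ ! -x "$shell_path" ]; then
        echo "$user: $shell_path exists and is not executable: ok"
    else
        echo "$user: $shell_path missing or executable"; status=1
    fi
    # Step 8: ftpd refuses logins whose shell is not listed in /etc/shells.
    if grep -qx "$shell_path" "$shells_file"; then
        echo "$user: $shell_path listed in $shells_file: ok"
    else
        echo "$user: $shell_path not listed in $shells_file"; status=1
    fi
    return $status
}

# Constructed sample environment (hypothetical paths, not /bin and /etc).
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_SHELL=$DEMO_DIR/ftponly
DEMO_SHELLS=$DEMO_DIR/shells
: > "$DEMO_SHELL"; chmod 444 "$DEMO_SHELL"           # step 7: empty, read-only
printf '%s\n' /bin/csh /bin/sh "$DEMO_SHELL" > "$DEMO_SHELLS"   # step 8
GOOD_ENTRY="guest:x:1001:200:ftp-only guest:/home/guest/./:$DEMO_SHELL"
BAD_ENTRY="guest2:x:1002:200:no chroot marker:/home/guest2:$DEMO_SHELL"

check_ftponly_entry "$GOOD_ENTRY" "$DEMO_SHELLS" "$DEMO_SHELL"
check_ftponly_entry "$BAD_ENTRY" "$DEMO_SHELLS" "$DEMO_SHELL" || echo "guest2 rejected"
```

Run it against a real /etc/passwd with `while IFS= read -r l; do check_ftponly_entry "$l" /etc/shells /bin/ftponly; done < /etc/passwd` to audit every account that is supposed to be ftp-only.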

Marcus Filipsson

========================================================
Marcus Filipsson
Research Engineer
Email: marcus.filipsson@ling.lu.se
WWW: http://www.ling.lu.se/documents/persons/Marcus.html
Tel: +46-(0)46-108449
Fax: +46-(0)46-104210
Lund University, Dept. of Linguistics
Helgonabacken 12, S-223 62 Lund, SWEDEN
========================================================



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:10:26 CDT