Howdy

In a bit of a bind. I'm setting up VSFTPD on rh 9 and I want to add users so they can access the ftp but not login to the shell.

So I've setup a user account, added it to the ftp group, set the login shell to bash/false.

All good, they can't login to the shell. But they can't login to the ftp either.

If I switch the login shell back to bin/bash they can login to the ftp server. But then they can also login with shell so I'm kinda stuffed.

What am I missing?

Thanks

A newbie reply, of course it will show.

Sorry, this information is not what you want, but thought it might lead to something useful.

I think the login must be granted. But you can put a startup file to log them out (echo "exit" >> $HOME/.bashrc) , or try not granting /bin/bash as the startup shell (a startup shell is not needed except when the users is in a telnet, rsh, or local login, ftp doesn't need a shell prompt like bash)

I've found the opposite of what you wanted (a way to deny users ftp access). A list of users who may not login through the ftp command is contained in /etc/ftpusers (search documentation for ftpusers)

I found one idea on the internet, where the list of users in /etc/passwd (field 1 or username field whereever that is, assumed fields are seperated by colons)

cut -d: -f1 /etc/passwd > /tmp/users.txt && grep -v 'GOODUSER' < /tmp/users.txt > /etc/ftpusers && rm /tmp/users.txt

# All users will be placed into /etc/ftpusers, except the user allowed to login via ftp.
# The effect is to have all users denied ftp login except the user you specify as
# GOODUSER
# the implementation was in a shell script running in a crontab every day, to
# automatically update the /etc/ftpusers, in case additions are made.

Here's what it looks like:

root@localhost etc]# cut -d: -f1 /etc/passwd > /tmp/users.txt && grep -v 'GGD' < /tmp/users.txt > /etc/ftpusers && rm -f /tmp/users.txt
[root@localhost etc]# ftp localhost
ftp: connect: Connection refused
ftp>

and removing root from the list of users in /etc/ftpusers , allows root to login.

ehehe

oook not quite what I was looking for but anyway

I got it all sorted anyway. So from one newb to another:

Create a file called '/bin/nologin' and chmod to 755. In it add:
#!/bin/bash
echo You don't have shell access here
echo This session will end in 15 seconds
echo Goodbye
sleep 15

Add it to /etc/shells

Change the user's shell to it. When they try and shell they will get that message before being disconnected but they will still be able to FTP.

All good.

Hey! nice and elegant solution (you could also deny SSH and Telnet access altogether, but probably that's not what you wanted).