LinuxQuestions.org


xudonw1 04-05-2007 08:45 AM

My Life doomed just coz VSFTPD ---Help
 
I am trying to set up vsftpd on a Debian machine.
Obviously I do not want those FTP users to be able to get a shell on my machine, therefore I create those FTP accounts with

useradd -m -c "xxxxx" -d /home/xxxxx -s /bin/false xxxxx

However, those accounts never work, and the vsftpd log only shows me this:
Thu Apr 5 11:38:32 2007 [pid 13296] [ftpuser] FAIL LOGIN: Client "172.16.201.21


Once I use usermod to enable shell access on those accounts, it works.

Such .$%£$%$£%$£...... Maybe I am stupid!!

I do need some help.

Micro420 04-05-2007 11:24 AM

Did you configure your vsftpd.conf?

xudonw1 04-06-2007 06:58 AM

Yes, of course.

Please see my vsftpd.conf below:

# daemon started from an initscript.
listen=YES
#
# Run standalone with IPv6?
#listen_ipv6=YES
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=no
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to NanoFTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may restrict local users to their home directories. See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
chroot_local_user=YES
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
ls_recurse_enable=YES
#
#
# Debian customization
#
# Some of vsftpd's settings don't fit the Debian filesystem layout by
# default. These settings are more Debian-friendly.
#
# This option should be the name of a directory which is empty. Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd
#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/certs/vsftpd.pem

Micro420 04-06-2007 11:40 AM

Well like you said, once you enable shell access, then FTP works for the specific user. This is because it is set up so when a user authenticates him or herself, it goes to their /home/username. So it looks like you cannot use the -s /bin/false.

xudonw1 04-07-2007 05:47 AM

Hi there

I just want those FTP users to actually be jailed in their home directory, while not being allowed to access my box through a shell with their FTP login details.


Thank you

xudonw1 04-17-2007 09:28 AM

Just found the answer by myself.... I forgot to put /bin/false in /etc/shells.
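
Added example, not part of the original thread: vsftpd hands local logins to the PAM service named in pam_service_name, and a PAM stack that contains pam_shells refuses any account whose shell is not a line in /etc/shells, which is consistent with the fix in the last post. That the vsftpd stack on this machine includes pam_shells is an assumption (the thread does not show /etc/pam.d/vsftpd); the function name, the demo and its sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts that a pam_shells check would reject,
# i.e. accounts whose login shell is not a line in the shells file.

# unlisted_shell_users [passwd_file] [shells_file]
# Prints "user:shell" for every account whose shell is not listed.
unlisted_shell_users() {
    passwd_file=${1:-/etc/passwd}
    shells_file=${2:-/etc/shells}
    awk -F: '
        FILENAME == ARGV[1] {          # shells file: one path per line
            sub(/[ \t\r]+$/, "")       # tolerate trailing whitespace
            if ($0 != "" && $0 !~ /^#/) allowed[$0] = 1
            next
        }
        !($7 in allowed) { print $1 ":" $7 }   # passwd field 7 = shell
    ' "$shells_file" "$passwd_file"
}

# Constructed sample data (not taken from the poster's machine).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '# /etc/shells: valid login shells' /bin/sh /bin/bash \
        > "$dir/shells"
    printf '%s\n' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'ftpuser:x:1001:1001:xxxxx:/home/ftpuser:/bin/false' \
        > "$dir/passwd"
    echo "before adding /bin/false to shells:"
    unlisted_shell_users "$dir/passwd" "$dir/shells"
    echo /bin/false >> "$dir/shells"
    echo "after:"
    unlisted_shell_users "$dir/passwd" "$dir/shells"
    rm -rf "$dir"
}

demo
```

Run with no arguments against the real files, `unlisted_shell_users` also prints system accounts with non-login shells; only the FTP accounts that must authenticate need their shell listed.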

