LinuxQuestions.org
Linux - Server
Do FTP users must have a login shell? (https://www.linuxquestions.org/questions/linux-server-73/do-ftp-users-must-have-a-login-shell-599449/)

tanveer 11-13-2007 08:45 PM

Do FTP users must have a login shell?
 
Hi all,
Need your help again. Is it possible to create an ftp user without giving him a login shell? Because when I configure an ftp account without a shell he can't access the shared location. As soon as I change the shell to a valid shell then it works.
Thanks.

Wim Sturkenboom 11-13-2007 10:31 PM

I have the same experience. I don't know what the reason is, or why you're asking it.

If you want to prevent remote access by certain users, you can use ssh and disable telnet. With SSH, you can allow specific users access to the box.
If you want to prevent local access, I don't know a solution.

farslayer 11-13-2007 10:54 PM

If security is a concern, you should use sftp or at the very least chroot the ftp.

http://www.howtoforge.com/mysecuresh...tp_debian_etch
MySecureShell makes SFTP available for users that do not have shell access so that these users do not have to use the insecure FTP protocol anymore.


If you want NO system users, you can configure ftp hosting with MySQL virtual users for auth: http://www.howtoforge.com/proftpd_mysql_virtual_hosting

dustymugs 11-13-2007 11:33 PM

When I need to provide ftp access without any system accounts, I use pure-ftpd (google it) with virtual users enabled.

tajamari 11-14-2007 02:10 AM

Quote:

Originally Posted by tanveer (Post 2958127)
Hi all,
Need your help again. Is it possible to create an ftp user without giving him a login shell? Because when I configure an ftp account without a shell he can't access the shared location. As soon as I change the shell to a valid shell then it works.
Thanks.

What do you really want to do with your ftp users? Do you want them to access the box only via ftp?

You might consider this setup.

1. Disable telnet
2. Enable ssh for specific users and groups only.
3. Jail ftp users to their home directory only.

Even if they have a login shell, they can only access the box via ftp.

jschiwal 11-14-2007 02:30 AM

What happens if you change the default shell to "/bin/false"?

What happens if you create the user account without a home directory and disable the account? Does this prevent logins but allow ftp access?

It may be more secure however if local users do have a home directory and you opt to have them chrooted there.

jschiwal 11-14-2007 03:11 AM

Update:
I assume that your main concern is not allowing regular logins for ftp users with accounts (non-anonymous).

I configured vsftp on my laptop. I already had added a user "testuser". I changed the home directory entry to /srv/ftp/users. I created this directory with "a=rwxt" permissions.
Then I modified this account disabling it (the password entry starts with an exclamation point in /etc/shadow). FTP logins are not allowed then.

Next I enabled the account but changed the default shell entry to /bin/false. FTP logins are possible for "testuser". If testuser tries to log in, it will log out right away.

tanveer 11-14-2007 10:09 AM

Thanks all for answering.
You are right, jschiwal. Why should I give an ftp user a login shell when his only concern is to download/upload files? I'm also using vsftpd and changed the directory of the ftp user to /usr/local/apache2/htdocs so that he can upload/download files for the web project. I also set up a chroot jail for the user.
Now when I create this user with a bogus shell, ftp doesn't work. Even if I create the user with a valid shell and then change the shell entry in /etc/passwd to a bogus one, ftp doesn't work.
Should I give the directory permission a=rwxt and change the shell in /etc/passwd?

RaelOM 11-14-2007 01:00 PM

Quote:

Originally Posted by tanveer (Post 2958715)
Thanks all for answering.
You are right, jschiwal. Why should I give an ftp user a login shell when his only concern is to download/upload files? I'm also using vsftpd and changed the directory of the ftp user to /usr/local/apache2/htdocs so that he can upload/download files for the web project. I also set up a chroot jail for the user.
Now when I create this user with a bogus shell, ftp doesn't work. Even if I create the user with a valid shell and then change the shell entry in /etc/passwd to a bogus one, ftp doesn't work.
Should I give the directory permission a=rwxt and change the shell in /etc/passwd?


Set the ftp shell to /bin/passwd (wherever your passwd binary exists) and place that in /etc/shells.

That should allow them to telnet to the host to CHANGE the password if they need to, while denying them an interactive login shell. This will still allow ftp access, and you may need to disable root jailing or add the ftp user to the chroot user config.

jschiwal 11-14-2007 07:26 PM

I used /bin/false for the default shell, and tested it. It worked for me. Try using "sudo /usr/sbin/usermod -s /bin/false <username>" and run your test again. Make sure that the account is enabled: "sudo /usr/sbin/usermod -U <username>". About the permissions, the users need to have write access to the partition. You could use group membership instead to control access. This could prevent a local regular user from accessing files on /usr/local/apache2/htdocs. This part is a regular permissions issue. You can also use acls to control access. The commands "setfacl" and "getfacl" can be used for this. The filesystem needs to be a native linux type to allow this. The sticky bit prevents one user from deleting the files created by another user. Maybe that isn't what you want. It is how the /tmp directory is set up.

Two things that can cause a problem are your selinux or apparmor configuration. If you are using RHEL or FC that is something to check.
Also check /etc/hosts.deny and /etc/hosts.allow and see if vsftp is one of the controlled services. Since PAM is used for authentication, that could be involved as well, however if regular authentication seems to work, I doubt if PAM or /etc/hosts.{allow,deny} would be the cause.

jschiwal 11-14-2007 07:47 PM

Quote:

Originally Posted by RaelOM (Post 2958855)
Set the ftp shell to /bin/passwd (wherever your passwd binary exists) and place that in /etc/shells.

That should allow them to telnet to the host to CHANGE the password if they need to, while denying them an interactive login shell. This will still allow ftp access, and you may need to disable root jailing or add the ftp user to the chroot user config.

I hadn't thought about /bin/passwd. I haven't tested it but the "telnet" part is a terrible idea. Maybe you meant to say ssh. Make an association in your mind: telnet server <-> evil.

---

Update: I did change the default shell for "testuser" to /usr/bin/passwd and accessed my laptop via ssh. It worked. I was able to change the password. After the change, the user is logged off.
Code:

    sudo /usr/sbin/usermod -s /usr/bin/passwd testuser

You will want to add the users to "AllowUsers" in /etc/ssh/sshd_config or use "AllowGroups" instead to control ssh access.
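An added example, not code from the thread: a POSIX shell check that applies jschiwal's two tests (the account must not be locked in the shadow file) and RaelOM's point (the shell must be listed in /etc/shells, which the pam_shells module in vsftpd's PAM stack commonly enforces) to constructed copies of /etc/passwd, /etc/shadow and /etc/shells. The user names, hashes and paths in the sample files are constructed; the check_ftp_user function is the author's own helper, not a vsftpd tool.

```shell
#!/bin/sh
# Added example, not the thread's own code: audit whether an FTP-only account
# will be accepted by vsftpd, using the two checks discussed in the thread.
# All files are parameters so the check runs on constructed copies, not /etc.

# check_ftp_user NAME PASSWD_FILE SHADOW_FILE SHELLS_FILE
# Returns 0 when ftp logins should work, 1 (with the reason) otherwise.
check_ftp_user() {
    name=$1; pwfile=$2; shfile=$3; shellsfile=$4
    shell=$(awk -F: -v u="$name" '$1==u {print $7}' "$pwfile")
    [ -n "$shell" ] || { echo "$name: no passwd entry"; return 1; }
    # jschiwal's test: a '!' (or '*') at the start of the shadow hash field
    # means the account is locked, and ftp logins fail regardless of shell.
    pwfield=$(awk -F: -v u="$name" '$1==u {print $2}' "$shfile")
    case $pwfield in
        '!'*|'*'*) echo "$name: account locked in shadow file (usermod -U to enable)"; return 1 ;;
    esac
    # RaelOM's point: the shell must be listed in /etc/shells, because the
    # pam_shells module in vsftpd's PAM stack rejects unlisted shells.
    if ! grep -qxF -- "$shell" "$shellsfile"; then
        echo "$name: shell $shell is not in $shellsfile (pam_shells rejects it)"; return 1
    fi
    case $shell in
        /bin/false|/sbin/nologin|/usr/sbin/nologin|/bin/passwd|/usr/bin/passwd)
            echo "$name: ok, non-interactive shell $shell is listed" ;;
        *)  echo "$name: ok for ftp, but $shell is an interactive shell; consider /sbin/nologin" ;;
    esac
    return 0
}

# Constructed sample files (hash fields are placeholders, not real hashes).
demo=$(mktemp -d)
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
webftp:x:1001:1001::/usr/local/apache2/htdocs:/sbin/nologin
bogus:x:1002:1002::/srv/ftp/users:/bin/bogus
locked:x:1003:1003::/srv/ftp/users:/bin/false
EOF
cat > "$demo/shadow" <<'EOF'
root:$6$CONSTRUCTED:17483:0:99999:7:::
webftp:$6$CONSTRUCTED:17483:0:99999:7:::
bogus:$6$CONSTRUCTED:17483:0:99999:7:::
locked:!$6$CONSTRUCTED:17483:0:99999:7:::
EOF
printf '%s\n' /bin/sh /bin/bash /bin/false /sbin/nologin /usr/bin/passwd > "$demo/shells"

for u in webftp bogus locked root; do
    check_ftp_user "$u" "$demo/passwd" "$demo/shadow" "$demo/shells"
done
```

On a real host, point the four parameters at /etc/passwd, /etc/shadow and /etc/shells (reading shadow needs root) to see which of the two conditions a failing ftp account trips.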

Wim Sturkenboom 11-14-2007 09:15 PM

Wow, clever.

javaroast 11-14-2007 09:38 PM

For ftp users you can use nologin as the shell, usually /sbin/nologin. For sftp or scp I've used the rssh shell with good results:

http://codeprodigytech.com/rssh/
