LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 11-13-2007, 08:45 PM   #1
tanveer
Member
 
Registered: Feb 2004
Location: e@rth
Distribution: RHEL-3/4/5,Gloria,opensolaris
Posts: 525

Rep: Reputation: 37
Do FTP users must have a login shell?


Hi all,
Need your help again. Is it possible to create an ftp user without giving him a login shell? Because when I configure a ftp account without shell he cant access the shared location. As soon as I change the shell to a valid shell then it works.
Thanks.
 
Old 11-13-2007, 10:31 PM   #2
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Rep: Reputation: 282Reputation: 282Reputation: 282
I have the same experience. I don't know what the reason is why you're asking it.

If you want to prevent remote access by certain users, you can use ssh and disable telnet. With SSH, you can allow specific users access to the box.
If you want to prevent local access, I don't know a solution.
 
Old 11-13-2007, 10:54 PM   #3
farslayer
LQ Guru
 
Registered: Oct 2005
Location: Northeast Ohio
Distribution: linuxdebian
Posts: 7,247
Blog Entries: 5

Rep: Reputation: 191Reputation: 191
if security is a concern, you should use sftp or at the very least chroot the ftp..

http://www.howtoforge.com/mysecuresh...tp_debian_etch
MySecureShell makes SFTP available for users that do not have shell access so that these users do not have to use the insecure FTP protocol anymore.


if you want NO system users you can configure ftp hosting with mysql virtual users for auth http://www.howtoforge.com/proftpd_mysql_virtual_hosting
 
Old 11-13-2007, 11:33 PM   #4
dustymugs
LQ Newbie
 
Registered: Dec 2005
Distribution: slackware, lfs
Posts: 13

Rep: Reputation: 0
When I need to provide ftp access without any system accounts, I use pure-ftpd (google it) with virtual users enabled.
 
Old 11-14-2007, 02:10 AM   #5
tajamari
Member
 
Registered: Jul 2007
Distribution: Red Hat CentOS Ubuntu FreeBSD OpenSuSe
Posts: 252

Rep: Reputation: 32
Quote:
Originally Posted by tanveer View Post
Hi all,
Need your help again. Is it possible to create an ftp user without giving him a login shell? Because when I configure a ftp account without shell he cant access the shared location. As soon as I change the shell to a valid shell then it works.
Thanks.
What do you really want to do with your ftp users? Do you want them to access only the box using ftp?

You might consider this setup.

1. Disable telnet
2. Enable ssh to specific users only and group only.
3. Jail ftp users to their home directory only.

Even they have a login shell, they can access only the box via ftp.
 
Old 11-14-2007, 02:30 AM   #6
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 678Reputation: 678Reputation: 678Reputation: 678Reputation: 678Reputation: 678
What happens if you change the default shell to "/bin/false"?

What happens if you create the user account without a home directory, and disable the account. Does this prevent logins but allow ftp access?

It may be more secure however if local users do have a home directory and you opt to have them chrooted there.

Last edited by jschiwal; 11-14-2007 at 02:47 AM.
 
Old 11-14-2007, 03:11 AM   #7
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 678Reputation: 678Reputation: 678Reputation: 678Reputation: 678Reputation: 678
Update:
I assume that your main concern is not allowing regular logins for ftp users with accounts (non-anonymous).

I configured vsftp on my laptop. I already had added a user "testuser". I changed the home directory entry to /srv/ftp/users. I created this directory with "a=rwxt" permissions.
Then I modified this account disabling it (the password entry starts with an exclamation point in /etc/shadow). FTP logins are not allowed then.

Next I enabled the account but changed the default shell entry to /bin/false. FTP logins are possible for "testuser". If testuser tries to log in, it will log out right away.
 
Old 11-14-2007, 10:09 AM   #8
tanveer
Member
 
Registered: Feb 2004
Location: e@rth
Distribution: RHEL-3/4/5,Gloria,opensolaris
Posts: 525

Original Poster
Rep: Reputation: 37
Thanks all for answering.
You are right jschiwal, Why should I give a ftp user login shell where his only concern is to download/upload file. I m also using vsftpd and changed the directory of the ftp user to /usr/local/apache2/htdocs so that he can upload/download files for the web project. I also setup chroot jail for the user.
Now when I create this user with a bogus shell ftp doesn't work. Even if after creating the user with valid shell then if I change the shell entry in /etc/passwd to a bogus one then ftp doesn't work.
should I give the directory permission to a=rwxt and change the shell in /etc/passwd ?

Last edited by tanveer; 11-14-2007 at 10:10 AM.
 
Old 11-14-2007, 01:00 PM   #9
RaelOM
Member
 
Registered: Dec 2004
Posts: 110

Rep: Reputation: 16
Quote:
Originally Posted by tanveer View Post
Thanks all for answering.
You are right jschiwal, Why should I give a ftp user login shell where his only concern is to download/upload file. I m also using vsftpd and changed the directory of the ftp user to /usr/local/apache2/htdocs so that he can upload/download files for the web project. I also setup chroot jail for the user.
Now when I create this user with a bogus shell ftp doesn't work. Even if after creating the user with valid shell then if I change the shell entry in /etc/passwd to a bogus one then ftp doesn't work.
should I give the directory permission to a=rwxt and change the shell in /etc/passwd ?

Set ftp shell to /bin/passwd (Whatever your passwd binary exists) and place that in /etc/shells.

That should allow them to telnet to the host to CHANGE the password if they need to while preventing them an interactive login shell. This will still allow ftp access, and you may need to disable root jailing or add the ftp user to the chroot user config.
 
Old 11-14-2007, 07:26 PM   #10
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 678Reputation: 678Reputation: 678Reputation: 678Reputation: 678Reputation: 678
I used /bin/false for the default shell, and tested it. It worked for me. Try using "sudo /usr/sbin/usermod -s /bin/false <username>" and run your test again. Make sure that the account is enabled: "sudo /usr/sbin/usermod -U <username>". About the permissions, the users need to have write access to the partition. You could use group membership instead to control access. This could prevent a local regular user from accessing files on /usr/local/apache2/htdocs. This part is a regular permissions issue. You can also use acls to control access. The commands "setfacl" and "getfacl" can be used for this. The filesystem needs to be a native linux type to allow this. The sticky bit prevents one user from deleting the files created by another user. Maybe that isn't what you want. It is how the /tmp directory is set up.

Two things that can cause a problem are your selinux or apparmor configuration. If you are using RHEL or FC that is something to check.
Also check /etc/hosts.deny and /etc/hosts.allow and see if vsftp is one of the controlled services. Since PAM is used for authentication, that could be involved as well, however if regular authentication seems to work, I doubt if PAM or /etc/hosts.{allow,deny} would be the cause.

Last edited by jschiwal; 11-14-2007 at 07:34 PM.
 
Old 11-14-2007, 07:47 PM   #11
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 678Reputation: 678Reputation: 678Reputation: 678Reputation: 678Reputation: 678
Quote:
Originally Posted by RaelOM View Post
Set ftp shell to /bin/passwd (Whatever your passwd binary exists) and place that in /etc/shells.

That should allow them to telnet to the host to CHANGE the password if they need to while preventing them an interactive login shell. This will still allow ftp access, and you may need to disable root jailing or add the ftp user to the chroot user config.
I hadn't thought about /bin/passwd. I haven't tested it but the "telnet" part is a terrible idea. Maybe you meant to say ssh. Make an association in your mind: telnet server <-> evil.

---

Update: I did change the default shell for "testuser" to /usr/bin/passwd and accessed my laptop via ssh. It worked. I was able to change the password. After the change, the user is logged off.
Code:
sudo /usr/sbin/usermod -s /usr/bin/passwd testuser
You will want to add the users to "AllowUsers" in /etc/ssh/sshd_config or use "AllowGroups" instead to control ssh access.

Last edited by jschiwal; 11-14-2007 at 07:50 PM.
 
Old 11-14-2007, 09:15 PM   #12
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Rep: Reputation: 282Reputation: 282Reputation: 282
Wow, clever.
 
Old 11-14-2007, 09:38 PM   #13
javaroast
Member
 
Registered: Apr 2005
Posts: 131

Rep: Reputation: 19
For ftp users you can use nologin as the shell usually /sbin/nologin. For sftp or scp I've used rssh shell with good results

http://codeprodigytech.com/rssh/
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
X11 auto login and disable users shell - tricky business drkstr Slackware 10 08-29-2006 01:54 PM
FTP Server Up and running... how do I hide ftp users from local login screen? joe1031 Mandriva 2 03-18-2005 04:24 PM
how to - ftp user with no login shell hnad Red Hat 3 04-13-2004 03:22 AM
Connection, login and upload files to ftp server via shell script Paulo Ges Linux - Networking 2 02-21-2004 01:01 PM
how can I restrict ftp users listing files from a pure-ftp server adrianmak Linux - Networking 2 12-31-2002 08:23 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 08:46 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration