From: Aaron D.Gifford
To: freebsd-security@freebsd.org
Subject: RE: ftp access
Date: Thu, 1 Mar 2001 10:01:44 -0700

I would caution folks against putting /sbin/nologin into /etc/shells in order to create FTP-only accounts. I would instead suggest you create a link to /sbin/nologin and call it something like /sbin/ftponly and put THAT shell in your /etc/shells file and use it as the shell for your FTP-only users.

Why? This gives you the ability to have FTP-only users yet retain the full functionality of /sbin/nologin on other accounts (i.e. a mail-only account) that you DON'T want to grant FTP access to.

Also, if you're running SSH on the FTP server and you do NOT want your FTP users to be able to do port forwarding (it can be dangerous to allow unless you trust your FTP users greatly and trust that their cleartext passwords won't traverse an untrusted network), you should probably disable it in your sshd_config file.

Aaron out.

--
www.aarongifford.com
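An added example, not part of the original message: a small sh audit that checks copies of /etc/shells, /etc/passwd and sshd_config against the layout the message recommends. The function names and sample accounts are constructed, and `AllowTcpForwarding` is the OpenSSH directive assumed here for "disable it in your sshd_config file".

```shell
#!/bin/sh
# Added example: audit copies of /etc/shells, /etc/passwd and sshd_config
# against the layout the message recommends. Prints one finding per line.
audit_ftponly() {
    shells=$1; passwd=$2; sshd=$3
    # If /sbin/nologin is a listed shell, accounts meant to be locked out
    # (e.g. mail-only) cannot be told apart from FTP-only ones.
    if grep -qx '/sbin/nologin' "$shells"; then
        awk -F: '$7 == "/sbin/nologin" { print "passwd: " $1 " uses /sbin/nologin, a listed shell" }' "$passwd"
    fi
    grep -qx '/sbin/ftponly' "$shells" || echo "shells: /sbin/ftponly is not listed"
    # Global setting only: stop at the first Match block; sshd defaults to yes.
    fwd=$(awk 'tolower($1) == "match" { exit }
               tolower($1) == "allowtcpforwarding" { print tolower($2); exit }' "$sshd")
    [ "$fwd" = "no" ] || echo "sshd: AllowTcpForwarding is ${fwd:-unset (default yes)}"
}

# Constructed sample files: "before" lists nologin as a shell,
# "after" follows the advice in the message.
write_samples() {
    d=$1
    printf '%s\n' /bin/sh /bin/csh /sbin/nologin > "$d/shells.before"
    printf '%s\n' /bin/sh /bin/csh /sbin/ftponly > "$d/shells.after"
    cat > "$d/passwd.before" <<'EOF'
alice:*:1001:1001:Alice:/home/alice:/bin/sh
webftp:*:1002:1002:FTP only:/home/webftp:/sbin/nologin
mailonly:*:1003:1003:Mail only:/nonexistent:/sbin/nologin
EOF
    # Only the FTP-only account moves to the linked shell.
    sed '/^webftp:/s|/sbin/nologin$|/sbin/ftponly|' "$d/passwd.before" > "$d/passwd.after"
    printf '%s\n' 'Port 22' '#AllowTcpForwarding yes' > "$d/sshd.before"
    printf '%s\n' 'Port 22' 'AllowTcpForwarding no' > "$d/sshd.after"
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "before:"; audit_ftponly "$tmp/shells.before" "$tmp/passwd.before" "$tmp/sshd.before"
echo "after:";  audit_ftponly "$tmp/shells.after" "$tmp/passwd.after" "$tmp/sshd.after"
rm -rf "$tmp"
```

On a live host, pass the real file paths to `audit_ftponly`; no output means the three checks passed.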