From owner-freebsd-security Tue Feb 27 22:21:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nisser.com (c0039.upc-c.chello.nl [212.187.0.39]) by hub.freebsd.org (Postfix) with ESMTP id E480337B719 for ; Tue, 27 Feb 2001 22:21:10 -0800 (PST) (envelope-from roelof@eboa.com)
Received: from eboa.com (roelof [10.0.0.2]) by nisser.com (8.9.3/8.9.2) with ESMTP id HAA32615; Wed, 28 Feb 2001 07:21:05 +0100 (CET) (envelope-from roelof@eboa.com)
Message-ID: <3A9C98D1.C6919F6@eboa.com>
Date: Wed, 28 Feb 2001 07:21:05 +0100
From: Roelof Osinga
Organization: eBOA - Programming the Web
X-Mailer: Mozilla 4.72 [en] (Windows NT 5.0; U)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: Carroll Kong
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ftp access
References: <4.2.2.20010228002521.00c58340@netmail.home.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Carroll Kong wrote:
> 
> > ...
> >Not on 4.2 anyway. Just today - ok, technically yesterday, but who's
> >counting? - I realized that the client was right after all. He could
> >not log in indeed. Due to /sbin/nologin.
> >
> >When using regular ftpd. Using ProFTPd no problem.
> >
> >Ah, as a matter of fact, I was using inetd. Haven't tried
> >daemon mode with 4.2 yet. Who knows? There might be hope, still.
> 
> That is odd. The reason why ftpd does not work is because........ man ftpd
> shows
> 
>      4.   The user must have a standard shell returned by
>           getusershell(3).
> 
> So, man getusershell shows
> 
>      The getusershell() function returns a pointer to a legal user shell as
>      defined by the system manager in the file /etc/shells. If /etc/shells is
>      unreadable or does not exist, getusershell() behaves as if /bin/sh and
>      /bin/csh were listed in the file.
> 
> This is very odd, unless I am forgetting something I did, I JUST
> did this with a client two days ago on 4.2-STABLE. Telnet results in "not
> authorized" or something like that, and ftpd lets them in happily. Same
> user name and all. Please look it over, I am outright positive it
> works! (ok, maybe 99.99999% sure). What is the error message? User
> denied? Check man ftpd for that list of "reasons why ftpd would tell your
> user to go away".

You tellin' me. Here:

  nl:~/bin# tail -n 1 /etc/passwd
  tunicum:*:2002:2002:BWH Ontwerpers:/home/intraction/tunicum:/usr/local/bin/bash

Works. Yet:

  nl:~/bin# tail -n 1 /etc/passwd
  tunicum:*:2002:2002:BWH Ontwerpers:/home/intraction/tunicum:/sbin/nologin

Does not. As to error msgs. Well...:

  nisser:/home/www/Slak$ ftp tunicum.nl
  Connected to tunicum.nl.
  220 nl.nisser.com FTP server (Version 6.00LS) ready.
  Name (tunicum.nl:roelof): tunicum
  530 User tunicum access denied.
  ftp: Login failed.
  Remote system type is UNIX.
  Using binary mode to transfer files.
  ftp> bye
  221 Goodbye.
  nisser:/home/www/Slak$

The 530 should be indicative enough. But for the non-believers I could
be convinced to draw a diagram ;). Present company excepted, of course.
Not that I would not be willing to draw a diagram for you, mind; just
that I think/hope it would not be needed!

But, for the record, back to step 1:

  nisser:/home/www/Slak$ ftp tunicum.nl
  Connected to tunicum.nl.
  220 nl.nisser.com FTP server (Version 6.00LS) ready.
  Name (tunicum.nl:roelof): tunicum
  331 Password required for tunicum.
  Password:
  230 User tunicum logged in, access restrictions apply.
  Remote system type is UNIX.
  Using binary mode to transfer files.
  ftp> dir
  200 PORT command successful.
  150 Opening ASCII mode data connection for '/bin/ls'.
  total 14
  -rw-------  1 2002  2002  371 Feb 28 00:21 .bash_history
  -rw-r--r--  1 2002  2002  100 Feb 26 20:58 .bash_profile
  -rw-r--r--  1 2002  2002  628 Feb 26 20:58 .cshrc
  -rw-r--r--  1 2002  2002  299 Feb 26 20:58 .login
  -rw-r--r--  1 2002  2002  160 Feb 26 20:58 .login_conf
  -rw-------  1 2002  2002  371 Feb 26 20:58 .mail_aliases
  -rw-r--r--  1 2002  2002  331 Feb 26 20:58 .mailrc
  drwxr-xr-x  2 2002  2002  512 Feb 26 20:58 .mutt
  -rw-r--r--  1 2002  2002  722 Feb 26 20:58 .profile
  -rw-------  1 2002  2002  276 Feb 26 20:58 .rhosts
  -rw-r--r--  1 2002  2002  852 Feb 26 20:58 .shrc
  drwx------  4 2002  2002  512 Feb 26 20:58 Mail
  drwxr-xr-x  2 2002  2002  512 Feb 26 20:58 vmail
  drwxr-xr-x  4 2002  2002  512 Feb 28 00:12 www
  226 Transfer complete.
  ftp> bye
  221 Goodbye.
  nisser:/home/www/Slak$

As you can see, a lot more ASCII than before. But don't let me interrupt
you. You were saying "maybe 99.99999% sure"... . Ok, so how about that
0.00001% you were not sure about? ;)

I agree, this isn't supposed to happen. But that's the story of my life.
Yet I *am* alive! So, there you go.

Roelof

PS this is also a boon I would like to ask of the powers that be. I.e.
to do 'as if' the "tunicum.nl" 'is it'. I.e. not to give the reverse DNS
but just accept on face value. Marks love that kind of thing ;). To put a
fine point on it:

  Connected to tunicum.nl.
  220 nl.nisser.com

ought to read:

  220 tunicum.nl (yada, yada)

Given the right startup parameters, naturally. Just to appease finely
honed sensitivities.

PPS in case that it matters... I'm using :ftpchrooted: or some sort of
thing in login.conf for these classes.

-- 
It's a dog's world @ http://cairni.com/
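An added example, not part of the thread: a small Python model of the ftpd(8) rule Carroll quotes (the login shell must be one that getusershell(3) returns, with /bin/sh and /bin/csh as the fallback when /etc/shells is unusable), run against constructed /etc/shells content and the two passwd lines Roelof posted. Treating an empty shell field as /bin/sh is an assumption taken from ftpd's behaviour, not something stated in the thread.

```python
# Model of the ftpd(8) login-shell check discussed above (added example).
# The /etc/shells text and passwd lines below are constructed sample data.

FALLBACK_SHELLS = ("/bin/sh", "/bin/csh")  # getusershell(3) default list


def parse_shells(shells_text):
    """Parse /etc/shells text; None means the file is unreadable or absent."""
    if shells_text is None:
        return None
    shells = []
    for line in shells_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):  # blank lines and comments are ignored
            shells.append(line)
    return shells


def allowed_shells(shells_text):
    """Shells getusershell(3) would return, including its fallback behaviour."""
    shells = parse_shells(shells_text)
    return list(FALLBACK_SHELLS) if shells is None else shells


def login_shell(passwd_line):
    """Return the shell field of a passwd(5) line; empty shell is taken as /bin/sh (assumed)."""
    fields = passwd_line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("not a passwd(5) line: %r" % passwd_line)
    return fields[6] or "/bin/sh"


def ftpd_shell_check(passwd_line, shells_text):
    """Decide whether ftpd lets the user past step 4 and give the matching reply."""
    user = passwd_line.split(":", 1)[0]
    if login_shell(passwd_line) in allowed_shells(shells_text):
        return True, "331 Password required for %s." % user
    return False, "530 User %s access denied." % user


ETC_SHELLS = """\
# /etc/shells: list of acceptable login shells (constructed sample)
/bin/sh
/bin/csh
/usr/local/bin/bash
"""
PASSWD_BASH = "tunicum:*:2002:2002:BWH Ontwerpers:/home/intraction/tunicum:/usr/local/bin/bash"
PASSWD_NOLOGIN = "tunicum:*:2002:2002:BWH Ontwerpers:/home/intraction/tunicum:/sbin/nologin"

if __name__ == "__main__":
    for line in (PASSWD_BASH, PASSWD_NOLOGIN):
        print(ftpd_shell_check(line, ETC_SHELLS)[1])
    print(ftpd_shell_check(PASSWD_BASH, None)[1])  # bash is not in the fallback list
```

The third call shows the less obvious case: with /etc/shells missing, even the bash user gets the 530, because only /bin/sh and /bin/csh are implied.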