Date: Wed, 31 Jul 2002 08:29:30 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Phil Gates <p_gates@fuse.net>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ftp only login
Message-ID: <20020731072930.GA36763@happy-idiot-talk.infracaninophi>
In-Reply-To: <002801c2380d$14408c20$5d7e880a@zoomtown.com>
References: <002801c2380d$14408c20$5d7e880a@zoomtown.com>

On Tue, Jul 30, 2002 at 05:07:14PM -0400, Phil Gates wrote:

> I need to allow a user to login to ftp but not login in an other
> way. Does anybody know how I can do this. I was told to change the
> shell to some file such as /dev/null so the user would have no shell
> to login to. I changed the /etc/passwd file to do this. When I try
> to login I was still able to login. Do I need to change any other
> files?

You're on the right track, but not all the way there. You need to do
two things:

    i) Don't edit /etc/passwd --- edit /etc/master.passwd

       When you're done editing, be sure to rebuild the pwd.db
       password database files:

           pwd_mkdb -p /etc/master.passwd

       The /etc/passwd file is generated from the /etc/master.passwd
       file by that command. If you use vipw(1) to edit the password
       data the pwd_mkdb stuff is all done for you automatically.

   ii) In order to access the ftpd(8) service on your machine, the man
       page says:

           4. The user must have a standard shell returned by
              getusershell(3).

       Which means that the shell you give to the user must be added
       to the /etc/shells file.

There is a very handy command /sbin/nologin (see nologin(8)) which
politely tells the user to "go away", and is designed for this very
purpose. However, it's used for all sorts of system accounts in
/etc/passwd already and adding it to /etc/shells is probably asking
for trouble. So you need to do something like the following:

    cp /sbin/nologin /usr/local/sbin/nologin
    echo /usr/local/sbin/nologin >> /etc/shells
    vipw

> Or is there a different way to keep a user from only login in as a
> ftp client?

To *prevent* a user from using the ftpd service on a machine, simply
add their username to the /etc/ftpusers file.

The other important trick available with FreeBSD's ftpd is to add the
username to the /etc/ftpchroot file, or to set the ftp-chroot
capability in /etc/login.conf for the user's login class. In this
case, the user will be chroot(2)-ed to their home directory when they
use ftp. ftpd(8) has the details.

    Cheers,

    Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
Tel: +44 1628 476614                                  Marlow
Fax: +44 0870 0522645                                 Bucks., SL7 1TH UK

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
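
The checks described in the message above (shell listed in /etc/shells, username absent from /etc/ftpusers, a nologin copy as the login shell), written as an audit script. This is an added example, not part of the original e-mail. The function names, the constructed sample accounts and the rule that a shell path ending in /nologin means no interactive login are assumptions; /etc/ftpchroot and login classes are not examined.

```sh
#!/bin/sh
# Usage: ftp_audit MASTER_PASSWD SHELLS FTPUSERS
# Prints one line per account: "<user> ftp=yes|no login=yes|no"
ftp_audit() {
    awk -F: -v shells="$2" -v deny="$3" '
        BEGIN {
            # Shells that getusershell(3) would return, and denied users.
            while ((getline l < shells) > 0) if (l != "" && l !~ /^#/) ok[l] = 1
            while ((getline l < deny) > 0)   if (l != "" && l !~ /^#/) no[l] = 1
        }
        /^#/ || NF < 10 { next }      # master.passwd entries have 10 fields
        {
            shell = ($10 == "") ? "/bin/sh" : $10   # passwd(5) default shell
            # ftpd accepts the user only if the shell is listed and the
            # name is not in the deny file.
            ftp   = ((shell in ok) && !($1 in no)) ? "yes" : "no"
            # Assumption: a shell named "nologin" means no interactive login.
            login = (shell ~ /\/nologin$/) ? "no" : "yes"
            printf "%s ftp=%s login=%s\n", $1, ftp, login
        }' "$1"
}

# Constructed sample files (not real accounts), written into directory $1.
write_sample() {
    cat > "$1/master.passwd" <<'EOF'
alice:*:1001:1001::0:0:FTP only:/home/alice:/usr/local/sbin/nologin
bob:*:1002:1002::0:0:Shell user:/home/bob:/bin/sh
carol:*:1003:1003::0:0:No FTP:/home/carol:/bin/sh
svc:*:999:999::0:0:System account:/nonexistent:/sbin/nologin
EOF
    # /usr/local/sbin/nologin is listed; /sbin/nologin deliberately is not.
    printf '%s\n' /bin/sh /bin/csh /usr/local/sbin/nologin > "$1/shells"
    printf '%s\n' root carol > "$1/ftpusers"
}

demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/ftpaudit.XXXXXX")
write_sample "$demo_dir"
ftp_audit "$demo_dir/master.passwd" "$demo_dir/shells" "$demo_dir/ftpusers"
rm -rf "$demo_dir"
```

On a real system, point the function at /etc/master.passwd, /etc/shells and /etc/ftpusers (reading master.passwd requires root). Any system account that shows ftp=yes is the problem the message warns about when /sbin/nologin itself is added to /etc/shells.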