Date:      Wed, 31 Jul 2002 08:29:30 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Phil Gates <p_gates@fuse.net>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: ftp only login
Message-ID:  <20020731072930.GA36763@happy-idiot-talk.infracaninophi>
In-Reply-To: <002801c2380d$14408c20$5d7e880a@zoomtown.com>
References:  <002801c2380d$14408c20$5d7e880a@zoomtown.com>

On Tue, Jul 30, 2002 at 05:07:14PM -0400, Phil Gates wrote:

> I need to allow a user to login to ftp but not login in another
> way.  Does anybody know how I can do this?  I was told to change the
> shell to some file such as /dev/null so the user would have no shell
> to login to.  I changed the /etc/passwd file to do this.  When I try
> to login I was still able to login.  Do I need to change any other
> files?

You're on the right track, but not all the way there.  You need to do
two things:

   i) Don't edit /etc/passwd --- edit /etc/master.passwd.  When you're
      done editing, be sure to rebuild the pwd.db password database
      files:

       pwd_mkdb -p /etc/master.passwd 

      The /etc/passwd file is generated from the /etc/master.passwd
      file by that command. If you use vipw(1) to edit the password
      data the pwd_mkdb stuff is all done for you automatically.

  ii) In order to access the ftpd(8) service on your machine, the man
      page says:

           4.   The user must have a standard shell returned by
                getusershell(3).

      Which means that the shell you give to the user must be added to
      the /etc/shells file.  There is a very handy command
      /sbin/nologin (see nologin(8)) which politely tells the user to
      "go away", and is designed for this very purpose.  However, it's
      used for all sorts of system accounts in /etc/passwd already and
      adding it to /etc/shells is probably asking for trouble.

      So you need to do something like the following:

        cp /sbin/nologin /usr/local/sbin/nologin
        echo /usr/local/sbin/nologin >> /etc/shells
        vipw

> Or is there a different way to keep a user from only logging in as an
> ftp client?

To *prevent* a user from using the ftpd service on a machine, simply
add their username to the /etc/ftpusers file.

The other important trick available with FreeBSD's ftpd is to add the
username to the /etc/ftpchroot file, or to set the ftp-chroot
capability in /etc/login.conf for the user's login class.  In this
case, the user will be chroot(2)-ed to their home directory when they
use ftp.  ftpd(8) has the details.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
Tel: +44 1628 476614                                  Marlow
Fax: +44 0870 0522645                                 Bucks., SL7 1TH UK
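As an added example, not part of Matthew's reply or of FreeBSD itself: a small sh script that audits whether an account satisfies the conditions described above (shell listed in /etc/shells, a nologin-style shell, and not listed in /etc/ftpusers). The account names and file contents are constructed; the function takes the file paths as arguments so it can be run against copies of the real files without root.

```shell
#!/bin/sh
# check_ftp_only USER PASSWD_FILE SHELLS_FILE FTPUSERS_FILE
# Returns 0 if USER looks ftp-only as described in the thread, 1 otherwise.
# Works on passwd(5) and master.passwd(5) lines: the shell is the last field.
check_ftp_only() {
    user=$1; passwd=$2; shells=$3; ftpusers=$4

    shell=$(awk -F: -v u="$user" '$1 == u { print $NF }' "$passwd")
    if [ -z "$shell" ]; then
        echo "$user: no such account in $passwd"; return 1
    fi

    # ftpd(8) refuses anyone listed in /etc/ftpusers outright.
    if grep -qxF "$user" "$ftpusers"; then
        echo "$user: listed in $ftpusers, ftp login is denied"; return 1
    fi

    # ftpd(8) requires a shell returned by getusershell(3), i.e. in /etc/shells.
    if ! grep -qxF "$shell" "$shells"; then
        echo "$user: shell $shell not in $shells, ftp login is denied"; return 1
    fi

    # A real shell would also allow ssh/console logins, so it is not ftp-only.
    case "$shell" in
        */nologin) ;;
        *) echo "$user: shell $shell is a real shell, not ftp-only"; return 1 ;;
    esac

    # The thread warns against listing the stock /sbin/nologin in /etc/shells,
    # since system accounts use it; a separate copy is the suggested approach.
    if [ "$shell" = /sbin/nologin ]; then
        echo "$user: warning, /sbin/nologin itself is listed in $shells"
    fi
    echo "$user: ftp-only (shell $shell)"; return 0
}

# Constructed sample files (hypothetical accounts, not from any real system).
make_sample_files() {
    dir=$(mktemp -d)
    cat > "$dir/master.passwd" <<'EOF'
root:*:0:0::0:0:Charlie &:/root:/bin/csh
ftponly:*:1001:1001::0:0:FTP Only:/home/ftponly:/usr/local/sbin/nologin
bob:*:1002:1002::0:0:Bob:/home/bob:/bin/sh
banned:*:1003:1003::0:0:Banned:/home/banned:/usr/local/sbin/nologin
EOF
    printf '%s\n' /bin/sh /bin/csh /usr/local/sbin/nologin > "$dir/shells"
    printf '%s\n' banned > "$dir/ftpusers"
    echo "$dir"
}
```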
