Date: Wed, 31 Jul 2002 09:46:57 -0400 (EDT)
From: Jerry McAllister <jerrymc@clunix.cl.msu.edu>
To: m.seaman@infracaninophile.co.uk (Matthew Seaman)
Cc: p_gates@fuse.net (Phil Gates), freebsd-questions@FreeBSD.ORG
Subject: Re: ftp only login
Message-ID: <200207311346.g6VDkwL10472@clunix.cl.msu.edu>
In-Reply-To: <20020731072930.GA36763@happy-idiot-talk.infracaninophi> from "Matthew Seaman" at Jul 31, 2002 08:29:30 AM

>
> On Tue, Jul 30, 2002 at 05:07:14PM -0400, Phil Gates wrote:
>
> > I need to allow a user to login to ftp but not login in any other
> > way.  Does anybody know how I can do this?  I was told to change the
> > shell to some file such as /dev/null so the user would have no shell
> > to login to.  I changed the /etc/passwd file to do this.  When I try
> > to login I was still able to login.  Do I need to change any other
> > files?
>
> You're on the right track, but not all the way there.  You need to do
> two things:
>
>     i) Don't edit /etc/passwd --- edit /etc/master.passwd  When you're
>        done editing, be sure to rebuild the pwd.db password database files:
>
>            pwd_mkdb -p /etc/master.passwd

No No No No.
Don't edit either /etc/passwd OR /etc/master.passwd directly.
Use vipw(8) (/usr/sbin/vipw).  It handles consistency checking, locking
and updating everything - /etc/passwd, /etc/master.passwd, even including
updating the passwd database and does it correctly.

The rest of your information is correct.

////jerry

>        The /etc/passwd file is generated from the /etc/master.passwd
>        file by that command.  If you use vipw(1) to edit the password
>        data the pwd_mkdb stuff is all done for you automatically.
>
>    ii) In order to access the ftpd(8) service on your machine, the man
>        page says:
>
>            4.   The user must have a standard shell returned by
>                 getusershell(3).
>
>        Which means that the shell you give to the user must be added to
>        the /etc/shells file.  There is a very handy command
>        /sbin/nologin (see nologin(8)) which politely tells the user to
>        "go away", and is designed for this very purpose.  However, it's
>        used for all sorts of system accounts in /etc/passwd already and
>        adding it to /etc/shells is probably asking for trouble.
>
>        So you need to do something like the following:
>
>            cp /sbin/nologin /usr/local/sbin/nologin
>            echo /usr/local/sbin/nologin >> /etc/shells
>            vipw
>
> > Or is there a different way to keep a user from only login in as a
> > ftp client?
>
> To *prevent* a user from using the ftpd service on a machine, simply
> add their username to the /etc/ftpusers file.
>
> The other important trick available with FreeBSD's ftpd is to add the
> username to the /etc/ftpchroot file, or to set the ftp-chroot
> capability in /etc/login.conf for the user's login class.  In this
> case, the user will be chroot(2)-ed to their home directory when they
> use ftp.  ftpd(8) has the details.
>
>         Cheers,
>
>         Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
>                                                       Savill Way
> Tel: +44 1628 476614                                  Marlow
> Fax: +44 0870 0522645                                 Bucks., SL7 1TH UK
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
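
An added example (not part of the original messages and not FreeBSD project code): a POSIX sh audit that checks one account against the points raised in this thread, namely a nologin shell, its presence in /etc/shells, /etc/ftpusers and /etc/ftpchroot. The function names, the sample accounts and the overridable PASSWD, SHELLS, FTPUSERS and FTPCHROOT variables are assumptions made for the illustration.

```shell
#!/bin/sh
# Audit an FTP-only account against the checks discussed in the thread.
# File locations can be overridden so the audit can run against copies.
PASSWD=${PASSWD:-/etc/passwd};       SHELLS=${SHELLS:-/etc/shells}
FTPUSERS=${FTPUSERS:-/etc/ftpusers}; FTPCHROOT=${FTPCHROOT:-/etc/ftpchroot}

# listed FILE ENTRY: true if ENTRY is a whole non-comment line of FILE
listed() {
    [ -r "$1" ] && grep -v '^[[:space:]]*#' "$1" | grep -Fxq -- "$2"
}

# audit_ftp_only USER: one finding per line; returns 0 only if nothing FAILs
audit_ftp_only() {
    user=$1; rc=0
    shell=$(awk -F: -v u="$user" '$1 == u { print $7; exit }' "$PASSWD")
    [ -n "$shell" ] || { echo "FAIL $user: no passwd entry or empty shell"; return 1; }
    # Assumption: a shell whose basename is nologin refuses interactive logins.
    case ${shell##*/} in
        nologin) echo "OK   $shell refuses interactive logins" ;;
        *)       echo "FAIL $shell may allow interactive logins"; rc=1 ;;
    esac
    # ftpd(8) only accepts users whose shell is returned by getusershell(3).
    if listed "$SHELLS" "$shell"; then echo "OK   $shell is in $SHELLS"
    else echo "FAIL $shell is not in $SHELLS, ftpd will refuse $user"; rc=1; fi
    # The thread advises against listing the system-wide /sbin/nologin.
    if listed "$SHELLS" /sbin/nologin; then
        echo "WARN /sbin/nologin is in $SHELLS, system accounts pass the shell check"
    fi
    # A name in ftpusers is denied FTP (group entries, if any, are not expanded).
    if listed "$FTPUSERS" "$user"; then echo "FAIL $user is denied by $FTPUSERS"; rc=1; fi
    # chroot is optional hardening; the login.conf ftp-chroot route is not checked.
    listed "$FTPCHROOT" "$user" || echo "WARN $user is not in $FTPCHROOT"
    return $rc
}

# Constructed sample files (not from the thread) for trying the audit offline.
make_fixture() {
    d=$1
    printf '%s\n' 'root:*:0:0:Charlie &:/root:/bin/csh' \
        'ftponly:*:1001:1001:FTP only:/home/ftponly:/usr/local/sbin/nologin' \
        'shelluser:*:1002:1002:Shell user:/home/shelluser:/bin/sh' > "$d/passwd"
    printf '%s\n' '# constructed' /bin/sh /bin/csh /usr/local/sbin/nologin > "$d/shells"
    printf '%s\n' root > "$d/ftpusers"
    printf '%s\n' ftponly > "$d/ftpchroot"
}

# Usage: sh audit.sh USER  (with no argument only the functions are defined)
[ $# -eq 0 ] || audit_ftp_only "$1"
```

Run against the real files, a FAIL line means the account either still has an interactive route in or will be refused by ftpd; WARN lines flag the two judgement calls from the thread.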