topic Re: ftponly user in Operating System - HP-UX

ftponly user

himacs — Fri, 25 Sep 2009 19:55:23 GMT

Hi Admins,

I have created a user only for ftp access ,no shell access.Its worked fine.
But when i trying to ssh got below message.

>ssh pavan@UAEDXBPDCAPPP01
The authenticity of host 'uaedxbpdcappp01 (10.11.10.15)' can't be established.
RSA key fingerprint is d5:26:c4:f0:7e:7c:e4:dc:da:bd:7e:64:a0:6b:26:39.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'uaedxbpdcappp01' (RSA) to the list of known hosts.
Password:
Password:
Last login: Sat Sep 26 00:42:29 2009 from UAEDXBPDCAPPP01
/usr/bin/false: No such file or directory
Connection to UAEDXBPDCAPPP01 closed.

why this showing
Please suggest

regards
himacs

Re: ftponly user

Steven Schweda — Fri, 25 Sep 2009 21:03:32 GMT

> I have created a user only for ftp access
> ,no shell access. [...]

So why would you expect SSH to work using
an FTP-only account? What do you think that
"only" means?

"SSH" = "Secure SHell".

"no shell access"
"ssh"

Think about it.

Re: ftponly user

himacs — Fri, 25 Sep 2009 23:50:55 GMT

Hi Steven,

Actually my concern is abt password.If anybody tries the ssh with the same user,is there any chance password locking ,since its not accept password.

And why this showing
Please advice..

Regards
himacs

Re: ftponly user

Steven Schweda — Sat, 26 Sep 2009 02:53:27 GMT

> [...] is there any chance password locking
> [...]

Good question. It might be best to disable
SSH access (or, at least password
authentication) for this user. I know
nothing, but I'd guess that this could be
done in the server's SSH config files. It
might also be possible in the user's SSH
client config files, but the user might be
able to FTP in a change to those.

> [...] /usr/bin/false: No such file or
> directory [...]

I don't know that, either, but it may be
simply a poor message. It sure can't use
that shell the way it can use a normal shell,
so I'd guess that it gets a failure of some
kind when it tries.

Re: ftponly user

kobylka — Sat, 26 Sep 2009 07:38:59 GMT

Hello himacs!

> I have created a user only for ftp access ,no shell access.Its worked fine

Actually, ftp only account is a misnomer. All it reduces to is a user account on the system with /usr/bin/false as shell or similar, to avoid successful login of this user using login, r*, ...

> is there any chance password locking

Yes, actually if you have enforced a max number of authentication tries (man 4 security - AUTH_MAXTRIES) ssh login failures are counted too (man 5 pam_hpsec).

> /usr/bin/false: No such file or directory

As pointed out, an ftp only user is still a valid user account but with /usr/bin/false as login shell, which will prevent access.

You can avoid ssh failed authentication attempts from being counted by denying access to specific users.

As already suggested by Steven Schweda, this can be done in the sshd_config file:

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1373872

Kind regards,

Kobylka