topic Re: FTP only user? in Operating System - HP-UX

FTP only user?

Brian Atkins — Thu, 16 Nov 2000 13:28:17 GMT

Is there a method for creating a user that can only FTP, not rlogin, telnet or anything else?

By the way, since it seems to be an issue, I assign points to any answers I get...

Re: FTP only user?

Tony Constantine_1 — Thu, 16 Nov 2000 13:39:09 GMT

The way i've setup user ftp only is by adding the exit command in the user's /home/username/.profile script

This disconnects the user when they try to login but allows ftp access.

Re: FTP only user?

Lasse Knudsen — Thu, 16 Nov 2000 13:41:43 GMT

I dont know if this could be done but my first guess is to assign a shell for the user that is no good e.g. /bin/false.

Just remember to add it to /etc/shells.

Re: FTP only user?

Albert E. Whale, CISSP — Thu, 16 Nov 2000 13:53:48 GMT

Brian,

I recommend the use of the /bin/false shell.

This allows you to create the user, the password (and any potential updates for the password), and not allow them to log onto the server.

You get the best of all worlds, User/Password authentication and no access.

Re: FTP only user?

Brian Atkins — Thu, 16 Nov 2000 14:05:19 GMT

Thanks, I used both methods.

Re: FTP only user?

Tony Constantine_1 — Thu, 16 Nov 2000 14:08:31 GMT

Brian

another way to deny telnet access is to use the /var/adm/inetd.sec file

telnet deny 10.40.220.100 #deny only this ip address

telnet deny 10.40.*.* #deny 10.40 range

do a man on inetd

Re: FTP only user?

Albert E. Whale, CISSP — Thu, 16 Nov 2000 14:26:35 GMT

Brian,

FYI - the .profile will never be executed if you use the /bin/false option.

I just wanted to save you a little effort in your administration of the ftp user.

Hope that helps.

Re: FTP only user?

Lasse Knudsen — Thu, 16 Nov 2000 14:37:44 GMT

Using .profile is not a good idea. It is still (with a little luck) possible to interrupt the .profile execution using ctrl-c and then get a shell.

You are still able to use 'remsh' and bypass .profile execution.

Try this:

remsh /usr/bin/X11/xterm -display :0.0

And you will get a nice window with a shell prompt- I do not think that was what you wanted.

Use /bin/false - method

Re: FTP only user?

James R. Ferguson — Thu, 16 Nov 2000 16:43:57 GMT

Brian:

With regard to Tony & Allan's comments about using the "profile" exit, you can harden your profile against shell-out by adding the following trap at the very beginning:

trap "" 1 2 3

In the case you are trying to achieve, I would choose the substitution of /usr/bin/false in place of a standard shell specification in /etc/passwd. You do not need to add this to /etc/shells.

Regards!

...JRF...

Re: FTP only user?

Paula J Frazer-Campbell — Thu, 16 Nov 2000 20:44:29 GMT

Hi
The .profile option is not as secure as /usr/bin/false ie as previously mentioned it can be bypassed or broken out.

Do not give them a shell :-

ftpuser:*:200:10:FTP User:/home/ftp:/usr/bin/false

HTH

Paula