Brian Atkins
Advisor

FTP only user?

Is there a method for creating a user that can only FTP, not rlogin, telnet or anything else?

By the way, since it seems to be an issue, I assign points to any answers I get...
Tony Constantine_1
Regular Advisor

Re: FTP only user?

The way I've set up an FTP-only user is by adding the exit command in the user's /home/username/.profile script.

This disconnects the user when they try to login but allows ftp access.
Lasse Knudsen
Esteemed Contributor

Re: FTP only user?

I don't know if this could be done, but my first guess is to assign a shell for the user that is no good, e.g. /bin/false.

Just remember to add it to /etc/shells.

In a world without fences - who needs Gates ?
Albert E. Whale, CISSP
Honored Contributor

Re: FTP only user?

Brian,

I recommend the use of the /bin/false shell.

This allows you to create the user, the password (and any potential updates for the password), and not allow them to log onto the server.

You get the best of all worlds, User/Password authentication and no access.
Sr. Systems Consultant @ ABS Computer Technology, Inc. http://www.abs-comptech.com/aewhale.html & http://www.ancegroup.com
Brian Atkins
Advisor

Re: FTP only user?

Thanks, I used both methods.
Tony Constantine_1
Regular Advisor

Re: FTP only user?

Brian

Another way to deny telnet access is to use the /var/adm/inetd.sec file:

telnet deny 10.40.220.100 #deny only this ip address

telnet deny 10.40.*.* #deny 10.40 range

Do a man on inetd.

Albert E. Whale, CISSP
Honored Contributor

Re: FTP only user?

Brian,

FYI - the .profile will never be executed if you use the /bin/false option.

I just wanted to save you a little effort in your administration of the ftp user.

Hope that helps.
Sr. Systems Consultant @ ABS Computer Technology, Inc. http://www.abs-comptech.com/aewhale.html & http://www.ancegroup.com
Lasse Knudsen
Esteemed Contributor

Re: FTP only user?

Using .profile is not a good idea. It is still (with a little luck) possible to interrupt the .profile execution using ctrl-c and then get a shell.

You are still able to use 'remsh' and bypass .profile execution.

Try this:

remsh /usr/bin/X11/xterm -display :0.0

And you will get a nice window with a shell prompt. I do not think that was what you wanted.

Use the /bin/false method.
In a world without fences - who needs Gates ?
James R. Ferguson
Acclaimed Contributor

Re: FTP only user?

Brian:

With regard to Tony & Allan's comments about using the "profile" exit, you can harden your profile against shell-out by adding the following trap at the very beginning:

trap "" 1 2 3

In the case you are trying to achieve, I would choose the substitution of /usr/bin/false in place of a standard shell specification in /etc/passwd. You do not need to add this to /etc/shells.

Regards!

...JRF...
Paula J Frazer-Campbell
Honored Contributor

Re: FTP only user?

Hi,

The .profile option is not as secure as /usr/bin/false, i.e. as previously mentioned it can be bypassed or broken out of.

Do not give them a shell :-

ftpuser:*:200:10:FTP User:/home/ftp:/usr/bin/false

HTH

Paula
If you can spell SysAdmin then you is one - anon
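An added example (not from any poster in this thread) that audits the approach the thread settles on: a POSIX sh script that reads a passwd-format file, reports which accounts carry a non-login shell in the seventh field and whether that shell is listed in an /etc/shells-style file (some ftpd builds refuse logins for shells that are not listed there, so the report flags both cases). The file contents, account names and the `ftpaudit` temp directory are constructed for the example.

```shell
#!/bin/sh
# Audit a passwd-format file for FTP-only accounts, i.e. accounts whose
# login shell is /usr/bin/false or /bin/false (not the .profile "exit" trick,
# which this thread shows can be bypassed via ctrl-c or remsh).

NOLOGIN_SHELLS="/usr/bin/false /bin/false"

# is_nologin_shell SHELL -> exit status 0 if SHELL is a non-login shell
is_nologin_shell() {
    for s in $NOLOGIN_SHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# shell_listed SHELL SHELLSFILE -> exit status 0 if SHELL is a line in SHELLSFILE
shell_listed() {
    grep -Fqx -- "$1" "$2"
}

# audit_passwd PASSWDFILE SHELLSFILE
# Prints "user shell STATUS" per account, where STATUS is:
#   ftp-only     non-login shell and listed in the shells file
#   ftp-only?    non-login shell but not listed (an ftpd that consults
#                /etc/shells would reject this account's FTP logins too)
#   interactive  a real shell: telnet/rlogin/remsh logins are possible
audit_passwd() {
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        [ -z "$user" ] && continue
        if is_nologin_shell "$shell"; then
            if shell_listed "$shell" "$2"; then status=ftp-only; else status="ftp-only?"; fi
        else
            status=interactive
        fi
        printf '%s %s %s\n' "$user" "$shell" "$status"
    done < "$1"
}

# run_demo: writes constructed sample files (not a real system) and audits them.
run_demo() {
    tmp=${TMPDIR:-/tmp}/ftpaudit.$$
    mkdir -p "$tmp"
    cat > "$tmp/passwd" <<'EOF'
root:*:0:3::/:/sbin/sh
ftpuser:*:200:10:FTP User:/home/ftp:/usr/bin/false
ftp2:*:202:10:Second FTP User:/home/ftp2:/bin/false
brian:*:201:20:Brian:/home/brian:/usr/bin/ksh
EOF
    printf '%s\n' /sbin/sh /usr/bin/sh /usr/bin/ksh /usr/bin/false > "$tmp/shells"
    audit_passwd "$tmp/passwd" "$tmp/shells"
    rm -rf "$tmp"
}

run_demo
```

Point `audit_passwd` at a real /etc/passwd and /etc/shells to list every account that still has an interactive shell.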