Operating System - HP-UX

ftponly configuration for sftp chrooted account

 
Guus van Luijn
Occasional Advisor


From a previous thread I learned that: to get a 'chrooted' account working with sftp, the shell in /etc/passwd must be /bin/sh.

This means that the account can be used for access through telnet.
What needs to be done if I want the account to be 'ftponly' as well as sftp?
(so no shell should be available to the user to avoid the access through telnet)
Muthukumar_5
Honored Contributor

Re: ftponly configuration for sftp chrooted account

You can try as,

-- /etc/profile --

# Look for a telnet process in the process list; ssh/sftp logins
# are not expected to match.
if ps | grep -q 'telnet'
then
    # Only the two transfer-only accounts are refused
    if [ "$USER" = "ftponly" -o "$USER" = "sftp" ]
    then
        echo "Don't login with this"
        sleep 1
        exit 1
    fi
fi

hth.
Easy to suggest when don't know about the problem!
Arunvijai_4
Honored Contributor

Re: ftponly configuration for sftp chrooted account

Just check these threads,
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=943669
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=942006

Have you tried with /bin/false ?

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Muthukumar_5
Honored Contributor

Re: ftponly configuration for sftp chrooted account

You can do it another way as,

Change the ftponly and sftp accounts' shell to /usr/bin/false. Add /usr/bin/false to the /etc/shells file as well.

Now try a telnet login using the ftponly or sftp account.

hth.
Easy to suggest when don't know about the problem!
Muthukumar_5
Honored Contributor

Re: ftponly configuration for sftp chrooted account

One more good reference:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=957193

Or you can also try with your own script, as follows:

# cat > /usr/bin/blockshell <<'EOF'
#!/usr/bin/sh
# Login "shell" that only prints a refusal and exits; it never gives a prompt.
echo "Sorry you can not use this account"
echo "Contact @ Guus van Luijn"
sleep 4
exit 1
EOF

# chmod 555 /usr/bin/blockshell

# ftpd only accepts accounts whose shell is listed in /etc/shells
# cat >> /etc/shells <<'EOF'
/usr/bin/blockshell
EOF

# passwd -e sets the account's login shell
# passwd -e /usr/bin/blockshell ftponly
# passwd -e /usr/bin/blockshell sftp

Now try to log in with the ftponly / sftp account. What does it say?

hth.
Easy to suggest when don't know about the problem!
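A blocking shell such as the one above refuses every login, which also breaks sftp: OpenSSH's sshd starts the sftp subsystem by running the account's login shell as `shell -c /path/to/sftp-server`, which is why the earlier thread required /bin/sh for the chrooted account. A restricted login shell that permits exactly that one command, and nothing else, gives the account sftp and ftp access with no interactive shell at all. The script below is an added example, not code from this thread or from HP; the script name `sftponly` and the sftp-server path `/opt/ssh/libexec/sftp-server` are assumptions and must be adjusted to the local OpenSSH installation.

```shell
#!/usr/bin/sh
# sftponly: restricted login shell for ftp/sftp-only accounts (added example).
# Allows only "sftponly -c <sftp-server>" as run by sshd; refuses everything
# else, including interactive logins via telnet or ssh.

# Assumed location of the OpenSSH sftp-server binary (not from the thread).
SFTP_SERVER=/opt/ssh/libexec/sftp-server

# Decide whether the arguments we were started with may run.
# Returns 0 (allow) only for exactly: -c <SFTP_SERVER>
sftponly_allowed() {
    # sshd runs the subsystem as:  $SHELL -c /path/to/sftp-server
    [ $# -eq 2 ] || return 1
    [ "$1" = "-c" ] || return 1
    # Exact string match, so "sftp-server; sh", "sftp-server -e" or any
    # other binary is refused.
    [ "$2" = "$SFTP_SERVER" ] || return 1
    return 0
}

# Refusal message; no sleep, so there is nothing for the user to interrupt.
sftponly_deny_message() {
    echo "This account is for ftp/sftp only; interactive login is not allowed." >&2
}

sftponly_main() {
    if sftponly_allowed "$@"; then
        # Replace ourselves with sftp-server; the shell never gets a prompt.
        exec "$SFTP_SERVER"
    fi
    sftponly_deny_message
    exit 1
}

# Act as a login shell only when invoked under the installed name:
# login(1) passes argv[0] as "-sftponly" for an interactive session, sshd
# passes "sftponly" (or the path) for "sh -c". Under any other name only
# the functions above are defined, so they can be exercised separately.
case "$0" in
    -sftponly|sftponly|*/sftponly) sftponly_main "$@" ;;
esac
```

Install it the same way the posts above install /usr/bin/blockshell: copy to a fixed path (for example /usr/local/bin/sftponly, an assumption), `chmod 555`, add that path to /etc/shells so ftpd accepts the account, and set it as the login shell of the ftponly and sftp accounts. If the account is chrooted before its shell is started, both the wrapper and sftp-server must also exist inside the chroot.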
Arturo Galbiati
Esteemed Contributor

Re: ftponly configuration for sftp chrooted account

Hi Guus,
simply put 'exit 0' in .profile without any sleep, otherwise the user can type ctrl-c and interrupt the profile, and in this way he will hack you.

HTH,
Art
Muthukumar_5
Honored Contributor

Re: ftponly configuration for sftp chrooted account

Art,

You cannot break the /etc/profile setting of sleep + exit 1 with a normal user's ctrl-c.

It will not allow you. .profile is a user-based one.

Guus,

Change $USER to $LOGNAME as,

# Look for a telnet process in the process list
if ps | grep -q 'telnet'
then
    # LOGNAME is set by login; USER may not be set at this point
    if [ "$LOGNAME" = "ftponly" -o "$USER" = "sftp" ]
    then
        echo "Don't login with this"
        sleep 1
        exit 1
    fi
fi


where, $USER is ssh related variable.

hth.
Easy to suggest when don't know about the problem!
Muthukumar_5
Honored Contributor

Re: ftponly configuration for sftp chrooted account

Change $USER = "sftp" to $LOGNAME also.

hth.
Easy to suggest when don't know about the problem!
Arturo Galbiati
Esteemed Contributor

Re: ftponly configuration for sftp chrooted account

Hi Muthukumar,
you are right about /etc/profile, but your reply assumes that Guus has root privilege.
My answer is for a user without root capability.
Guus only has to change the .profile for the involved user.

Art