Operating System - HP-UX

Re: User login account for ftp only (not telnet)

 
SOLVED
Go to solution
Beannie
Advisor

User login account for ftp only (not telnet)

Have an account setup and want to restrict it to only ftp logins and not telnet. Am using a script (that I found on here) to "kick off" this account if telnet is attempted but it's not working. The script is as follows and is in the /etc/profile and looks at the not_loginable file for accounts that are not allowed login with telnet:

# Only act when logname(1) can identify the login user.
if logname > /dev/null 2>&1
then
    LGNM=`logname`
    # /etc/not_loginable holds one account name per line; match the whole line.
    if egrep "^${LGNM}$" /etc/not_loginable > /dev/null 2>&1
    then
        echo "\nDirect login not allowed for $LGNM\n"
        sleep 2 # Give the message time to display on an ssh login #
        # Record the refused login in syslog (facility user, priority err).
        echo "\nNO remote login allowed for $LGNM (`date '+%D %T'`)\n" |
            logger -p user.err -t NOT_LOGINABLE
        # Leaving /etc/profile with a non-zero status ends the login session.
        exit 1
    fi
fi

Thoughts/suggestions? Thanks much!
Rita C Workman
Honored Contributor

Re: User login account for ftp only (not telnet)

Have you thought of using inetd.sec where you could allow/deny certain protocols?

Just a quick thought,
Rita
Matti_Kurkela
Honored Contributor
Solution

Re: User login account for ftp only (not telnet)

Your solution is overly complicated.

The traditional way to create a FTP-only user is to set the user's shell to /usr/bin/false (chsh user /usr/bin/false), then list /usr/bin/false as a valid shell in /etc/shells.

If you don't have /etc/shells in your system, remember to include the system's standard shells when you create it. If /etc/shells does not exist, the system will use a hard-coded default list of shells (see "man getusershell" for details and the list), but once you create /etc/shells, *only* the shells listed in it will be considered valid.

The FTP daemon will allow access only if the user has a valid shell, but it won't actually use the shell for anything.

On the other hand, login services like telnet will simply initialize the user's session by executing the shell program configured for that user. If /usr/bin/false is used as the shell program, it will return immediately with an error code, causing the telnet session to terminate instantly.

This is the simplest possible solution, and also secure by design against any attempts to pause or interrupt a shell script, because /usr/bin/false will never accept any input from the user.

If you are required to display a "login not allowed" message before disconnecting the session, you can write a script that only outputs the message, then configure that script as a "shell" for the user.

NOTE: this might be slightly less secure than using /usr/bin/false, because any script interpreter is more complex than /usr/bin/false and so has a larger probability of containing unknown exploitable bugs.

MK
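The following script is an added illustration of the check this answer describes; it is not code from the thread or from HP-UX. It models what ftpd does with getusershell(3): a login is admitted only if the account's shell from /etc/passwd appears as a line of /etc/shells. It runs against constructed passwd and shells files written to a temporary directory, so the file paths, the user names (root, alice, ftpdrop) and the two shells-file variants are assumptions made for the demonstration. The second variant shows the caveat in the answer: an /etc/shells that lists only /usr/bin/false and omits the system's standard shells locks the ordinary accounts out of FTP.

```shell
#!/bin/sh
# Added example, not code from the thread: model the check described in the
# answer above. ftpd admits a user only if the login shell in /etc/passwd is
# listed in /etc/shells (getusershell(3)); telnet/login instead exec that
# shell, so /usr/bin/false ends the session at once. File paths are arguments
# so the script runs against the constructed sample files built below.

# is_valid_shell SHELL SHELLS_FILE -> 0 if SHELL is an exact line of SHELLS_FILE
is_valid_shell() {
    grep -F -x "$1" "$2" >/dev/null 2>&1
}

# login_shell USER PASSWD_FILE -> prints the 7th passwd field for USER
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; exit }' "$2"
}

# classify_account USER PASSWD_FILE SHELLS_FILE
# prints: ftp-only    shell is /usr/bin/false and listed -> ftp yes, telnet no
#         interactive shell is listed and a real shell  -> ftp yes, telnet yes
#         no-ftp      shell not in SHELLS_FILE          -> ftpd refuses login
#         unknown     USER not in PASSWD_FILE
classify_account() {
    shell=$(login_shell "$1" "$2")
    if [ -z "$shell" ]; then
        echo unknown
    elif ! is_valid_shell "$shell" "$3"; then
        echo no-ftp
    elif [ "$shell" = /usr/bin/false ]; then
        echo ftp-only
    else
        echo interactive
    fi
}

# make_sample DIR -> writes a constructed passwd and two /etc/shells variants
make_sample() {
    mkdir -p "$1"
    cat > "$1/passwd" <<'EOF'
root:x:0:3::/:/sbin/sh
alice:x:101:20::/home/alice:/usr/bin/sh
ftpdrop:x:102:20::/home/ftpdrop:/usr/bin/false
EOF
    # Complete list: the standard shells plus /usr/bin/false, as the answer advises.
    printf '%s\n' /sbin/sh /usr/bin/sh /usr/bin/ksh /usr/bin/false > "$1/shells.complete"
    # Incomplete list: only /usr/bin/false added, standard shells forgotten.
    printf '%s\n' /usr/bin/false > "$1/shells.incomplete"
}

# report DIR -> one line per (shells file, user) for a stand-alone run
report() {
    for f in shells.complete shells.incomplete; do
        for u in root alice ftpdrop; do
            printf '%-17s %-8s %s\n' "$f" "$u" \
                "$(classify_account "$u" "$1/passwd" "$1/$f")"
        done
    done
}

dir=${TMPDIR:-/tmp}/ftponly.$$
make_sample "$dir"
report "$dir"
rm -rf "$dir"
```

Run it as-is to see the table: with the complete list ftpdrop is ftp-only and the other two accounts stay interactive; with the incomplete list ftpdrop is unchanged but root and alice become no-ftp, which is exactly the lockout the answer warns about when /etc/shells is created without the standard shells.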
Steven Schweda
Honored Contributor

Re: User login account for ftp only (not telnet)

A Forum (or Web) search for keywords like,
say:

ftp-only account

would find many similar old discussions.

> The traditional way [...]

Most look like that.