Operating System - HP-UX

Re: userid can telnet to server, but cannot access through application

denise_7

userid can telnet to server, but cannot access through application

Hi HPExperts,

I have one user who can access a prod server using a userid, but this same userid will not work through the application WS_FTP. The user reports that WS_FTP cannot authenticate their account. This was working about 1 or 2 weeks ago.

Here are the log messages:
pam_acct_mgmt: Account is disabled - see Acct. Admin.
ftpd[xxxxx]: User XXXX: Login incorrect
ftp[xxxxx]: FTP session closed
inetd[xxxxx]: ftp/tcp: connection from unknown (xx.xx.xx.xx)
ftpd[xxxxx]: PAM_ERROR_MSG: Acct is disabled - See Acct Admin
ftpd[xxxxx]: FTP LOGIN REFUSED (bad shell) from xx.xx.xx.xx

My question is: is it possible to successfully log in via telnet with a userid, and then be unable to run WS_FTP with the same userid?

Thanks for all of your help!
Chris Wilshaw (Solution)

The important message from the log is:

LOGIN REFUSED bad shell

This means that the user's shell is not present in the file /etc/shells.

The file only affects FTP logins, which is why they are still able to telnet to the server. Just add their shell to the file - check the last field of their entry in /etc/passwd to see which shell they're using.

denise_7

Chris,

You say "The file only affects FTP logins". You mean /etc/shells is used for FTP logins only?

On the one production server, there is no /etc/shells file. Strange! But the test and development servers have the /etc/shells file. Is this a security issue, or is there a security issue with /etc/shells?

If I wanted to just add a shells file, I just create a file and save it as shells, right? Root has to be the owner, and what about permissions?

I believe you are right, that the logs show bad shell as the problem, no /etc/shells. But I was surprised /etc/shells was not there!

Thanks.
Chris Wilshaw

That's correct - /etc/shells is only used by FTP.

It's not a security issue if the file doesn't exist (as a default, this file does not exist on the system). Permissions should be 644, owned by root, with a group of sys.

If the file doesn't exist, the following shells have FTP capability (from the man page for getusershell):

/sbin/sh
/usr/bin/sh
/usr/bin/rsh
/usr/bin/ksh
/usr/bin/rksh
/usr/bin/csh
/usr/bin/keysh

If you create the file, you need to make sure that these are all added in addition to the shell of your user with the problem.
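The check Chris describes can be reproduced outside ftpd so that an admin can find every account that will be refused before users report it. The script below is an added example written for this thread, not code from the original posts or from HP-UX: it mimics what ftpd does through getusershell(3) (read /etc/shells if it exists, otherwise fall back to the built-in default list quoted above), audits a passwd file against that list, and shows how to create /etc/shells with the defaults plus an extra shell. The passwd and shells file contents are constructed sample data, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: mimic the /etc/shells check that
# ftpd performs via getusershell(3) on HP-UX, so an admin can see which
# accounts will get "FTP LOGIN REFUSED (bad shell)" even though telnet works.
# The passwd/shells contents used below are constructed samples.

# Shells ftpd accepts when /etc/shells does not exist (the HP-UX getusershell(3)
# default list quoted in the post above).
DEFAULT_SHELLS='/sbin/sh
/usr/bin/sh
/usr/bin/rsh
/usr/bin/ksh
/usr/bin/rksh
/usr/bin/csh
/usr/bin/keysh'

# allowed_shells FILE: print the list getusershell() would return. FILE is
# normally /etc/shells; if it is missing, the built-in default list is used.
# Blank lines and '#' comments are ignored.
allowed_shells() {
    if [ -f "$1" ]; then
        grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
    else
        printf '%s\n' "$DEFAULT_SHELLS"
    fi
}

# ftp_shell_ok SHELL FILE: exit 0 if SHELL is on the allowed list, 1 if not.
ftp_shell_ok() {
    allowed_shells "$2" | grep -qxF -e "$1"
}

# audit_passwd PASSWDFILE FILE: print "user shell" for every account whose
# login shell (7th field) is not on the allowed list; these are the logins
# ftpd will refuse. An empty shell field is reported too, for manual review.
audit_passwd() {
    allowed=$(allowed_shells "$2")
    while IFS=: read -r user _ _ _ _ _ shell; do
        if [ -z "$shell" ] || ! printf '%s\n' "$allowed" | grep -qxF -e "$shell"; then
            printf '%s %s\n' "$user" "$shell"
        fi
    done < "$1"
}

# make_shells_file FILE SHELL...: create FILE with the default list plus the
# given extra shells, mode 644. The real /etc/shells must also be owned by
# root with group sys (chown root:sys /etc/shells), which requires root.
make_shells_file() {
    f=$1; shift
    printf '%s\n' "$DEFAULT_SHELLS" > "$f"
    for s in "$@"; do
        grep -qxF -e "$s" "$f" || printf '%s\n' "$s" >> "$f"
    done
    chmod 644 "$f"
}

# setup_demo DIR: write a constructed passwd file into DIR (sample data only).
setup_demo() {
    cat > "$1/passwd" <<'EOF'
root:x:0:3::/:/sbin/sh
denise:x:101:20::/home/denise:/usr/bin/ksh
appuser:x:102:20::/home/appuser:/usr/local/bin/bash
batch:x:103:20::/home/batch:/usr/bin/false
EOF
}

# Walk through the thread's situation: no shells file, then one that adds bash.
demo_dir=$(mktemp -d)
setup_demo "$demo_dir"

echo "== no shells file (default list in force): accounts ftpd will refuse =="
audit_passwd "$demo_dir/passwd" "$demo_dir/shells"

echo "== after creating a shells file with /usr/local/bin/bash added =="
make_shells_file "$demo_dir/shells" /usr/local/bin/bash
audit_passwd "$demo_dir/passwd" "$demo_dir/shells"

rm -rf "$demo_dir"
```

On a real system you would run `audit_passwd /etc/passwd /etc/shells` as root; any account it lists is one that can log in interactively (login and telnet do not consult this list) but will be turned away by ftpd with the "bad shell" message. Note that a shell such as /usr/bin/false, which is usually set precisely to block logins, shows up in the report as expected.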
denise_7

Chris,

Ok, I'd like to ask you this question. I recently FTPed a file from one server to this server in question, and this server does not have the /etc/shells file. How was I able to ftp to this server?

Other users (two of them) were reported to be having problems with using WS_FTP from their computer (Windows box) to the server. Does WS_FTP require the /etc/shells file?

Exactly what is the difference between FTPing to the server from a computer and FTPing from an HP box to another HP box?

Thanks.
Bill Hassell

There are many, many options available in WU-ftpd (man ftpaccess). Look at the sample ftpaccess file in /usr/newconfig/etc/ftpd/examples/ftpaccess and also the ftpgroups file.

However, authentication is completely handled by PAM (pluggable authentication modules) for 11.11 and higher, and PAM depends on a number of security rules (man security).

/etc/shells is used by *every* program that calls getusershell (ftp is one of them), so /etc/shells does need to exist *if* users are allowed to have non-standard shells. This will fix future problems too. The machine where /etc/shells is missing may not be a Trusted system, or it is running an early version of 11.0, or it has very few of the required patches for ftpd and PAM.


Bill Hassell, sysadmin