Allow inbound ftp but not telnet


Ming
06-17-2001, 03:56 PM
Hi
Is there any way I can let a certain user FTP into my machine but not telnet in? I need to leave telnet enabled for everybody else and I don't know the IP that the user will log in from.
Tia,
Ming

Craig McPherson
06-17-2001, 04:43 PM
Edit /etc/passwd, set his shell to /bin/false.

Make sure you don't have rsh running in addition to telnet.

Ming
06-18-2001, 05:23 PM
Problem. I'm using PureFTPd with a -A switch which CHROOTs everyone to their home dir. The problem is that also with the -A switch, users need a shell acct to get access. Here's what the PureFTPd manual (http://pureftpd.sourceforge.net/README) says:
Note : 'root' always has full filesystem access.
Users need a shell listed in /etc/shells to get restricted or
unrestricted FTP access.

Is there maybe another way I can restrict telnet access to the one particular user without taking his shell?
Please tell me if I'm not being clear.
Thank you.

Craig McPherson
06-18-2001, 05:45 PM
I've never heard of an FTP daemon doing that before, and I can't say I really understand why it would do that. If you want to keep things simple, just use ProFTPD instead. It's fairly simple, fast, and regarded as one of the most secure. It's also one of the most popular and supported.

As I said, I don't really understand: a user actually HAS to have a valid login shell in order to log in with PureFTPD? It does not work with /bin/false? One hack you could do would be to add a "logout" command to that user's ~/.profile, so that they're logged out immediately if they try to log in to a shell. There are ways around that, but it's the only thing I can think of offhand.

Ming
06-18-2001, 07:39 PM
"...a user actually HAS to have a valid login shell in order to log in with PureFTPD? It does not work with /bin/false?"

Correct...and it's not just when you use the -A switch (chroot ~) as I thought before.

Is it possible to give a user a shell that allows absolutely nothing?

Craig McPherson
06-18-2001, 07:52 PM
Is there some reason you have to run this FTP program instead of ProFTPD?

/bin/false is a "shell" that gives a user absolutely nothing. Have you tried adding it to /etc/shells? I'm not sure exactly what a shell has to do to be considered a "shell" by your FTP daemon.
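
An added example, not part of any post in this thread: a shell function that cross-checks a passwd file against a shells file, showing which accounts would be FTP-only under a daemon that requires a listed shell, as the README quoted above describes. The function name, the list of non-interactive shells, and the sample accounts are constructed assumptions.

```shell
#!/bin/sh
# Shells that end the session at once (assumed list; adjust per system).
NOLOGIN_SHELLS="/bin/false /sbin/nologin /usr/sbin/nologin"

# audit_shells PASSWD_FILE SHELLS_FILE -> one "user shell verdict" line per account
#   no-ftp     shell not in the shells file; a daemon that checks it refuses FTP
#   ftp-only   shell is listed but non-interactive: FTP works, telnet login exits
#   shell+ftp  shell is listed and interactive: telnet login works too
audit_shells() {
    awk -F: -v shells="$2" -v nologin="$NOLOGIN_SHELLS" '
        BEGIN {
            n = split(nologin, a, " ")
            for (i = 1; i <= n; i++) dead[a[i]] = 1
            # Load the shells file, skipping comments and blank lines.
            while ((getline line < shells) > 0) {
                sub(/[ \t]+$/, "", line)
                if (line != "" && line !~ /^#/) listed[line] = 1
            }
        }
        NF >= 7 && $1 !~ /^#/ {
            sh = ($7 == "") ? "/bin/sh" : $7   # empty field means /bin/sh
            if (!(sh in listed))  v = "no-ftp"
            else if (sh in dead)  v = "ftp-only"
            else                  v = "shell+ftp"
            print $1, sh, v
        }
    ' "$1"
}

# Constructed sample data (not from the thread), written to a temp directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/shells" <<'EOF'
# constructed /etc/shells
/bin/sh
/bin/bash
/bin/false
EOF
cat > "$demo_dir/passwd" <<'EOF'
alice:x:1000:1000::/home/alice:/bin/bash
ftpuser:x:1001:1001::/home/ftpuser:/bin/false
svc:x:1002:1002::/home/svc:/sbin/nologin
legacy:x:1003:1003::/home/legacy:
EOF
audit_shells "$demo_dir/passwd" "$demo_dir/shells"
rm -rf "$demo_dir"
```

On a live system the call is `audit_shells /etc/passwd /etc/shells`. Any shell added to /etc/shells is also accepted by other programs that consult that file, such as chsh.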