ftp nologin problem

Matthew Seaman m.seaman at infracaninophile.co.uk
Wed Dec 28 02:00:32 PST 2005 

Imran Imtiaz wrote:
> I am running ProFTPD 1.2.10 on my bsd server but the problem is that if a user don't have a shell and I've defined his shell as nologin then the ftp server does not logon and give the following error
> C:\Documents and Settings\Asif>ftp 192.168.0.3
> Connected to 192.168.0.3.
> 220 ProFTPD 1.2.10 Server (ProFTPD Default Installation) [192.168.0.3]
> User (192.168.0.3:(none)): db.backup
> 331 Password required for db.backup.
> Password:
> 530 Login incorrect.
> Login failed.
> ftp>
> 
> tell me how can I correct this problem cause I don't want to give user a shell.

Yes -- in order for a user to log in successfully via FTP they need:

   * a user account
   * a valid shell (appears in /etc/shells)
   * not to be in the list of user accounts *denied* ftp access,
     confusingly kept in /etc/ftpusers

I suspect it's point 2 that you are running into here.  However, do not
just blindly add /sbin/nologin to /etc/shells -- any user account that
gets created on your system solely for the purpose of owning files or
processes will probably end up with nologin as its shell.  Putting
nologin into /etc/shells potentially creates a back door by which those
accounts can be used with FTP.

Instead, take a copy of /sbin/nologin, call it /usr/local/bin/ftp-only
and use that as the shell for all ftp users.  Add that to /etc/shells and
everything should work the way you want.

If you're trying to setup a highly secure mechanism for copying files over
the net for backup, then I'd counsel against using FTP at all -- it's one of
those archaic 'dawn of the internet' type protocols that does nasty things
like transmitting passwords over networks in plain text.  Two much better
alternatives are:

     WebDav over HTTPS -- very easy to use from the Windows desktop via
     the 'map network location' feature.  One gotcha is that if you're
     using a self signed cert on your webserver then you have to click
     on 'examine certificate' the first time you connect to the server,
     and then click on 'accept this certificate' or Windows will silently
     refuse to map the web location.

     rsync or scp over ssh.  On the Windows side, you'll need a SSH
     client, like Putty (http://www.chiark.greenend.org.uk/~sgtatham/putty/)
     scp is built into Putty, but adding rsync capability will need you to
     do a bit more work.  You'll need to install rsync (Ports: net/rsync)
     on your FreeBSD server, plus the Cygwin environment on your windows
     machines ( http://www.cygwin.com/)

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 254 bytes
Desc: OpenPGP digital signature
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20051228/f5a5380c/signature.bin

More information about the freebsd-questions mailing list