FTP access without shell access

Hello everyone,
I have been using BSD for more years than I can count, but just recently built my first box with a firewall, Apache webserver, SQL server and client, and so on. I did this more or less just to learn how to be an administrator and to get much more familiar with shell access and doing everything from the command line. I have been very happy with my progress, but for the life of me I cannot seem to get a user to have just FTP without having shell access. So as of right now I'm using ftpd(8) with ftpchroot to lock users in directories and was trying to take away shell access by changing the shell to /bin/nologin/, but when I do that ftp stops working. Maybe I'm missing a step, because when I search around on the internet I see people saying that is the correct way. If anyone could help me out it would be greatly appreciated.
 
Since ftp is not encrypted, I use sftp, with the following config bits in sshd_config:

Code:
# this can be set to a group as well
Match User fred
ChrootDirectory /home/fred/
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
It's now sftp only. When I try to ssh (or scp) to this user account I get:

Code:
Could not chdir to home directory /home/fred: No such file or directory
This service allows sftp connections only.
Connection to host closed.
 
JayDogg said:
So as of right now I'm using ftpd(8) with ftpchroot to lock users in directories and was trying to take away shell access by changing shell to /bin/nologin/ but when I do that ftp stops working. Maybe I'm missing a step because when I search around on the internet I see people saying that is the correct way.

This is because ftpd(8):
Code:
     The ftpd utility authenticates users according to six rules.
 {...snip...}
           4.   The user must have a standard shell returned by
                getusershell(3).

See shells(5) and /etc/shells:
Code:
# $FreeBSD: stable/9/etc/shells 59717 2000-04-27 21:58:46Z ache $
#
# List of acceptable shells for chpass(1).
# Ftpd will not allow users to connect who are not using
# one of these shells.

/bin/sh
/bin/csh
/bin/tcsh
Adding /usr/sbin/nologin to /etc/shells should allow ftpd to be used.

Another option is of course to use an FTP daemon that doesn't have this restriction.
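
Rule 4 quoted above can be checked offline before touching a live account. The script below is an added example, not part of any post in this thread: it compares each account's shell field against the entries of a shells(5)-format file as exact strings. The file contents and user names are constructed, and treating an empty shell field as /bin/sh is an assumption.

```shell
#!/bin/sh
# Added example: offline emulation of ftpd(8) rule 4 (shell must be in /etc/shells).

# Print the shell paths listed in a shells(5)-format file ($1):
# comments, surrounding whitespace and blank lines are dropped.
list_shells() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Print the login shell of user $2 from a 7-field passwd(5) file ($1).
# Assumption: an empty shell field is treated as /bin/sh.
user_shell() {
    awk -F: -v u="$2" '$1 == u { print ($7 == "" ? "/bin/sh" : $7); exit }' "$1"
}

# shell_ok PASSWD SHELLS USER
# Returns 0 = shell is listed verbatim, 1 = not listed, 2 = no such user.
shell_ok() {
    s=$(user_shell "$1" "$3")
    [ -n "$s" ] || return 2
    if list_shells "$2" | grep -Fxq -- "$s"; then return 0; else return 1; fi
}

# Write constructed sample files into directory $1.
write_samples() {
    cat > "$1/shells" <<'EOF'
# constructed sample, not taken from the thread
/bin/sh
/bin/csh
/sbin/nologin
EOF
    cat > "$1/passwd" <<'EOF'
alice:*:1001:1001:constructed:/home/alice:/sbin/nologin
bob:*:1002:1002:constructed:/home/bob:/usr/sbin/nologin
carol:*:1003:1003:constructed:/home/carol:
EOF
}

# report PASSWD SHELLS: print user, shell and pass/fail for every account.
report() {
    cut -d: -f1 "$1" | while read -r u; do
        if shell_ok "$1" "$2" "$u"; then v=pass; else v=fail; fi
        printf '%s\t%s\t%s\n' "$u" "$(user_shell "$1" "$u")" "$v"
    done
}

d=$(mktemp -d) && write_samples "$d" && report "$d/passwd" "$d/shells"
rm -rf "$d"
```

To check a real system, call `report /etc/passwd /etc/shells`; any account marked fail has a shell string that does not appear verbatim in the shells file.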
 
Thanks for the reply, here is what I had in /etc/shells:
Code:
/bin/sh
/bin/csh
/bin/tcsh
/sbin/nologin

So I changed it to /usr/sbin/nologin, pretty sure that /usr/ part doesn't matter but worth a try. But I still get the same 530 user error as soon as I try to ftp in. One odd thing I did notice is that when I go to add a new user, here is my list of shells to pick from: Shell (sh csh tcsh nologin nologin). See how nologin is listed twice, is that normal? Maybe that has something to do with my problem.
 
So does anyone have any ideas why this is not working for me? I double-checked /etc/shells/ and everything looks right. I have:
Code:
/bin/sh
/bin/csh
/bin/tcsh
/sbin/nologin
I still don't understand how I have two nologin entries when I go to add a new user, and if I set a user to nologin it locks them out with a 501 error.

Any and all help would be great.
 