
I have a vsftpd server that allows local users to log in to FTP. How do I prevent some local users from logging in to a shell account and allow them to log in only to the FTP server (vsftpd)?

Castaglia
marioosh

3 Answers

You should use virtual users, and be careful that the logins match between them.

/etc/vsftpd.conf:

listen=YES
anonymous_enable=NO
local_enable=YES
virtual_use_local_privs=YES
write_enable=YES
connect_from_port_20=YES
secure_chroot_dir=/var/run/vsftpd
# look here: this is the stack in /etc/pam.d/ that vsftpd authenticates against
# (vsftpd does not accept trailing comments on a config line, so keep them on their own line)
pam_service_name=vsftpd
guest_enable=YES
# careful: every virtual login is mapped onto this local account
guest_username=ftp
user_sub_token=$USER
# careful: user_sub_token only has an effect if $USER appears in this path
local_root=/var/ftpserver/
chroot_local_user=YES
hide_ids=YES
syslog_enable=YES
file_open_mode=0666
local_umask=0022

/etc/pam.d/vsftpd:

auth    required pam_pwdfile.so pwdfile /etc/vsftpd.passwd # htpasswd file
account required pam_permit.so

and create the password file with: htpasswd -c /etc/vsftpd.passwd username

MealstroM
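As an added example (not part of MealstroM's answer), a small POSIX sh helper for maintaining the pam_pwdfile password file that the /etc/pam.d/vsftpd stack above reads. Every path is a parameter so it can be tried against copies of the files; the function names are mine, and vftp_hash assumes openssl is installed as a stand-in for htpasswd -m (pam_pwdfile accepts the $apr1$ MD5 format htpasswd produces as well as crypt(3) hashes). The collision check is the "be careful that the logins match" point: a virtual name that is also a real local account is confusing at best, and with guest_username=ftp it still ends up running as the ftp user anyway.

```shell
#!/bin/sh
# Added example: manage name:hash entries for pam_pwdfile.so.
# Paths are parameters so the functions can be exercised on constructed copies.

# Does the name exist as a real local account?  ($2 = system passwd file)
vftp_name_collides() {
    cut -d: -f1 "$2" | grep -qx -- "$1"
}

# Is the name already in the vsftpd password file?  ($2 = vsftpd.passwd)
vftp_user_exists() {
    [ -f "$2" ] && cut -d: -f1 "$2" | grep -qx -- "$1"
}

# Append "name:hash" to the vsftpd password file.
#   $1=name  $2=hash  $3=vsftpd.passwd  $4=system passwd file
# Returns 1 for an unsafe name, 2 if it collides with a local account,
# 3 if it is already present, 0 on success.
vftp_add_user() {
    case "$1" in
        # keep names filesystem- and token-safe: user_sub_token=$USER puts
        # the login name straight into local_root
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    vftp_name_collides "$1" "$4" && return 2
    vftp_user_exists "$1" "$3" && return 3
    printf '%s:%s\n' "$1" "$2" >> "$3"
    chmod 0600 "$3"             # pam_pwdfile runs as root; nobody else needs to read the hashes
}

# htpasswd -m equivalent using openssl (assumed installed): $apr1$ MD5 hash.
vftp_hash() {
    openssl passwd -apr1 "$1"
}

# List the virtual user names.  ($1 = vsftpd.passwd)
vftp_list_users() {
    cut -d: -f1 "$1"
}
```

Typical use would be `vftp_add_user alice "$(vftp_hash 'S3cret')" /etc/vsftpd.passwd /etc/passwd`, followed by creating the user's directory under local_root (owned by the ftp account named in guest_username) before the first login.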

I don't think using virtual users is necessary at all. Regular users will do just fine.

Add a line to /etc/shells, if it is not already there:

/bin/false

For the users you would like to be able to use only FTP, edit /etc/passwd and change their shell (which usually defaults to /bin/bash or /bin/sh) to /bin/false

e.g.:

From this:

jdoe:x:1000:1000:John:/home/fbh:/bin/bash

To this

jdoe:x:1000:1000:John:/home/fbh:/bin/false

This way, that user will only be able to login using FTP.

Frands Hansen
    Unless you are using FTP over TLS, this provides any eavesdropping party with a username and password of a REAL account on the ftp server. Virtual users don't provide that. – vezult Mar 29 '11 at 12:56
  • This solution does not work on recent versions of operating systems (and/or) vsftpd, at least... not on CentOS. For this to work, you need to comment out: `auth required pam_shells.so` in `/etc/pam.d/vsftpd` – Hasan Alsawadi Oct 10 '20 at 02:14
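As an added example (not from the answer or the comments), the same change as a POSIX sh script that works on copies of /etc/passwd, /etc/shells and /etc/pam.d/vsftpd passed in as parameters, and that checks the point raised in the second comment: when the vsftpd PAM stack contains `auth required pam_shells.so`, a login shell that is not listed in /etc/shells gets the FTP login rejected as well, which is why the answer's /etc/shells step matters. Function names are mine.

```shell
#!/bin/sh
# Added example: make a local account FTP-only and predict what PAM will do.
# File paths are parameters so the functions run against constructed copies.

# Add a shell to the shells file if it is not already listed.  $1=shell $2=shells file
ensure_shell_listed() {
    grep -qx -- "$1" "$2" 2>/dev/null || printf '%s\n' "$1" >> "$2"
}

# Rewrite field 7 of the user's passwd entry (what "usermod -s" does).
#   $1=user  $2=shell  $3=passwd file
set_login_shell() {
    awk -F: -v u="$1" -v s="$2" 'BEGIN{OFS=":"} $1==u {$7=s} {print}' "$3" > "$3.tmp" \
        && mv "$3.tmp" "$3"
}

# Print the user's current login shell.  $1=user $2=passwd file
user_shell() {
    awk -F: -v u="$1" '$1==u {print $7}' "$2"
}

# Does the vsftpd PAM stack gate logins on /etc/shells?  $1=pam file
pam_requires_valid_shell() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_shells\.so' "$1"
}

# Predict the outcome for a user:
#   0 = FTP allowed, interactive login blocked (the goal)
#   1 = FTP allowed, but the shell is interactive (both logins work)
#   2 = FTP rejected: pam_shells is active and the shell is not in /etc/shells
#   $1=user  $2=passwd file  $3=shells file  $4=pam file
ftp_only_status() {
    sh=$(user_shell "$1" "$2")
    if pam_requires_valid_shell "$4" && ! grep -qx -- "$sh" "$3"; then
        return 2
    fi
    case "$sh" in
        /bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}
```

On a real host the sequence is `ensure_shell_listed /bin/false /etc/shells`, then `set_login_shell jdoe /bin/false /etc/passwd` (or simply `usermod -s /bin/false jdoe`), then `ftp_only_status jdoe /etc/passwd /etc/shells /etc/pam.d/vsftpd` to confirm the account lands in state 0. Listing /bin/false in /etc/shells is what keeps pam_shells happy, but note that other software also consults /etc/shells to decide whether an account is "real" (chsh will then let users pick /bin/false themselves), so keep the entry deliberate rather than adding every non-interactive shell on the box.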