Setup FTP Only Access on a Unix box

Sometimes we want to give FTP *ONLY* access to certain machines. This strict FTP only access is done by providing an un-existing shell for the FTP user. Here we will see how to do that on a Solaris box.

Lets first try to create a FTP user with un-existing shell(/bin/true):
root@redcoral#useradd -m -d /home/ftpuser -c "FTP only user" -s /bin/true ftpuser
UX: useradd: ERROR: /bin/true is not a valid shell.  Choose another.
Looks like we don't have the shell(/bin/true) defined in /etc/shells.

Note that in Solaris we need to create the file /etc/shells. Linux usually will have the file by default.
root@redcoral#less /etc/shells
/etc/shells: No such file or directory

1. Create the file with the contents as below:
root@redcoral#vi /etc/shells
Save and exit vi.

2. Now lets try create the user and password:
root@redcoral#useradd -m -d /home/ftpuser -c "FTP only user" -s /bin/true ftpuser

root@redcoral#id ftpuser
uid=59088(ftpuser) gid=1(other)

root@redcoral#passwd ftpuser
New Password:
Re-enter new Password:
passwd: password successfully changed for ftpuser

root@redcoral#tail /etc/passwd
postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
svctag:x:95:12:Service Tag UID:/:
nobody:x:60001:60001:NFS Anonymous Access User:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
oracle:x:30001:30001:Oracle Admin Account:/opt/oracle:/bin/bash
ftpuser:x:59088:1:FTP only user:/home/ftpuser:/bin/true

3. We are done with the FTP configuration. Let us check our FTP access:
sarat@raisin#ftp redcoral
Connected to
220 FTP server ready.
Name (redcoral:sarat): ftpuser
331 Password required for ftpuser.
230 User ftpuser logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/ftpuser" is current directory.
ftp> bye
221-You have transferred 0 bytes in 0 files.
221-Total traffic for this session was 300 bytes in 0 transfers.
221-Thank you for using the FTP service on
221 Goodbye.
Its working, great!

4. Now let us check ssh login to the box, which should actually fail:
sarat@raisin#ssh -l ftpuser redcoral
Last login: Tue Jul  1 23:30:59 2014 from
Connection to redcoral closed.

No comments:

Post a Comment