Proftpd Users

Hellzone · Apprentice Joined: 23 May 2003 Posts: 167

Basically i need to know how to setup seperate users for proftpd without the users needing shell access (so basically users that are accessible in proftpd only)

any suggestions?

-James

Torg · n00b Joined: 21 Oct 2002 Posts: 30

I had wanted to do that as well... I finally gave up and used pure-ftpd instead, which does support that feature.

Check it out.

-Torg

Hellzone · Apprentice Joined: 23 May 2003 Posts: 167

How do you do it with pure-ftpd?

Torg · n00b Joined: 21 Oct 2002 Posts: 30

http://www.pureftpd.org/README.Virtual-Users

that page should do the trick for you =)

-Torg

samokk · Posted: Fri Jun 13, 2003 1:45 pm Post subject:

I think you can do it using something called "virtual users"

check the doc

sam

Donut · n00b Joined: 27 Apr 2003 Posts: 40

If you have Webmin installed it really helps because you can use its Proftp plugin to configure proftp more visually via a browser (eg. https://localhost:10000).

First I would create a dummy user in /etc/passwd with a /var/empty home directory, a /bin/false shell and a random unknown password to prevent normal shell logins. Then via Webmin in the Proftp - Authentication section, set-up the 'alias' users you want with whatever names and map each to the dummy user(s) which you created in /etc/passwd. Also in this section specifiy an alternative password (ie. different than passwd/shadow) for this dummy user. There is also a radio button question in this section asking if a Valid User Shell is required - select 'no'. You would also specify things like Disallow Root User Logins, Authenticate Aliased Users Only and ring-fenced base ftp directories in this section in webmin.

This is probably NOT the most secure or hardened way of doing it so I would suggest once you have something working, read some of the Gentoo Security doc which has a section on Proftp..

http://www.gentoo.org/doc/en/gentoo-security.xml

Hope this helps

Paul

Hellzone · Apprentice Joined: 23 May 2003 Posts: 167

in the end i decided to use mysql authentification as it's quick, easy, secure and ties in perfectly with the rest of the site... plus i know how to secure it and change it to my needs.

thanks for the help guys

-James

hygge · n00b Joined: 07 Jan 2003 Posts: 66 Location: Sweden

with this in your proftpd.conf you can have this kind of virtual ftp-only users. the important option is AuthUserFile, that lets you have another passwd-file for proftpd. with the utility 'ftpasswd', available at http://www.castaglia.org/proftpd/contrib/ftpasswd.html you can make posts you your choosen passwd-file. you can let every "ftp-user" have the same homedir, /home/ftp/. every user can have the same uid and gid as they are not real system users.

NOTE: dont forget DefaultRoot ~, that chroots the user into their homedir (= they cant go up in the filesystem as they are looked in /home/ftp).

# Hygges ftpserver configuration.

ServerName "Hygges Hideout"
ServerIdent on "Hygges Hideout"
ServerType inetd
DefaultServer on
Port 21
Umask 022
User ftp
Group ftp
AuthUserFile /etc/ftpd.passwd
DefaultTransferMode binary
DefaultRoot ~
DirFakeGroup on
DirFakeUser on
DirFakeMode 0640
TimeoutStalled 300
RequireValidShell off
AllowForeignAddress on
DeleteAbortedStores on
UseReverseDNS off
IdentLookups off
DisplayLogin welcome.msg
DisplayFirstChdir .message
SystemLog /var/log/proftpd.log
TransferLog /var/log/xferlog

#<Limit LOGIN>
# DenyAll
#</Limit>

<Limit WRITE>
DenyAll
</Limit>

<Directory ~/upload>
<Limit STOR MKD>
AllowAll
</Limit>
</Directory>

# Public account.

<Anonymous ~ftp>
AnonRequirePassword on
UserAlias 0day ftp
MaxClientsPerHost 1 "Only one connection/host, leechkiddie!"
MaxClients 5 "The maximum number of allowed users are already connected."

# <Limit LOGIN>
# DenyAll
# </Limit>

<Directory upload/>
<Limit STOR MKD>
AllowAll
</Limit>
</Directory>

</Anonymous>

xedx · Tux's lil' helper Joined: 23 May 2003 Posts: 93

imho pure-ftpd & vsftpd are better for virtual users...
_________________
--+//+

hygge · n00b Joined: 07 Jan 2003 Posts: 66 Location: Sweden

i dont know i havent tried any of them. but one thing is sure; it's more elite to tweak proftpd to its limit =)

samokk · Posted: Sat Jun 14, 2003 1:34 pm Post subject:

tgoodaire · Posted: Sun Jun 15, 2003 3:29 am Post subject:

I just set up users without shell accounts to do that. ie. set their shell to /bin/nologin
_________________
I bent my wookie.

samokk · Posted: Sun Jun 15, 2003 9:10 am Post subject:

Hellzone · Apprentice Joined: 23 May 2003 Posts: 167

And thats what im trying to avoid... mess, as im already looking to have a large client base when i start, and even then im looking towards the future.

Its all very well me making easy to use interfaces to allow me to manipulate the mess quickly and efficently but if somethign goes wrong and i have to modify raw data, quite frankly with hundreds of users im fecked unless i have some form of order.

-James

samokk · Posted: Mon Jun 16, 2003 7:52 am Post subject: Re:

s0be · Apprentice Joined: 23 Nov 2002 Posts: 240

I've found using mysql for auth in proftpd and for logging is much easier than having created a bunch of users with /bin/false as their shell. also, you can do a lot of neet stuff like bandwidth limiting users depending on who they are.

s0be

tecknojunky · Posted: Sun Jul 13, 2003 3:02 pm Post subject: Re: Proftpd Users