Re: ftp question
Dan Harnett wrote:
>
> On Tue, Jul 31, 2001 at 10:17:40PM -0400, Nick Holland wrote:
> >
> > Apparently, as soon as ftp saw that obsd had a shell of /usr/bin/false
> > and wasn't in ftpchroot, it rejected me. When I changed obsd's shell
> > back to ksh, I could log in and poke around in places I "didn't
> > belong". Could this be your problem?
> >
>
> I didn't see anyone mention /etc/shells. ftpd checks /etc/shells for a
> valid shell (see ftpd(8) and shells(5)). If /usr/bin/false was not
> listed, then access is denied whether the user is listed in
> /etc/ftpchroot or not.
Experimental evidence indicates to the contrary:
ftp /etc # more shells
# $OpenBSD: shells,v 1.5 1997/05/28 21:42:20 deraadt Exp $
# List of acceptable shells for chpass(1).
# Ftpd will not allow users to connect who are not using
# one of these shells.
/bin/sh
/bin/csh
/bin/ksh
ftp /etc # grep obsd passwd
obsd:*:1001:1001:OpenBSD ftp installs:/home/obsd:/usr/bin/false
(not in shells)
ftp /etc # more ftpchroot
# $OpenBSD: ftpchroot,v 1.3 1996/07/18 12:12:47 deraadt Exp $
#
# list of users (one per line) given ftp access to a chrooted area.
# read by ftpd(8).
obsd
nick
from another system:
CWD Devl /home/nick $ ftp ftp
Connected to ftp.in.holland-consulting.net.
220 ftp.in.holland-consulting.net FTP server (Version 6.5/OpenBSD)
ready.
Name (ftp:nick): obsd
331 Password required for obsd.
Password:
230 User obsd logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||29953|)
150 Opening ASCII mode data connection for '/bin/ls'.
total 12
-rw-r--r-- 1 1001 1001 769 Jul 21 21:50 .cshrc
-rw-r--r-- 1 1001 1001 318 Jul 21 21:50 .login
-rw-r--r-- 1 1001 1001 105 Jul 21 21:50 .mailrc
-rw-r--r-- 1 1001 1001 402 Jul 21 21:50 .profile
-rw------- 1 1001 1001 128 Jul 21 21:50 .rhosts
drwxr-xr-x 3 0 1001 512 Jul 21 21:51 pub
226 Transfer complete.
however, after removing obsd from ftpchroot, I got:
CWD Devl /home/nick $ ftp ftp
Connected to ftp.in.holland-consulting.net.
220 ftp.in.holland-consulting.net FTP server (Version 6.5/OpenBSD)
ready.
Name (ftp:nick): obsd
530 User obsd access denied.
ftp: Login failed.
Putting /usr/bin/false into /etc/shells got me back to being able to
log in with ftp.
THAT BEING SAID, I think I was implying, if not outright stating, that
putting /usr/bin/false as a user's shell would prevent their login
using ftp...this is dead wrong, and I knew it, but apparently not late
at night. (Can I plead 10:00pm as "late at night?" O.k., how about
if I just plead temporary insanity? 8-)
Nick.
--
http://www.holland-consulting.net/
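The access rule Nick's experiment demonstrates (shell in /etc/shells, or user listed in /etc/ftpchroot, otherwise "530 access denied") is easy to get wrong when auditing an old ftpd box by hand. The script below is an added example, not code from the thread or from OpenBSD's ftpd: it models that observed rule and runs it over constructed copies of the three files shown above (the passwd entries for root, nick and nobody are made up for the example; ftpd's real decision logic is in ftpd.c and may differ in details such as /etc/ftpusers handling, which the thread does not cover).

```python
"""Model of the ftpd(8) login gate as observed in the thread above.

Rule reconstructed from the experiment (an assumption, not ftpd source):
  - a user whose login shell is listed in /etc/shells may log in
    (chrooted to $HOME if also listed in /etc/ftpchroot, else full access);
  - a user listed in /etc/ftpchroot may log in even when the shell is not
    in /etc/shells (obsd with /usr/bin/false);
  - anyone else gets "530 User ... access denied."
"""
from dataclasses import dataclass

# Constructed copies of the files from the thread (comment lines kept to
# show that the parser skips them).
SHELLS = """# List of acceptable shells for chpass(1).
# Ftpd will not allow users to connect who are not using
# one of these shells.
/bin/sh
/bin/csh
/bin/ksh
"""

FTPCHROOT = """# list of users (one per line) given ftp access to a chrooted area.
# read by ftpd(8).
obsd
nick
"""

# Only the obsd line is from the thread; the others are constructed.
PASSWD = """root:*:0:0:Charlie &:/root:/bin/csh
nick:*:1000:1000:Nick:/home/nick:/bin/ksh
obsd:*:1001:1001:OpenBSD ftp installs:/home/obsd:/usr/bin/false
nobody:*:32767:32767:Unprivileged user:/nonexistent:/sbin/nologin
"""


@dataclass
class Account:
    name: str
    uid: int
    home: str
    shell: str


def parse_list(text):
    """Non-comment, non-blank entries of a shells(5)- or ftpchroot-style file."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def parse_passwd(text):
    """Parse passwd(5) lines into Account objects keyed by login name."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:          # malformed line: skip rather than guess
            continue
        name, _pw, uid, _gid, _gecos, home, shell = fields
        accounts[name] = Account(name, int(uid), home, shell)
    return accounts


def ftp_access(user, passwd_text, shells_text, ftpchroot_text):
    """Return (allowed, reason) for an ftp login attempt by `user`."""
    accounts = parse_passwd(passwd_text)
    shells = set(parse_list(shells_text))
    chrooted = set(parse_list(ftpchroot_text))
    acct = accounts.get(user)
    if acct is None:
        return False, "no such account"
    if user in chrooted:
        # Observed: ftpchroot membership lets obsd in despite /usr/bin/false.
        return True, "chrooted to %s" % acct.home
    if acct.shell in shells:
        # Observed: /usr/bin/false added to /etc/shells restored the login,
        # now without a chroot, i.e. the "poke around" case from the thread.
        return True, "full access"
    return False, "530 User %s access denied (shell %s not in /etc/shells)" % (user, acct.shell)


def audit(passwd_text, shells_text, ftpchroot_text):
    """Report the ftp status of every account, for a quick review of a host."""
    return {name: ftp_access(name, passwd_text, shells_text, ftpchroot_text)
            for name in parse_passwd(passwd_text)}


if __name__ == "__main__":
    for name, (ok, why) in sorted(audit(PASSWD, SHELLS, FTPCHROOT).items()):
        print("%-8s %s  %s" % (name, "ALLOW" if ok else "DENY ", why))
```

Reading the audit output is the useful part: the accounts marked "full access" are the ones that, like obsd once /usr/bin/false was in /etc/shells, can browse outside their home directory, which is exactly the situation Nick's original message worried about. On a real host, read the three files from /etc instead of the constructed strings.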