Disable shell access for FTP user accounts on a server running ProFTPD

Friday, 2nd July 2010

I’ve been required to configure a Linux server running the ProFTPD server in a way that (bash) shell access is disabled for security reasons.
This could possibly prevent listing of file content on the server if the FTP user account logs in to the server through the SSH protocol.

Since I hadn’t set such a restriction before on a server where ProFTPD manages the FTP accounts, I had to consult the ProFTPD authentication documentation.

It explains a sysadmin trick for prohibiting SSH access for the FTP users.

Here is a quick walk-through of how this is achieved on Debian Linux:

debian-server:~# vim /etc/proftpd/proftpd.conf

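In the conf file, uncomment the line:

#RequireValidShell off

so that it reads:

RequireValidShell off

With this set, ProFTPD no longer rejects logins from accounts whose shell is not listed in /etc/shells, which is what lets a user with /bin/false as shell keep using FTP.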

Then you will have to edit your /etc/passwd file.

In /etc/passwd, find the FTP user for which you’d like to disable SSH access and make sure its shell is set to /bin/false.

Now let’s say you’d like to disable SSH logins for the FTP user testftpuser. While editing /etc/passwd you will notice a line:

testftpuser:x:1001:1001:SoccerFame,,,:/home/testftpuser:/bin/bash

The line should be changed to look like:

testftpuser:x:1001:1001:SoccerFame,,,:/home/testftpuser:/bin/false

If you’d like to change all system users who have access to the ProFTPD server as well, you can easily do that with a tiny shell script.
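
One way to write such a script, as an added example that is not from the original post. It assumes the FTP users are the accounts with UID 1000 and above, that a hypothetical account named admin must keep its login shell, and it calls usermod -s instead of hand-editing /etc/passwd; the function names and the sample passwd lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: give every regular account except an allow-list /bin/false.
# Assumptions (not from the original post): FTP users are the accounts with
# UID >= 1000, and the keep list names admins who must keep a login shell.

NEW_SHELL=/bin/false

# Print the names of accounts in passwd-format file $1 that still have a
# login shell. $2 = lowest UID to touch, $3 = space-separated names to skip.
ftp_shell_candidates() {
    awk -F: -v min="$2" -v keep="$3" -v new="$NEW_SHELL" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) skip[k[i]] = 1 }
        # 7 fields = well-formed entry; 65534 is the "nobody" account
        NF == 7 && $3 >= min && $3 != 65534 && !($1 in skip) && $7 != new { print $1 }
    ' "$1"
}

# Change the shell of every candidate with usermod.
# With DRY_RUN=1 (the default) the commands are only printed for review.
lock_shells() {
    for user in $(ftp_shell_candidates "$1" "$2" "$3"); do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "usermod -s $NEW_SHELL $user"
        else
            usermod -s "$NEW_SHELL" "$user"
        fi
    done
}

# Constructed sample data, so the demo never touches the real /etc/passwd.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
proftpd:x:106:65534::/var/run/proftpd:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
admin:x:1000:1000:Admin,,,:/home/admin:/bin/bash
testftpuser:x:1001:1001:SoccerFame,,,:/home/testftpuser:/bin/bash
ftpuser2:x:1002:1002:,,,:/home/ftpuser2:/bin/false
EOF
DRY_RUN=1
lock_shells "$sample" 1000 "admin"   # prints: usermod -s /bin/false testftpuser
rm -f "$sample"
```

On a real server, review the dry-run output of lock_shells /etc/passwd 1000 "admin" first, then repeat it as root with DRY_RUN=0; leaving an administrator out of the keep list would lock that account out of SSH as well.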
