Here is a way to let a system user log in to a ProFTPD server while disabling the same user's system access through bash, csh or any other shell.
In the examples below I assume the system user is called ftp-user and the running GNU/Linux is Debian. However, the same instructions should probably work on other Linux distributions as well.
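1. Let’s begin by creating a pseudo shell named /bin/ftpaccess. The script starts with a #!/bin/sh line so that it can be executed directly as a login shell and print its message:
debian:~# touch /bin/ftpaccess
debian:~# echo '#!/bin/sh' > /bin/ftpaccess
debian:~# echo 'echo "This account is for ftp access only"' >> /bin/ftpaccess
debian:~# echo 'exit 0' >> /bin/ftpaccess
debian:~# chmod +x /bin/ftpaccess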
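2. It’s also necessary to include the newly created pseudo FTP shell /bin/ftpaccess in your /etc/shells file. ProFTPD's RequireValidShell directive is on by default and refuses logins for users whose shell is not listed there.
debian:~# echo '/bin/ftpaccess' >> /etc/shells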
3. Then edit your /etc/passwd and change the user's shell. You should edit a line similar to:
ftp-user:x:1011:1005:FTP User,,,:/home/ftp-user:/bin/bash
Afterwards the same user's /etc/passwd line should look like:
ftp-user:x:1011:1005:FTP User,,,:/home/ftp-user:/bin/ftpaccess
Now ftp-user should have FTP upload/download access to the server, but its SSH, SCP and SFTP access will be disabled.
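One way to verify the result of the three steps above, as an added example that is not part of the original post: a check_ftp_only function (a hypothetical name) that reads the passwd and shells files and inspects the pseudo shell. The sample files at the end are constructed stand-ins for /etc/passwd and /etc/shells, and the binary check assumes Linux ELF executables.

```shell
#!/bin/sh
# Added example (not from the original post): audit an FTP-only account.
# check_ftp_only USER [PASSWD_FILE] [SHELLS_FILE]; returns 0 when all checks pass.
check_ftp_only() {
    user=$1 passwd=${2:-/etc/passwd} shells=${3:-/etc/shells} rc=0
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd")
    [ -n "$entry" ] || { echo "FAIL: no passwd entry for $user"; return 2; }
    shell=${entry##*:}                 # field 7, the login shell
    [ -n "$shell" ] || shell=/bin/sh   # passwd(5): an empty field means /bin/sh

    # ProFTPD's default RequireValidShell refuses shells missing from /etc/shells.
    if grep -qxF -- "$shell" "$shells"; then
        echo "OK: $shell is listed in $shells"
    else
        echo "FAIL: $shell is not in $shells, FTP login would be refused"; rc=1
    fi

    # The restriction is void if the login shell is still a real interpreter.
    case ${shell##*/} in
        sh|bash|dash|ksh|zsh|csh|tcsh|fish)
            echo "FAIL: $shell is an interactive shell"; rc=1 ;;
        *)  echo "OK: $shell is not a known interactive shell" ;;
    esac

    # A login shell is exec'd directly: it must be executable and be either
    # an ELF binary or a script whose first two bytes are "#!".
    if [ ! -x "$shell" ]; then
        echo "FAIL: $shell is missing or not executable"; rc=1
    else
        magic=$(head -c 4 "$shell" | od -An -c | tr -d ' \n')  # \177ELF prints as 177ELF
        case $magic in
            '#!'*|177ELF) echo "OK: $shell can be exec'd directly" ;;
            *) echo "FAIL: $shell has no #! line"; rc=1 ;;
        esac
    fi
    return $rc
}

# Constructed sample data in a scratch directory (stand-ins for the /etc files).
demo=$(mktemp -d)
printf '#!/bin/sh\necho "This account is for ftp access only"\nexit 0\n' > "$demo/ftpaccess"
chmod +x "$demo/ftpaccess"
printf '/bin/sh\n%s\n' "$demo/ftpaccess" > "$demo/shells"
printf 'ftp-user:x:1011:1005:FTP User,,,:/home/ftp-user:%s\n' "$demo/ftpaccess" > "$demo/passwd"
check_ftp_only ftp-user "$demo/passwd" "$demo/shells"
```

Called with only a user name, the function reads the real /etc/passwd and /etc/shells.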
Speaking of disabling SFTP access, it is worth mentioning the RSSH project.
RSSH is quite cool: it can restrict shell access via SSH while still allowing users to use the SFTP and SCP protocols.
Other user feedback/experience for accomplishing the same task is very welcome!
You could use /bin/false for this without creating a new shell. Not sure if Debian has this, but for RHEL/CentOS it would be simple.
So it would just be the following steps:
echo "/bin/false" >> /etc/shells
usermod -s /bin/false ftp-user
Done!
Also – check out scponly as an alternative to RSSH since the RSSH maintainer left the project some time ago.
Thanks for the post.
Hi Jason,
Thank you very much for the good notes. I’ll bear them in mind for the future.
Cya around
I really love approaching your website! Your unique strategy to see things is what keeps me interested. Thanks so much!!!!
I have just used the script. This is a really effective post.
Thanks indeed!