
setup FTP-only user and ftproot in Panther?
Dedicated MacNNer
Join Date: Jun 2000
Mar 25, 2004, 11:45 PM
 
is there a way that I can setup a user account in Panther that can ONLY login via FTP (i.e. has no home directory, shell access, AppleTalk/SMB or any other access), and which only has access to a defined ftproot directory (cannot fish around my file system)?

thanks for any suggestions.
ox
     
Grizzled Veteran
Join Date: Nov 2001
Location: Oregon
Mar 26, 2004, 09:57 PM
 
Yes, this is possible to do in UNIX in general. Under MacOS X, I'm not sure how much (if any) of it might be done through NetInfo Manager, or how much is done in the traditional UNIX way. Google around for more info. Also not sure about the remote AppleScript part.

However, I've got to say that FTP is an inherently bad way to grant access to your computer, as user account names and passwords are sent in the clear. SSH is far superior... and access can easily be restricted via the SSHD configuration file.
     
Junior Member
Join Date: Nov 2003
Mar 27, 2004, 02:42 AM
 
You might want to try PureFTPd Manager (http://www.apple.com/downloads/macos...pdmanager.html).

It allows the setup of virtual users.
     
Fresh-Faced Recruit
Join Date: Feb 2001
Mar 27, 2004, 09:36 PM
 
While PureFtpd will work, perhaps there is no need for such a full-fledged ftp server.

To do what the OP wanted, first, if it does not exist, create a file in /etc/ftpchroot and in that file put the short username of the user you want to "jail" to his home directory.

Restart your ftp server and they can now not go up the directory tree. They can still ssh and sftp in, though; to remove this, in NetInfo set the shell to /sbin/nologin. Also add to /etc/shells the string /sbin/nologin so they can still normal ftp into the machine.
     
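Scott's three steps above, written out as an added shell example (not code from the thread): list the user in /etc/ftpchroot, permit /sbin/nologin in /etc/shells, and take the login shell away in NetInfo, followed by a check that the account really ends up FTP-only. The file paths are parameters so the edits can be rehearsed on copies; the niutil invocation for the NetInfo shell change is an assumption, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: lock a Panther account down to
# chrooted FTP only, following the steps in Scott's post.
# Assumptions (not stated in the thread): /etc/ftpchroot and /etc/shells
# hold one entry per line, and the NetInfo shell change is done with niutil(8).

# Append LINE to FILE only if an identical line is not already there.
add_line_once() {
    file=$1; line=$2
    touch "$file" || return 1
    grep -qx -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Step 1: list the user in ftpchroot so ftpd confines them to $HOME.
# Step 2: allow /sbin/nologin in /etc/shells so ftpd still accepts the
#         login even though the shell is non-interactive.
# Paths default to the real files; pass copies to rehearse.
jail_ftp_user() {
    user=$1
    ftpchroot=${2:-/etc/ftpchroot}
    shells=${3:-/etc/shells}
    add_line_once "$ftpchroot" "$user" &&
    add_line_once "$shells" /sbin/nologin
}

# Step 3 (Panther / NetInfo, assumed syntax): set the login shell to
# /sbin/nologin so ssh and sftp are refused. Run only on the real system.
set_nologin_shell() {
    niutil -createprop . "/users/$1" shell /sbin/nologin
}

# Post-check: succeeds only if the user is in ftpchroot, /sbin/nologin is a
# permitted shell, and the account's current shell (passed in) is /sbin/nologin.
ftp_only_ok() {
    user=$1; ftpchroot=$2; shells=$3; shell=$4
    grep -qx -- "$user" "$ftpchroot" &&
    grep -qx -- /sbin/nologin "$shells" &&
    [ "$shell" = /sbin/nologin ]
}
```

Running `jail_ftp_user` twice leaves each file with a single entry, so it is safe to re-run after restarting ftpd.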
Mac Elite
Join Date: Feb 2001
Location: Canaduh
Mar 28, 2004, 12:35 AM
 
Originally posted by Rainy Day:
SSH is far superior... and access can easily be restricted via the SSHD configuration file.
It was my understanding that you can't jail ssh users. How do you modify the SSHD config file to restrict user access?
     
Fresh-Faced Recruit
Join Date: Feb 2001
Mar 28, 2004, 01:11 AM
 
You cannot easily jail ssh, nor would you want to anyway; your file system permissions should protect anyone from doing any harm anyway.
     
Grizzled Veteran
Join Date: Nov 2001
Location: Oregon
Mar 28, 2004, 03:34 PM
 
I'm not talking about a chroot "jail." You can restrict many aspects of access, such as who may connect, how, from where, to which accounts, what they may do while connected, etc. It's possible to restrict who is allowed to connect and limit what they may do while connected to just a single command (e.g. ftp or sftp).† Or allow all commands except a certain one (although this latter approach is rarely effective as a creative user may circumvent such restrictions).

Whole books exist on the topic of SSH alone (from multiple publishers), and they are worth checking out. Some information can be found on the Internet, but much of it is inadequate, bad advice, or just plain wrong. I really recommend one of the various books on the topic for the best details. Also, there's man sshd_config, but that can leave you with as many questions as answers.

† Note: ftp through an SSH session is secure because user names and passwords are encrypted via the SSH tunnel. But with MacOS X GUI apps like Fugu, why not just use sftp?

Edit: Fugu connects through SSH.
(Last edited by Rainy Day; Mar 28, 2004 at 03:46 PM. )
     
OmniX  (op)
Dedicated MacNNer
Join Date: Jun 2000
Mar 28, 2004, 04:42 PM
 
Scott--thanks for your helpful response; I haven't tried it just yet but I think that was the information I was looking for.
So that will allow 'jailed' ftp and disallow ssh (and thus sftp)--is there a way to disallow other protocols as well--in particular AppleTalk/AFS or SMB?
     
Grizzled Veteran
Join Date: Nov 2001
Location: Oregon
Mar 28, 2004, 06:10 PM
 
Originally posted by OmniX:
is there a way to disallow other protocols as well--in particular AppleTalk
You mean besides disabling it in the Sharing System Preferences panel? You could close its port in the firewall. This can be done from the terminal, or via a third party GUI interface. E.g. Brickwall et al.

Edit: Spelling
(Last edited by Rainy Day; Mar 28, 2004 at 06:28 PM. )
     
OmniX  (op)
Dedicated MacNNer
Join Date: Jun 2000
Mar 28, 2004, 06:13 PM
 
Originally posted by OmniX:
> is there a way to disallow other protocols as well--in particular AppleTalk/AFS or SMB?

> You mean besides disabling them in the Sharing System Preferences panel?

Yes, I mean specifically a way to disallow access via Appletalk or SMB on a per-user basis. I.e., I would like to have Appletalk and SMB enabled so I and a few others can use those protocols to access files on occasion, but have it so that other (specified) users can ONLY access the box via FTP, regardless of what other protocols are turned on in the Sharing Pref Pane.
     
Grizzled Veteran
Join Date: Nov 2001
Location: Oregon
Mar 28, 2004, 06:27 PM
 
You could do that through the firewall, at least partially. That is, you can close down the firewall on the appropriate ports and only allow access to those ports from certain IP addresses, for example. You'll definitely need to do that via the Terminal, or maybe possibly via a third party GUI front-end?

A more flexible approach, once again, is SSH. You have a variety of options when permitting access via SSH. You can limit access by IP, by user, by public key pair authorization, etc. Using this approach, you can still use your ftp solution, but require that users access your box via an SSH tunnel, and limit the ftp users to ftp access only. For the trusted users you can open things up a bit more. Then close down your firewall allowing only port 22 to remain open.
     