vsFTPd and invalid shells


Recently I have been helping one of my mates with installing and configuring a new server for their business (Komunikado), and in doing so we came across a feature of vsFTPd (very secure FTP daemon) that I had encountered before myself: all local users must have a valid shell to be able to log in to the FTP server.

Often, though, one wants to disallow anonymous logins while also denying SSH login to the server's users (i.e. FTP access only); this might be the case for web hosting or similar services.

Having a valid shell means that the binary named in the user's entry (the 6th and last column of /etc/passwd) must be listed in /etc/shells. To disallow SSH login for a local user, you would normally set the user's login shell to something that is not an interactive shell, such as /bin/false, /bin/nologin, /dev/null or similar. But doing so makes vsFTPd refuse logins for any such user.

As it turns out, there are two ways to fix this. The choice is up to you.

Fix 1 – Disabling the valid-shell check in vsFTPd

This fix makes vsFTPd skip the “valid shell” check altogether. As vsFTPd uses PAM (Pluggable Authentication Modules), the fix is as easy as opening /etc/pam.d/vsftpd in your favourite editor and commenting out the following line, so that it reads:

#auth   required        pam_shells.so

The line is usually near the end of that file. The pam_shells.so module exists specifically to check that a given user has a valid shell, so dropping it from vsFTPd’s authentication stack loses nothing beyond that one check. Now restart vsFTPd (if you run it in standalone mode) by issuing:

$ /etc/init.d/vsftpd restart

If you are using inetd or similar, the change takes effect on the next session established with the FTP server.

Fix 2 – Adding the invalid shell to the shells file

This fix makes whatever non-shell binary you have put in the user’s entry (/bin/false, /bin/nologin or similar) count as a valid shell without actually being one. All you have to do is append the shell in question to /etc/shells:

$ echo "/bin/nologin" >> /etc/shells

This makes PAM treat /bin/nologin as a valid shell, so the valid-shell check passes for vsFTPd (and for any other service that uses it!) without the user actually being able to log in over SSH.

Personally I prefer the first fix, as it surgically disables the failing check in vsFTPd without changing the premise for any other service or altering the system-wide environment. Adding the invalid shell to the shells file may or may not adversely affect other services (probably not).
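To see which accounts are actually affected before picking a fix, here is a small audit script (an added example, not part of the original post). It lists the accounts whose passwd shell is missing from /etc/shells (the ones pam_shells.so rejects), reports whether a vsftpd PAM file still has the pam_shells.so line active, and, going a step beyond the post, lists every other service under pam.d that also uses pam_shells.so and so would be touched by Fix 2. All file paths are parameters; the passwd, shells and pam.d contents below are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post: audit the pam_shells.so situation
# that vsFTPd runs into. Paths are parameters; the sample data is constructed.

# Print "user shell" for each account whose login shell (passwd field 7) is not
# listed in the shells file, i.e. the accounts pam_shells.so would reject.
invalid_shell_users() {
    awk -F: -v shells="${2:-/etc/shells}" '
        BEGIN {
            # Load the valid shells, skipping blank lines and comments.
            while ((getline line < shells) > 0)
                if (line !~ /^[[:space:]]*#/ && line !~ /^[[:space:]]*$/)
                    valid[line] = 1
            close(shells)
        }
        !($7 in valid) { print $1, $7 }
    ' "${1:-/etc/passwd}"
}
# Print "active" if the PAM file still has an uncommented pam_shells.so auth
# line (the state before Fix 1), otherwise "disabled".
pam_shells_state() {
    if grep -Eq '^[[:space:]]*auth[[:space:]].*pam_shells\.so' "$1"; then
        echo active
    else
        echo disabled
    fi
}
# List the services in a pam.d directory that use pam_shells.so on an
# uncommented line; these are the ones Fix 2 (editing /etc/shells) affects too.
pam_shells_services() {
    grep -lE '^[^#]*pam_shells\.so' "${1:-/etc/pam.d}"/* 2>/dev/null | sed 's|.*/||'
}
# Constructed sample data so the script runs without touching the real system.
make_sample_data() {
    mkdir -p "$1/pam.d"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'www1:x:1001:1001:web customer:/var/www/site1:/bin/nologin' \
        'www2:x:1002:1002:web customer:/var/www/site2:/bin/false' \
        'alice:x:1003:1003:admin:/home/alice:/bin/bash' >"$1/passwd"
    printf '%s\n' '# /etc/shells: valid login shells' /bin/sh /bin/bash >"$1/shells"
    printf '#auth   required        pam_shells.so\n' >"$1/pam.d/vsftpd"
    printf 'auth       required   pam_shells.so\n' >"$1/pam.d/chsh"
}
sample=$(mktemp -d)
make_sample_data "$sample"
invalid_shell_users "$sample/passwd" "$sample/shells"   # www1 and www2
pam_shells_state "$sample/pam.d/vsftpd"                 # disabled
pam_shells_services "$sample/pam.d"                     # chsh
rm -rf "$sample"
```

Run the three functions without arguments (or with the real /etc/pam.d/vsftpd) to audit a live host instead of the sample data.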


  1. #1 by Mikkel on April 14, 2010 - 5:47 pm

    Works great! Thank you mate ;)

  2. #2 by Emil on February 18, 2011 - 10:35 am

    Thanks man, this post made me fix my ftp-only account in a jiffy ;-)

  3. #3 by Adrian Mantu on November 17, 2011 - 9:23 am

    Thank you very much, it works for me too.
