# Proftpd Users

## Hellzone

Basically I need to know how to set up separate users for proftpd without the users needing shell access (so basically users that are accessible in proftpd only).

Any suggestions?

-James

----------

## Torg

I had wanted to do that as well... I finally gave up and used pure-ftpd instead, which does support that feature.

Check it out.

-Torg

----------

## Hellzone

How do you do it with pure-ftpd?

----------

## Torg

http://www.pureftpd.org/README.Virtual-Users

that page should do the trick for you =)

-Torg

----------

## samokk

I think you can do it using something called "virtual users".

Check the doc.

sam

----------

## Donut

If you have Webmin installed it really helps because you can use its Proftp plugin to configure proftp more visually via a browser (eg. https://localhost:10000). 

First I would create a dummy user in /etc/passwd with a /var/empty home directory, a /bin/false shell and a random unknown password to prevent normal shell logins. Then via Webmin in the Proftp - Authentication section, set up the 'alias' users you want with whatever names and map each to the dummy user(s) which you created in /etc/passwd. Also in this section specify an alternative password (i.e. different than passwd/shadow) for this dummy user. There is also a radio button question in this section asking if a Valid User Shell is required - select 'no'. You would also specify things like Disallow Root User Logins, Authenticate Aliased Users Only and ring-fenced base ftp directories in this section in Webmin.

This is probably NOT the most secure or hardened way of doing it so I would suggest once you have something working, read some of the Gentoo Security doc which has a section on Proftp.

http://www.gentoo.org/doc/en/gentoo-security.xml

Hope this helps

Paul

----------

## Hellzone

In the end I decided to use mysql authentication as it's quick, easy, secure and ties in perfectly with the rest of the site... plus I know how to secure it and change it to my needs.

thanks for the help guys

-James

----------

## hygge

With this in your proftpd.conf you can have this kind of virtual ftp-only users. The important option is AuthUserFile, which lets you have another passwd-file for proftpd. With the utility 'ftpasswd', available at http://www.castaglia.org/proftpd/contrib/ftpasswd.html you can make posts to your chosen passwd-file. You can let every "ftp-user" have the same homedir, /home/ftp/. Every user can have the same uid and gid as they are not real system users.

NOTE: don't forget DefaultRoot ~, which chroots the user into their homedir (= they can't go up in the filesystem as they are locked in /home/ftp).

```
# Hygges ftpserver configuration.
ServerName                      "Hygges Hideout"
ServerIdent                     on "Hygges Hideout"
ServerType                      inetd
DefaultServer                   on
Port                            21
Umask                           022
User                            ftp
Group                           ftp
AuthUserFile                    /etc/ftpd.passwd
DefaultTransferMode             binary
DefaultRoot                     ~
DirFakeGroup                    on
DirFakeUser                     on
DirFakeMode                     0640
TimeoutStalled                  300
RequireValidShell               off
AllowForeignAddress             on
DeleteAbortedStores             on
UseReverseDNS                   off
IdentLookups                    off
DisplayLogin                    welcome.msg
DisplayFirstChdir               .message
SystemLog                       /var/log/proftpd.log
TransferLog                     /var/log/xferlog

#<Limit LOGIN>
#  DenyAll
#</Limit>

<Limit WRITE>
  DenyAll
</Limit>

<Directory ~/upload>
  <Limit STOR MKD>
    AllowAll
  </Limit>
</Directory>

# Public account.
<Anonymous ~ftp>
  AnonRequirePassword           on
  UserAlias                     0day ftp
  MaxClientsPerHost             1 "Only one connection/host, leechkiddie!"
  MaxClients                    5 "The maximum number of allowed users are already connected."

#  <Limit LOGIN>
#    DenyAll
#  </Limit>

  <Directory upload/>
    <Limit STOR MKD>
      AllowAll
    </Limit>
  </Directory>
</Anonymous>
```
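
Added example, not part of hygge's post or of ProFTPD itself: a Python audit of the passwd-format file that `AuthUserFile` points at, plus a check that the config still chroots users with `DefaultRoot`. The sample entries, the `/home/ftp` base and the `min_uid` threshold of 1000 are assumptions.

```python
import re

# Constructed sample data (not from the thread); the hashes are fake placeholders.
SAMPLE_PASSWD = """\
alice:$6$examplesalt$FAKEHASHFAKEHASHFAKEHASH:2001:2001::/home/ftp:/bin/false
bob:abFAKEDESHASH:2001:2001::/home/ftp:/bin/false
carol::2001:2001::/home/ftp/carol:/bin/false
dave:$6$examplesalt$FAKEHASHFAKEHASHFAKEHASH:0:0::/root:/bin/bash
"""
SAMPLE_CONF = "AuthUserFile /etc/ftpd.passwd\nAllowForeignAddress on\n#DefaultRoot ~\n"


def audit_passwd(text, base="/home/ftp", min_uid=1000):  # defaults are assumptions
    """Return (user, problem) pairs for a passwd-format AuthUserFile."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed entry, expected 7 fields"))
            continue
        name, pw, uid, _gid, _gecos, home, _shell = fields
        if pw == "":
            findings.append((name, "empty password field"))
        elif re.fullmatch(r"[./0-9A-Za-z]{13}", pw):
            findings.append((name, "traditional DES crypt hash"))
        # Virtual users may share one uid, but it must not be root or a system uid.
        if not uid.isdigit() or int(uid) < min_uid:
            findings.append((name, f"uid {uid} invalid or below {min_uid}"))
        # With "DefaultRoot ~" the home directory is the chroot, so pin it to base.
        if home != base and not home.startswith(base + "/"):
            findings.append((name, f"home {home} is outside {base}"))
    return findings


def audit_conf(text):
    """Return problems found among the active (uncommented) directives."""
    active = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts and not parts[0].startswith(("#", "<")):
            active[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    problems = []
    if "defaultroot" not in active:
        problems.append("no DefaultRoot: users are not chrooted")
    # AllowForeignAddress lets PORT name an address other than the client's own.
    if active.get("allowforeignaddress", "off").lower() == "on":
        problems.append("AllowForeignAddress on: PORT to third-party hosts allowed")
    return problems
```

Call `audit_passwd()` and `audit_conf()` on the contents of the real files; both return an empty list when nothing is flagged.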

----------

## xedx

imho pure-ftpd & vsftpd are better for virtual users...

----------

## hygge

I don't know, I haven't tried any of them. But one thing is sure: it's more elite to tweak proftpd to its limit =)

----------

## samokk

 *hygge wrote:*   

> With this in your proftpd.conf you can have this kind of virtual ftp-only users. The important option is AuthUserFile, which lets you have another passwd-file for proftpd. With the utility 'ftpasswd', available at http://www.castaglia.org/proftpd/contrib/ftpasswd.html you can make posts to your chosen passwd-file. You can let every "ftp-user" have the same homedir, /home/ftp/. Every user can have the same uid and gid as they are not real system users.

I believe we can use LDAP-based virtual users. It could be a better solution ;p

sam

----------

## tgoodaire

I just set up users without shell accounts to do that. ie. set their shell to /bin/nologin

----------

## samokk

 *tgoodaire wrote:*   

> I just set up users without shell accounts to do that. ie. set their shell to /bin/nologin

 

The problem with doing this is that all your true and false users will be mixed. If there are like 5 or 6, it's OK. If there are 1000 users, it becomes more messy...

Sam

----------

## Hellzone

And that's what I'm trying to avoid... mess, as I'm already looking to have a large client base when I start, and even then I'm looking towards the future.

It's all very well me making easy-to-use interfaces to allow me to manipulate the mess quickly and efficiently, but if something goes wrong and I have to modify raw data, quite frankly with hundreds of users I'm fecked unless I have some form of order.

-James

----------

## samokk

 *Hellzone wrote:*   

> And that's what I'm trying to avoid... mess, as I'm already looking to have a large client base when I start, and even then I'm looking towards the future.
> 
> It's all very well me making easy-to-use interfaces to allow me to manipulate the mess quickly and efficiently, but if something goes wrong and I have to modify raw data, quite frankly with hundreds of users I'm fecked unless I have some form of order.
> 
> -James

So you've got to go for LDAP. LDAP rocks because it's not flat! You can organise your tree the way you want, and that's what's missing from everything else ;p

sam

----------

## s0be

I've found using mysql for auth in proftpd and for logging is much easier than having created a bunch of users with /bin/false as their shell. Also, you can do a lot of neat stuff like bandwidth limiting users depending on who they are.

s0be

----------

## tecknojunky

 *Hellzone wrote:*   

> Basically I need to know how to set up separate users for proftpd without the users needing shell access (so basically users that are accessible in proftpd only).
> 
> Any suggestions?
> 
> -James

 

It's simple.  Open the /etc/passwd file, on the line of each user you wish no shell access, replace the shell field with "/bin/false" (no quotes).

----------

