One account for FTP other to TELNET

Hi All,
I want to have two user accounts from the same group in UNIX Solaris. However, I want one of them to be used only for FTP while the other for TELNET. Can anybody tell me how to do that?
Best Regards

Don't open three threads to ask the same question. I deleted the other threads.

To create an account that can be used only for ftp, I would make the shell "/usr/bin/true". Yeah, you can still telnet in, but you can't do anything and you will disconnect immediately. For such a user to be able to use ftp, "/usr/bin/true" must be added to the file "/etc/shells".

To create an account that can be used by telnet, but not ftp, give this user a regular shell like ksh. Then add it to the file /etc/ftpd/ftpusers. This file, which is badly named, is a list of users who cannot use ftp.

And sure, both users can be in the same group if you want.

First of all, sorry for putting the same question three times. But I did not know where exactly it fits. Therefore, I apologize for that.

Second, thank you very much for your valuable reply. However, I need some clarification please.

For the user that can only telnet I just have to add his name to /etc/ftpd/ftpusers. Is this what you mean?

For the user that can only ftp, I did not get your point. What do you mean by creating shell "/usr/bin/true"? I mean, in the /etc/passwd file I just write shell "/usr/bin/true" in the shell space and add a line with shell "/usr/bin/true" in the "/etc/shells" file?

Thank you again
Best regards

Yes, just add the user to /etc/ftpd/ftpusers.

Yes, in /etc/passwd, make the last field be /usr/bin/true:

uftp:x:123:456:ftp only user:/home/uftp:/usr/bin/true

And yes, add
/usr/bin/true
to /etc/shells.

If /etc/shells does not exist, you must create it and add a line for all possible shells. ftpd will check this file and will kick out anyone whose shell is not in this file.
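An audit of the setup described in the answers above, as an added example that is not part of the original thread: it reads a passwd file, a shells file and an ftpusers file and reports, per account, whether FTP and an interactive login are left open. The function names, the `NOOP_SHELL` and `AWK` variables and the sample accounts other than `uftp` are assumptions made for illustration, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report which accounts the rules above
# leave open for FTP and for an interactive login such as telnet.
# Set AWK=nawk where plain awk is the old dialect without -v.

# classify_accounts PASSWD SHELLS FTPUSERS
# Prints "user ftp=yes|no login=yes|no" for every passwd entry.
classify_accounts() {
    "${AWK:-awk}" -F: -v shells="$2" -v deny="$3" \
        -v noop="${NOOP_SHELL:-/usr/bin/true}" '
    function clean(s) { sub(/#.*/, "", s); gsub(/[ \t]/, "", s); return s }
    BEGIN {
        # Shell allow-list: one path per line.
        while ((getline line < shells) > 0)
            if ((line = clean(line)) != "") ok[line] = 1
        # ftpusers is a deny list: one user name per line.
        while ((getline line < deny) > 0)
            if ((line = clean(line)) != "") banned[line] = 1
    }
    /^#/ || NF < 7 { next }    # skip comments and malformed entries
    {
        sh = ($7 == "") ? "/bin/sh" : $7    # assumption: empty field = /bin/sh
        ftp = ((sh in ok) && !($1 in banned)) ? "yes" : "no"
        # login=no: the session authenticates, then the shell exits at once.
        login = (sh == noop) ? "no" : "yes"
        print $1, "ftp=" ftp, "login=" login
    }' "$1"
}

# write_sample DIR: constructed sample files (not from a real host).
write_sample() {
    printf '%s\n' \
        'uftp:x:123:456:ftp only user:/home/uftp:/usr/bin/true' \
        'utel:x:124:456:telnet only user:/home/utel:/usr/bin/ksh' \
        'uboth:x:125:456:unrestricted user:/home/uboth:/usr/bin/ksh' \
        'uodd:x:126:456:shell not listed:/home/uodd:/opt/odd/sh' > "$1/passwd"
    printf '%s\n' '/usr/bin/ksh' '/usr/bin/true' > "$1/shells"
    printf '%s\n' 'utel' > "$1/ftpusers"
}

tmp=$(mktemp -d) && write_sample "$tmp" &&
    classify_accounts "$tmp/passwd" "$tmp/shells" "$tmp/ftpusers"
rm -rf "$tmp"
```

On a real host, pass the passwd, shells and ftpusers paths named in the thread. The `uodd` row shows the case the answer warns about: a shell missing from the shells file blocks FTP even though the user is not in ftpusers.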

Hi,
Thank you again...
I am using Sun 5.6, and I did not find either /etc/ftpd/ftpusers (I did not even find the directory /etc/ftpd) or /etc/shells. So, do I have to create both of them (using the root account)? If yes, can you please tell me their format?
Finally, where do I add this line:
uftp:x:123:456:ftp only user:/home/uftp:/usr/bin/true

Thank you very much for your valuable help

That line was just an example of a line from /etc/passwd. The files are text files. Just type them in with an editor.

Thank you very much...
It works perfectly

Hi...
It's me again...
Do you know how we can prevent the user that cannot access telnet from su also... I mean, if I am user X and type su - Y (where user Y is the one that cannot be used for telnet), I want this change of user to fail.
Thanks in advance

I'm pretty sure that "su - Y" will fail because you would get the same shell and not be able to do anything. But "su Y" is another matter, that will work and there is no easy way to change that.

On SunOS, su does use a facility called pam and it is probably possible to configure pam to do this. I have never used pam, and as I survey the man pages, I tend to think that this approach would be too difficult for you.

One thing that I have seen done is to restrict who can run su at all. This means that user X could not su to user Y. But the price is that user X can no longer use su at all.

To do this:
create a new group called wheel
chgrp wheel /usr/bin/su
chmod 4750 /usr/bin/su

Now anyone who needs to use the su program must be added to the group called wheel.

Thank you very much... I really appreciate your help

Hi again,
I want to make the account that can be used for ftp only (and cannot be used for telnet) accessible from another user (i.e., make su and su - work). How can I do that?
Thank you in advance
Best Regards

You can probably get "su" to work. But "su -" by definition results in the same exact environment that would result from a login. Since you have disabled the account from being able to login, this means that "su -" must fail or it would be broken. You are trying to redefine "su -" to mean something different. To do that you will need to write your version of su. Sorry for the bad news.

But I would expect just plain su to work. What happens when you try?

Thank you very much for your valuable help

When I use "su" it behaves exactly as "su -"?
However, I will check it again just to make sure and inform you...

Thanks again

Hi,
I discovered a way to make users for telnet only using the /etc/profile file, where I check if the user is in a file which contains the list of telnet users.

Another question, and I would appreciate it if you can help me: how can I automatically terminate an ftp session if it hangs? As the Sun doc. states, ftp -T will not end the session?

Thanks