Configuring for Regular (Non-anonymous) Users

Non-anonymous users are users that have been explicitly granted access to your server machine and log in with their username and password. These user accounts are usually managed in the /etc/passwd file, or by a service like NIS or LDAP.

This configuration is straightforward, since you simply add accounts to your system like you normally would. Often you simply want to allow the users you already have on your system to log in with FTP, so you won't need to add new accounts; otherwise you can add new accounts to your system now. Don't forget to use the passwd program to set each user's initial password, otherwise the user won't be able to log in.

To allow access by remote FTP clients using a username and password, you need to have NcFTPd configured so that the domain.cf option server-type is set to all-users (if you want both anonymous and non-anonymous users) or non-anonymous-only. Like all domain.cf options, this should be set appropriately for each domain in the domain.cf file.

The "Valid User Shells" file

Before these users are fully ready to log in via FTP, there are a few other things to consider. By standard convention, UNIX FTP servers do not allow users to log in via FTP if their login shell is not listed in the file /etc/shells (you can tell NcFTPd to use a different pathname for this file with the u-valid-user-shell-file option in general.cf).

You will need to inspect /etc/shells and verify that each user you want to be able to login with FTP has their shell listed there. If the file does not exist, you should create it. An easy way to do that is to run "cut -d: -f7 /etc/passwd | sort -u > /etc/shells" and then edit the file and remove the shells that don't correspond to users that should be logging in.

Here's an example /etc/shells file:

The "Deny Users" file

Another traditional file that NcFTPd honors is the /etc/ftpusers file (which can be changed with the u-deny-users-file option). This file lists usernames that should not be allowed to login via FTP. This simple security measure lets you ensure that certain accounts can never login from FTP, even if a valid username and password were given. This is desirable for accounts that aren't really live user accounts, such as bin or uucp.

You should create this file if it does not exist. Go through your system's account list and look for users who should never be logging in with FTP and add them to the file.

Here's an example /etc/ftpusers file:

Additional Considerations

It is important to note that by adding users to your system, they can do many other things besides logging in with FTP. For example, the user could use telnet, ssh, or just log in directly on a connected terminal! Users might also be able to receive and forward mail, by having mail sent to user@yourmachine, or have web pages served under a URL such as http://yourmachine/~user/index.html. Which services the user can and cannot access depends on the services installed on your system and how they are configured.

An important privilege a user has is logging in directly, but you can disable that. By convention, you set their shell to /bin/false and make sure that /bin/false is listed in /etc/shells. This allows the user to FTP to your machine, but if the user tried to log in directly, the user would be disconnected immediately without receiving a useful command shell. One problem with this approach is that other programs besides FTP use the /etc/shells file, so by doing that you may have just enabled mail delivery, for example.
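As an added example (not part of the NcFTPd documentation), the following POSIX shell script applies the two checks described above, the login shell must be listed in the valid-shells file and the username must not appear in the deny-users file, to a constructed passwd file and reports which accounts would be accepted for non-anonymous FTP logins; the sample accounts and file paths are assumptions, and the /bin/false account shows the FTP-only arrangement just described.

```shell
#!/bin/sh
# Audit which local accounts would pass the two conventional FTP login
# checks: login shell listed in the valid-shells file, and username not
# listed in the deny-users file. Paths are parameters so the audit can be
# pointed at whatever files u-valid-user-shell-file and u-deny-users-file
# name. A missing deny-users file is treated as an empty list.
ftp_login_audit() {
    passwd_file=$1 shells_file=$2 deny_file=$3
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$user" ] || continue    # skip blank lines
        if ! grep -qxF -- "$shell" "$shells_file"; then
            echo "deny  $user  (shell '$shell' not in $shells_file)"
        elif grep -qxF -- "$user" "$deny_file" 2>/dev/null; then
            echo "deny  $user  (listed in $deny_file)"
        else
            echo "allow $user  ($shell)"
        fi
    done < "$passwd_file"
}

# Constructed sample data (not real system files) so this runs offline.
tmpdir=$(mktemp -d)
cat > "$tmpdir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob (FTP only):/home/bob:/bin/false
carol:x:1003:1003:Carol:/home/carol:/bin/zsh
EOF
cat > "$tmpdir/shells" <<'EOF'
/bin/sh
/bin/bash
/bin/false
EOF
cat > "$tmpdir/ftpusers" <<'EOF'
root
bin
uucp
EOF

# alice and bob are allowed; root, bin and uucp are denied by the deny
# list; carol is denied because /bin/zsh is not in the shells file.
ftp_login_audit "$tmpdir/passwd" "$tmpdir/shells" "$tmpdir/ftpusers"
```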

Although you could disallow direct logins and allow FTP logins as we've demonstrated above, if security is important you should consider using virtual users. With virtual users, remote clients do not have access to anything except FTP no matter what other services your system is running and how they're configured, since they do not have a real account on your machine.

Additional Options

There are additional configuration options pertaining directly to non-anonymous users. These options are usually prefixed with "u-" and are documented with the complete list of configuration options.
