Setting up ftp account
Jonathan I. Kamens
jik at athena.mit.edu
Thu Jan 17 06:50:35 AEST 1991
In article <2790 at oucsace.cs.OHIOU.EDU>, mramakri at oucsace.cs.OHIOU.EDU (Murlidar Ramakrishnan) writes:
|> I managed to set up an anonymous ftp account on my machine. But it lets
|> people log on to the machine with ftp as login and no password. Is there
|> a way I can avoid this? Or is there any other way to foolproof this
|> security hole?

You can avoid this by setting up the anonymous ftp account properly.

In particular, the password field of the "ftp" entry in the /etc/passwd file (or
the shadow password file, or whatever) should *not* be empty. Put "*" or
"*NOPASSWORD*" or something in the field, i.e. something that will not match
against any encrypted password. For example, the entry in my /etc/passwd file
says:

ftp:*:1000:101:Anonymous FTP,,E40-342B,8495,:/site/mit/ftp:/bin/csh

There is no reason for the password field of ftp's passwd entry to be blank.
Ftpd doesn't require it, since ftp just does a setuid() to ftp's uid once it
has verified that it is allowed to do so.

--
Jonathan Kamens USnail:
MIT Project Athena 11 Ashford Terrace
jik at Athena.MIT.EDU Allston, MA 02134
Office: 617-253-8085 Home: 617-782-0710
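
The check described in the reply above, as an added example that is not part of the original post: a shell function that reports whether an account's password field is empty, locked or set, following an "x" placeholder into a shadow file when one is supplied. The function names, account names, paths and file contents in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies one account's password
# field in passwd(5)-format files as: missing, empty, locked,
# shadowed-unverified, or set.

pw_lookup() {   # print "F:<field 2>" for account $1 in file $2; nothing if absent
    awk -F: -v u="$1" '$1 == u { print "F:" $2; exit }' "$2"
}

pwfield_status() {   # usage: pwfield_status ACCOUNT PASSWD_FILE [SHADOW_FILE]
    rec=$(pw_lookup "$1" "$2")
    [ -n "$rec" ] || { echo missing; return 0; }
    field=${rec#F:}
    if [ "$field" = "x" ]; then          # "x": real field lives in the shadow file
        [ -n "${3:-}" ] && [ -r "$3" ] || { echo shadowed-unverified; return 0; }
        rec=$(pw_lookup "$1" "$3")
        [ -n "$rec" ] || { echo shadowed-unverified; return 0; }
        field=${rec#F:}
    fi
    case $field in
        "")     echo empty ;;   # account accepts a login with no password
        *[*!]*) echo locked ;;  # "*" and "!" never occur in crypt(3) output
        *)      echo set ;;     # looks like a hash; some password may match it
    esac
}

# Constructed sample data (hypothetical accounts and paths).
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
ftp::1000:101:Anonymous FTP:/site/ftp:/bin/csh
ftp2:*NOPASSWORD*:1001:101:Anonymous FTP:/site/ftp:/bin/csh
ftp3:x:1002:101:Anonymous FTP:/site/ftp:/bin/csh
EOF
cat > "$demo_dir/shadow" <<'EOF'
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
ftp3::19000:0:99999:7:::
EOF

for a in ftp ftp2 ftp3 root nobody; do
    printf '%s: %s\n' "$a" "$(pwfield_status "$a" "$demo_dir/passwd" "$demo_dir/shadow")"
done
rm -rf "$demo_dir"
```

An "empty" result for ftp3 shows why the shadow file has to be read as well: an "x" in /etc/passwd says nothing about whether the real field is blank.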