[svlug] how to allow a user to ftp but not login?

Seth David Schoen schoen at loyalty.org
Wed Jul 5 23:24:15 PDT 2000


Bill Jonas writes:

> On Wed, 5 Jul 2000, Daevid Vincent wrote:
> 
> >I want to create a user account that can ONLY ftp into my RH6.2 box, but not
> >ssh/telnet or anything else.
> 
> I noticed you already have a solution which you posted to the list, but
> I thought I'd share what my employer does.  The contents of the shell
> script /usr/local/bin/ftponly, which is the shell for ftp only accounts:
> 
> #!/bin/sh
>  
> cat <<END
>  
> You have ftp access only.  Shell accounts are not supported. Send email
> to support at LinuxForce.net if you have any questions.
>  
> END

I don't think that will work, in and of itself.  For example, do
people receive e-mail on the system?

One old trick on uclink4.berkeley.edu when it was created with a
no-shell policy was to use ftp to upload a .forward with contents
something like

\student, |"/usr/X11/bin/xterm -display mybox.reshall.berkeley.edu:0"

Then the user runs "xhost uclink4.berkeley.edu" on mybox, and sends
himself or herself a piece of e-mail.  There are many alternatives.

Note that .forward is far from the only dotfile which is potentially
significant in this way.

-- 
Seth David Schoen <schoen at loyalty.org>  | And do not say, I will study when I
Temp.  http://www.loyalty.org/~schoen/  | have leisure; for perhaps you will
down:  http://www.loyalty.org/   (CAF)  | not have leisure.  -- Pirke Avot 2:5
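
A check for the situation described in the message above, as an added example that is not part of the original post: it lists the dotfiles present in the home directories of accounts whose shell is the FTP-only script, and marks a .forward that pipes mail to a program. The function name, the optional root prefix and the fixture accounts are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: review dotfiles of FTP-only accounts.
# usage: audit_dotfiles PASSWD_FILE RESTRICTED_SHELL [ROOT]
# ROOT (hypothetical) is prefixed to each home so a copied tree can be checked.
audit_dotfiles() {
    passwd_file=$1; restricted=$2; root=${3:-}
    while IFS=: read -r user pw uid gid gecos home shell; do
        # Only accounts whose login shell is the restricted script.
        [ "$shell" = "$restricted" ] || continue
        for f in "$root$home"/.[!.]*; do
            [ -f "$f" ] || continue
            # A .forward entry that starts with | (optionally quoted), at the
            # start of a line or after a comma, hands the mail to a program.
            if [ "${f##*/}" = .forward ] &&
               grep -Eq '(^|,)[[:space:]]*"?[|]' "$f"; then
                echo "PIPE $user $f"
            else
                echo "DOTFILE $user $f"
            fi
        done
    done < "$passwd_file"
}

# Constructed fixture: alice is FTP-only, bob has a normal shell.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/home/alice" "$t/home/bob"
    printf '%s\n' \
        'alice:x:1001:1001::/home/alice:/usr/local/bin/ftponly' \
        'bob:x:1002:1002::/home/bob:/bin/bash' > "$t/passwd"
    printf '%s\n' '\alice, |"/usr/local/bin/example-program"' \
        > "$t/home/alice/.forward"
    : > "$t/home/alice/.profile"
    printf '%s\n' '|/bin/true' > "$t/home/bob/.forward"
    # Strip the temporary prefix so the report shows the account's own paths.
    audit_dotfiles "$t/passwd" /usr/local/bin/ftponly "$t" | sed "s|$t||"
    rm -rf "$t"
}

demo
```

Every DOTFILE line is a file the account holder could have uploaded over ftp and is worth reading; PIPE lines are the .forward case from the message.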



