system users getting automatic FTP access

faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

system users getting automatic FTP access

Post by faris:

I can't believe this didn't occur to me before.

Following on from a conversation on the Parallels forum, I've suddenly realised that system users (added with useradd) automatically get FTP access on a Plesk box.

This is significant because if you disable password authentication in sshd and only use keys, it is all too tempting to create such a user with a weak password. If it is really weak, the bad guys can eventually guess it, log in via FTP, change the ssh key and BOOM, they have shell access.

There has to be more to it than just this, surely? What am I missing?

On top of that, users like asl-web and qscand don't get FTP access; they don't have passwords, do they? So there has to be something more. Can someone tell me what that might be please?
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: system users getting automatic FTP access

Post by mikeshinn:

faris wrote: On top of that, users like asl-web and qscand don't get FTP access; they don't have passwords, do they?
No, you can't log in with either of the ASL users by default. You can see for yourself by looking at your /etc/passwd file.

asl-web:x:103:107::/var/asl/www:/sbin/nologin
tortix:x:104:108::/var/asl:/sbin/nologin

And the /etc/shadow file:

asl-web:!!:14872::::::
tortix:!!:16084::::::

As long as the password field is !!, then no password-based login will work. If you add a password to a user like that (say apache, or nscd, etc.), then yes, you can log into it (if the protocol supports password-based authentication, of course). Don't add passwords to those kinds of users; it's completely unnecessary and will make it possible to log in to those users. With the !! (or *) in the hash field, no password will work and the account is essentially locked out.

And you can test this yourself.

Connected to server2 (192.168.1.249).
220 FTP Server ready.
Name (server2:user): tortix
331 Password required for tortix
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Connected to server2 (192.168.1.249).
220 FTP Server ready.
Name (server2:user): asl-web
331 Password required for asl-web
Password:
530 Login incorrect.
Login failed.
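The check both posts are circling, as an added example that is not part of either post or of any Atomicorp tool: walk /etc/passwd and /etc/shadow and list every account whose password field is not locked (not `!!`, `!`, `*`, or a `!`/`*`-prefixed hash as left by `passwd -l`), since, as faris observed on his Plesk box, such an account can be used for a password login over FTP regardless of its shell. The two sample files below are constructed for a stand-alone run and are not taken from any real host; the split between "system" and "person" accounts at UID 1000 is an assumption (the threshold is distro-specific), and the `!$6$...` entry for `deploy` illustrates the `passwd -l` style of lock that the thread does not mention explicitly. An empty shadow field is reported separately, because that is worse than a weak password: it is no password at all.

```python
"""Audit passwd/shadow for accounts that would accept a password login
(for example over FTP) even though they were never meant to be interactive.
Added example; the sample files are constructed, not copied from a real host."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
asl-web:x:103:107::/var/asl/www:/sbin/nologin
tortix:x:104:108::/var/asl:/sbin/nologin
qscand:x:105:109::/var/spool/qscan:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
backup:x:1001:1001::/home/backup:/sbin/nologin
deploy:x:1002:1002::/home/deploy:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$HASHHASH:16084::::::
asl-web:!!:14872::::::
tortix:!!:16084::::::
qscand:*:14872::::::
apache:$6$saltsalt$HASHHASH:16084::::::
backup::16084::::::
deploy:!$6$saltsalt$HASHHASH:16084::::::
"""


@dataclass(frozen=True)
class Finding:
    name: str
    uid: int
    shell: str
    status: str   # "hash": a password is set; "empty": no password at all
    system: bool  # uid below sysuid_max, i.e. a service account (assumed threshold)


def classify_hash(field: str) -> str:
    """Map a shadow (or passwd) password field to 'locked', 'empty' or 'hash'.
    '!!', '!', '*' and any '!'/'*'-prefixed hash (passwd -l) can never match."""
    if field == "":
        return "empty"
    if field.startswith(("!", "*")):
        return "locked"
    return "hash"


def parse_passwd(text: str) -> Dict[str, Tuple[str, int, str]]:
    """name -> (password field, uid, shell); malformed lines are skipped, not guessed."""
    out: Dict[str, Tuple[str, int, str]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, _gid, _gecos, _home, shell = fields
        out[name] = (pw, int(uid), shell)
    return out


def parse_shadow(text: str) -> Dict[str, str]:
    """name -> password field (second column of /etc/shadow)."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            out[fields[0]] = fields[1]
    return out


def find_password_logins(passwd_text: str, shadow_text: str,
                         sysuid_max: int = 1000) -> List[Finding]:
    """Every account whose password field is usable for a password login, lowest uid first."""
    shadow = parse_shadow(shadow_text)
    findings: List[Finding] = []
    for name, (pw, uid, shell) in parse_passwd(passwd_text).items():
        # 'x' defers to shadow; an old-style entry keeps the hash in passwd itself.
        # No shadow entry at all is treated as locked, since nothing can match it.
        field = shadow.get(name, "!!") if pw == "x" else pw
        status = classify_hash(field)
        if status == "locked":
            continue
        findings.append(Finding(name, uid, shell, status, uid < sysuid_max))
    return sorted(findings, key=lambda f: f.uid)


if __name__ == "__main__":
    # Run against the constructed sample; on a real host read /etc/passwd and
    # /etc/shadow (root needed for the latter) and pass their contents instead.
    for f in find_password_logins(SAMPLE_PASSWD, SAMPLE_SHADOW):
        kind = "SYSTEM" if f.system else "user"
        print(f"{f.name:10} uid={f.uid:<5} {kind:6} shell={f.shell:13} {f.status}")
```

On the sample this reports root (a real password is set), apache (a service account somebody gave a password, exactly the case mikeshinn warns against) and backup (empty shadow field), while asl-web, tortix, qscand and the `passwd -l`-locked deploy are silent. A nologin shell does not make an entry disappear from the report on purpose: the thread's point is that FTP checked the password, not the shell.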