system users getting automatic FTP access

Posted: Sun Jan 12, 2014 10:18 pm
by faris
I can't believe this didn't occur to me before.

Following on from a conversation on the Parallels forum, I've suddenly realised that system users (added with useradd) automatically get FTP access on a Plesk box.

This is significant because if you disable password authentication in sshd and only use keys, it is all too tempting to create such a user with a weak password. If it is really weak, the bad guys can eventually guess it, log in via FTP, change the ssh key and BOOM, they have shell access.

There has to be more to it than just this, surely? What am I missing?

On top of that, users like asl-web and qscand don't get FTP access; they don't have passwords, do they? So there has to be something more. Can someone tell me what that might be please?

Re: system users getting automatic FTP access

Posted: Tue Jan 14, 2014 10:42 am
by mikeshinn
> On top of that, users like asl-web and qscand don't get FTP access; they don't have passwords, do they?

No, you can't log in with either of the ASL users by default. You can see for yourself by looking at your /etc/passwd file.

asl-web:x:103:107::/var/asl/www:/sbin/nologin
tortix:x:104:108::/var/asl:/sbin/nologin

And the /etc/shadow file:

asl-web:!!:14872::::::
tortix:!!:16084::::::

As long as the password field is !!, then no password based login will work. If you add a password to a user like that (say apache, or nscd, etc.), then yes, you can log into it (if the protocol supports password based authentication, of course). Don't add passwords to those kinds of users; it's completely unnecessary and will make it possible to log in to those users. With the !! (or *) in the hash field, no password will work and the account is essentially locked out.

And you can test this yourself.

Connected to server2 (192.168.1.249).
220 FTP Server ready.
Name (server2:user): tortix
331 Password required for tortix
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Connected to server2 (192.168.1.249).
220 FTP Server ready.
Name (server2:user): asl-web
331 Password required for asl-web
Password:
530 Login incorrect.
Login failed.
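The check mikeshinn describes (look at the password field in /etc/shadow) can be scripted so that every account on the box is audited at once, rather than testing them one by one over FTP. The following is an added example, not code from the thread or from the ASL/Plesk projects: it takes a passwd-format file and a shadow-format file, classifies each password field the way shadow(5) defines it, and lists the accounts that could still pass password authentication (and so could be accepted by an FTP daemon). The two ASL entries are the ones quoted above; the other accounts (apache, backup, legacy, locked, faris) and all hash values are constructed for illustration and are not real hashes.

```shell
#!/bin/sh
# Added example (not from the thread): audit a passwd/shadow pair for accounts
# that can still authenticate with a password, which is the set an FTP daemon
# doing password authentication will accept.
# Shadow password-field conventions (see shadow(5)):
#   "!!" or "!"      locked, no password ever set (what the ASL users show)
#   "*"              no password accepted
#   "!<hash>"        locked after a password existed (passwd -l / usermod -L)
#   "" (empty)       NO password required at all; the worst case
#   anything else    a usable hash

# Constructed sample files: the two ASL entries quoted in the thread plus
# hypothetical accounts (apache, backup, legacy, locked, faris). Hashes are fake.
make_sample_files() {
  cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
asl-web:x:103:107::/var/asl/www:/sbin/nologin
tortix:x:104:108::/var/asl:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
backup:x:34:34:backup:/var/backups:/sbin/nologin
legacy:x:501:501::/home/legacy:/bin/bash
locked:x:502:502::/home/locked:/bin/bash
faris:x:1001:1001::/home/faris:/bin/bash
EOF
  cat > "$2" <<'EOF'
root:$6$saltsalt$notarealhashjustillustration:16084:0:99999:7:::
asl-web:!!:14872::::::
tortix:!!:16084::::::
apache:*:15000::::::
backup:$6$xyz$alsonotarealhash:16000:0:99999:7:::
legacy::16000:0:99999:7:::
locked:!$6$abc$lockedhash:16000:0:99999:7:::
faris:$6$abc$anotherfakehash:16000:0:99999:7:::
EOF
}

# Classify one shadow password field as LOCKED, EMPTY or HASHED.
classify_pw() {
  case "$1" in
    '')        echo EMPTY ;;
    '*'|'!'*)  echo LOCKED ;;
    *)         echo HASHED ;;
  esac
}

# Print "user uid shell STATE" for every account whose password field is
# usable (EMPTY or HASHED). Arguments: passwd-format file, shadow-format file.
# The shell column helps decide whether an FTP login could also become a
# shell login, as described in the original post.
password_enabled_accounts() {
  passwd_file=$1
  shadow_file=$2
  while IFS=: read -r user pw rest; do
    state=$(classify_pw "$pw")
    if [ "$state" = LOCKED ]; then
      continue
    fi
    entry=$(grep "^$user:" "$passwd_file")
    uid=$(printf '%s' "$entry" | cut -d: -f3)
    shell=$(printf '%s' "$entry" | cut -d: -f7)
    echo "$user $uid $shell $state"
  done < "$shadow_file"
}

# Usage on a live system (as root, read-only):
#   password_enabled_accounts /etc/passwd /etc/shadow
```

On a real box any system account (apache, nscd, and the like) appearing in this output should have its password removed or locked with `usermod -L`, and an EMPTY result needs fixing immediately. `passwd -S user` shows the same locked/usable status for a single account if you prefer to confirm one by one.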