system users getting automatic FTP access
Posted: Sun Jan 12, 2014 10:18 pm
I can't believe this didn't occur to me before.
Following on from a conversation on the Parallels forum, I've suddenly realised that system users (added with useradd) automatically get FTP access on a Plesk box.
This is significant because if you disable password authentication in sshd and only use keys, it is all too tempting to create such a user with a weak password. If it is really weak, the bad guys can eventually guess it, log in via FTP, change the ssh key and BOOM, they have shell access.
There has to be more to it than just this, surely? What am I missing?
On top of that, users like asl-web and qscand don't get FTP access - they don't have passwords, do they? So there has to be something more. Can someone tell me what that might be please?
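An added example, not part of the original post: a check over passwd/shadow-format data that separates accounts with a usable password hash from accounts whose shadow password field is locked with `!` or `*`, which no password can match. It assumes the password-based service (here the FTP login the post describes) authenticates against the system password database; the account entries and hashes are constructed sample data, and the function names are hypothetical.

```python
# Constructed sample data (not from the post). On a real host the same
# parsing applies to /etc/passwd and /etc/shadow, read as root.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
deploy:x:1001:1001::/home/deploy:/bin/bash
asl-web:x:498:498::/var/asl:/sbin/nologin
qscand:x:497:497::/var/spool/qscan:/bin/false
"""
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhashvalue:16000:0:99999:7:::
deploy:$6$constructedsalt$anotherconstructedhash:16000:0:99999:7:::
asl-web:!!:16000::::::
qscand:*:16000::::::
"""

def password_state(field):
    """Classify the password field (second field) of a shadow entry."""
    if field is None:
        return "unknown"   # account has no shadow entry
    if field == "":
        return "empty"     # no password set at all
    if field[0] in "!*":
        return "locked"    # no typed password can ever match this field
    return "usable"        # a real hash: password logins can succeed

def audit(passwd_text, shadow_text):
    """Return {user: (password_state, shell, home)} for every passwd entry."""
    shadow = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            shadow[parts[0]] = parts[1]
    report = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue       # skip malformed or blank lines
        user, home, shell = parts[0], parts[5], parts[6]
        report[user] = (password_state(shadow.get(user)), shell, home)
    return report

def password_reachable(report):
    """Accounts that a password-based service could authenticate."""
    return sorted(u for u, (state, _, _) in report.items() if state != "locked")

if __name__ == "__main__":
    for user, row in sorted(audit(SAMPLE_PASSWD, SAMPLE_SHADOW).items()):
        print(user, *row)
```

Every account reported as reachable needs a strong password or a locked one (`passwd -l`), even when sshd itself accepts only keys.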