
I'm using a Raspberry Pi 3 and vsftpd to share a directory via FTP, which allows a camera to connect to it and transfer photos.

I also created a simple user & password and chrooted the directory so there's no file browsing outside of the dedicated folder if using FileZilla or any other tool.

The problem is, if I log in via the terminal (monitor, keyboard etc., no SSH) using that user, I'm free to go wherever I want. Is there a way to prevent this?
I already tried:

usermod --expiredate 1
passwd -l
usermod -s /sbin/nologin

But this makes the account unusable.
If I search for "jail/chroot terminal user", there are only SSH results.

Any help will be greatly appreciated.

EDIT

By "account unusable" I mean it disables logging in via the terminal (which is what I want), but it also prevents connecting via FTP.

EDIT 2

The point is to disable everything for one user except the FTP folder; I don't need, and don't want, that user to do anything else.
Only FTP, no other protocol: I need to target all/most Wi-Fi cameras, and FTP is the way to go.
SFTP and SSH are disabled.

J-D
  • Please [edit] your question and add more details. What's the problem with changing the shell of the user to /sbin/nologin? What are the requirements for the user account? Do you need interactive login? You could also use scp instead of FTP and configure the SSH access as required. – Bodo Mar 29 '21 at 11:07
  • @Panki It's what I have done, my folder restriction works when connecting with FTP, but doesn't when logging in like a normal user. – J-D Mar 29 '21 at 11:27
  • @Bodo As I said, it makes the account unusable; it prevents me from logging in entirely (including FTP). As for scp, is it the same feature as the camera's FTP? Will I be able to connect with my camera if I set up everything? SSH won't be used as it's disabled. – J-D Mar 29 '21 at 11:31
  • checkout https://unix.stackexchange.com/questions/503312/is-it-possible-to-grant-users-sftp-access-without-shell-access-if-yes-how-is-i – Scott Stensland Mar 29 '21 at 12:05
  • Please [edit] your question to add information or clarification. If the camera supports FTP only, then I suggest to state this clarification in the question. If it supports other protocols as well, then name the available protocols. You might have to change some configuration to allow FTP access users with shell nologin. See https://serverfault.com/q/358324/625527 – Bodo Mar 29 '21 at 12:11
  • Plaintext traffic? If so, then switch to SFTP and you are done without TLS mess. – Jiri B Mar 29 '21 at 16:45

1 Answer


If you want to disable SSH (including scp & sftp) logins for a particular user, you could simply add DenyUsers <name of the ftp-only user> to /etc/ssh/sshd_config and restart the sshd daemon.

It will leave the possibility of using the FTP-only account to log in locally, but if the system is in a secure location, that might actually be useful for troubleshooting FTP transfer failures.


The traditional way to create FTP-only user accounts would be to set the user's shell to /sbin/nologin, /bin/false, or any similar program that does not allow input and exits immediately, but also list that program in /etc/shells.

The classic check done by the FTP daemon after the password check is "does this user have a shell that is listed in /etc/shells?". On modern systems, this may be implemented via the PAM configuration instead of by the FTP daemon itself.

By configuring the user with a "do-nothing" shell that is valid (= is listed in /etc/shells), the account will be valid for FTP use, but any use that requires running a shell will fail because the "do-nothing" program is run instead of any real shell, and it will just exit without accepting any input from the user.

Note: if the system has any other network services that are using the system password database, and are not based on running a shell (e.g. an IMAP or POP3 mail server), then you may have to configure those services to also explicitly reject the "FTP-only" user.

telcoM
  • Worked perfectly, thank you. I used usermod -s /sbin/nologin myuser and edited /etc/shells, adding /sbin/nologin at the bottom. – J-D Mar 30 '21 at 09:17
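The mechanism the answer describes can be seen without touching a live system. The following is an added example (not code from the question, the answer, or vsftpd itself): a POSIX shell script that reproduces the "is the login shell listed in /etc/shells?" check against constructed copies of /etc/passwd and /etc/shells, and a make_ftp_only_user function that applies the steps from the thread (usermod -s, the /etc/shells entry, plus the DenyUsers line from the answer). The user names, file contents and paths are assumptions; make_ftp_only_user needs root, modifies the real system, and is deliberately not run by the demo.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Reproduces the "is the login shell listed in /etc/shells?" check that an FTP
# daemon (or pam_shells.so) performs, against constructed copies of
# /etc/passwd and /etc/shells, so the effect of the accepted fix can be seen
# without touching the real system.

# login_shell USER PASSWD_FILE: print USER's shell field; exit 1 if no such user
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; found = 1; exit } END { exit found ? 0 : 1 }' "$2"
}

# shell_listed SHELL SHELLS_FILE: 0 if SHELL appears as a whole line (exact
# string match, as pam_shells does; /usr/sbin/nologin is not /sbin/nologin)
shell_listed() {
    grep -qxF -- "$1" "$2"
}

# add_shell SHELL SHELLS_FILE: append SHELL once (idempotent)
add_shell() {
    shell_listed "$1" "$2" || printf '%s\n' "$1" >> "$2"
}

# ftp_login_allowed USER PASSWD_FILE SHELLS_FILE: 0 if the daemon would accept
# the account after the password check (shell present in the shells file)
ftp_login_allowed() {
    sh=$(login_shell "$1" "$2") || return 1
    [ -n "$sh" ] || sh=/bin/sh          # empty field means /bin/sh, login(1) convention
    shell_listed "$sh" "$3"
}

# interactive_login_allowed USER PASSWD_FILE: 0 unless the shell is a
# do-nothing program such as nologin or false
interactive_login_allowed() {
    sh=$(login_shell "$1" "$2") || return 1
    case "${sh##*/}" in
        nologin|false) return 1 ;;
        *)             return 0 ;;
    esac
}

# audit_user USER PASSWD_FILE SHELLS_FILE: one-line summary, always returns 0
audit_user() {
    if ftp_login_allowed "$1" "$2" "$3"; then f=yes; else f=no; fi
    if interactive_login_allowed "$1" "$2"; then i=yes; else i=no; fi
    printf '%-8s ftp=%-3s interactive=%s\n' "$1" "$f" "$i"
}

# make_sample_files DIR: constructed sample data (not taken from any real system)
make_sample_files() {
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'camera:x:1001:1001:FTP-only camera account:/srv/ftp/camera:/sbin/nologin' \
        'picam:x:1002:1002:same idea, merged-usr path:/srv/ftp/picam:/usr/sbin/nologin' \
        'other:x:1003:1003::/home/other:/bin/false' > "$1/passwd"
    printf '%s\n' /bin/sh /bin/bash /bin/dash > "$1/shells"
}

# make_ftp_only_user USER: the real steps from the thread. Needs root, modifies
# the live system, and is deliberately NOT called by the demo below.
# Assumptions: nologin is at /sbin/nologin (use /usr/sbin/nologin where there is
# no /sbin symlink) and the SSH service is named "ssh" (Debian) or "sshd".
make_ftp_only_user() {
    usermod -s /sbin/nologin "$1"                       # do-nothing shell...
    add_shell /sbin/nologin /etc/shells                 # ...that is still "valid"
    grep -qs "^DenyUsers .*$1" /etc/ssh/sshd_config ||  # belt and braces for sshd
        printf 'DenyUsers %s\n' "$1" >> /etc/ssh/sshd_config
    sshd -t && { systemctl restart ssh 2>/dev/null || systemctl restart sshd; }
}

# Demo on the constructed files: before and after the /etc/shells edit.
demo_dir=$(mktemp -d)
make_sample_files "$demo_dir"
echo "before adding /sbin/nologin to shells:"
for u in root camera picam other; do audit_user "$u" "$demo_dir/passwd" "$demo_dir/shells"; done
add_shell /sbin/nologin "$demo_dir/shells"
echo "after:"
for u in root camera picam other; do audit_user "$u" "$demo_dir/passwd" "$demo_dir/shells"; done
rm -rf "$demo_dir"
```

Two things the demo makes visible. First, the /etc/shells comparison is an exact string match, so on a merged-/usr system an account whose passwd entry says /usr/sbin/nologin is still rejected when only /sbin/nologin was added to /etc/shells (the constructed "picam" user); the passwd field and the /etc/shells line must match character for character. Second, listing nologin in /etc/shells makes every account with that shell "valid" for anything else gated by pam_shells (on Debian-based systems the vsftpd check is typically the pam_shells.so line in /etc/pam.d/vsftpd; vsftpd also has its own check_shell option when PAM is not used), which is why the answer's closing note about other password-database services such as IMAP/POP3 matters.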