I wanted to set up something similar to this article so that I could divorce FTP users from system users - i.e. give FTP users absolutely no ability to log on to anything else. I found a few shortcomings in it.
1) db_load does not replace the contents of an existing accounts.db; it appends to it. This means that the instructions for deleting users do not work.
2) Passwords are held in accounts.db in plain text and are human-readable by anyone with read access to accounts.db. This can be fixed by using crypt=crypt on the PAM entry and piping the password through, e.g., openssl passwd -crypt -stdin -salt ab.
3) The iptables setup probably only needs the first of the two rules mentioned, but ip_conntrack_ftp should be added to the IPTABLES_MODULES line in /etc/sysconfig/iptables-options. This, together with the standard RELATED,ESTABLISHED iptables rule, should be sufficient.
To get this set up to completely ignore system-based users I had to change guest_enable= from NO to YES, and I also found that the per-user settings were unnecessary. I ended up with this lot:
Code:
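A worked version of points 1 and 2 from the post above, as a shell script. This is an added example, not the original article's or vsftpd's own code. It assumes the file names /etc/vsftpd/virtual-users.txt (one user:password per line) and /etc/vsftpd/accounts.db, and a PAM line of the form db=/etc/vsftpd/accounts crypt=crypt. It hashes with SHA-512 crypt (openssl passwd -6) rather than the classic DES form the post uses: with crypt=crypt, pam_userdb hands the stored string to crypt(3) as the salt, so any format the system's crypt(3) supports is accepted, DES crypt truncates passwords to 8 characters, and OpenSSL 3 no longer offers -crypt. Rebuilding the database from scratch on every change is what makes user deletion work, since db_load only appends.

```shell
#!/bin/sh
# Maintain a pam_userdb virtual-user database for vsftpd from a plain-text list.
# Assumed names (not from the original post): /etc/vsftpd/virtual-users.txt holds
# one "user:password" per line; /etc/vsftpd/accounts.db is the Berkeley DB that
# /etc/pam.d/vsftpd refers to with "db=/etc/vsftpd/accounts crypt=crypt".

USER_LIST=${USER_LIST:-/etc/vsftpd/virtual-users.txt}
ACCOUNTS_DB=${ACCOUNTS_DB:-/etc/vsftpd/accounts.db}

# Hash one password in crypt(3) SHA-512 form ("$6$salt$hash"). pam_userdb with
# crypt=crypt passes the stored string to crypt(3) as the salt, so any format the
# system's crypt(3) supports works; SHA-512 avoids DES crypt's 8-character limit.
hash_password() {
  printf '%s\n' "$1" | openssl passwd -6 -stdin
}

# Re-check a candidate password the way crypt=crypt does: recompute the hash
# with the stored hash's own salt and compare the whole string.
verify_password() {
  stored=$1
  candidate=$2
  salt=$(printf '%s\n' "$stored" | cut -d'$' -f3)
  recomputed=$(printf '%s\n' "$candidate" | openssl passwd -6 -salt "$salt" -stdin)
  [ "$recomputed" = "$stored" ]
}

# Turn "user:password" lines on stdin into db_load -T input: the key on one
# line, the hashed value on the next. Blank lines and # comments are skipped.
build_db_input() {
  while IFS=: read -r user pass; do
    case "$user" in ''|\#*) continue ;; esac
    printf '%s\n%s\n' "$user" "$(hash_password "$pass")"
  done
}

# db_load appends into an existing file, so a user removed from the list would
# survive a naive reload. Build a fresh database in a temp file and swap it in,
# so the text list is the single source of truth and deletions take effect.
rebuild_db() {
  list=${1:-$USER_LIST}
  db=${2:-$ACCOUNTS_DB}
  tmp=$(mktemp "$db.XXXXXX")
  build_db_input < "$list" | db_load -T -t hash "$tmp"
  chmod 600 "$tmp"          # hashes are still sensitive; keep the file root-only
  mv -f "$tmp" "$db"
}

# Usage (as root): rebuild_db /etc/vsftpd/virtual-users.txt /etc/vsftpd/accounts.db
```

Run rebuild_db after every edit to the user list; because the whole database is regenerated, removing a line from the list is enough to delete that FTP user, and because only hashes are stored, read access to accounts.db no longer exposes passwords.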