
Re: Disallowing root FTP logins



On Sat, 22 Nov 1997, Graham Todd wrote:

> However if I add this securetty line to /etc/pam.d/ftp then *no-one*
> can do ftp login remotely.
> 
> auth      required  /lib/security/pam_securetty.so

I think you've got your sense of tty a little goofed up -- securetty
doesn't check the origination of a connection, which is what you want, it
checks what tty is trying to get used in creating this new connection.

Like, when you sit down at the console and see the login prompt, and type
root, it says "hey, someone's trying to log into root _on_ tty1" (or
whatever vt you use). Likewise, if you telnet in from planet.venus.com to
your.machine, your.machine allocates you a tty. The first person to telnet
in will typically get ttyp1. It has no idea what tty on planet.venus.com
you're using, or if planet.venus.com even has the concept of a tty (think
windows95 here).

So, when you type ftp localhost, it doesn't check what tty your
originating half of the connection is using... I'm pretty sure you aren't
allocated a tty when you ftp in, for that matter.

Think of it this way: If you log in on the console, and type telnet
localhost, and log in, you'll see:

[jhebert@maynard ~]$ who
jhebert  tty1     Nov 22 15:06
jhebert  ttyp1    Nov 22 19:53 (localhost)
[jhebert@maynard ~]$
 
The first line is where you logged in on the console, and the second line
is where you telnetted to localhost (and logged in _on_ ttyp1).

Hope this makes sense.

As far as doing what you want, I don't think you can. Even if you could
configure ftpd to allow root to connect only from localhost, this wouldn't
do what you want since I could telnet in, su to root, and type ftp
localhost. Likewise, you could all-or-nothing allow connections to
127.0.0.1 on the ftp port, using tcp wrappers. But that wouldn't get you
much...

If you don't mind my asking, why in the heck do you need to ftp to
localhost as root? Surely whatever you think that'll get you can be
accomplished some better way...

Best,

jim
jhebert@compu-aid.com

PS If there's some great reason why you need to do this, you could always
write some shell script which basically allowed root ftp logins, ftp'd to
localhost, and then disallowed them as soon as you got logged in. But this
seems pretty much like a cheap hack. And you'd have to be logged in
(like with a command prompt) as root I would think, in order to change
the necessary files. Unless of course you set up sudo to handle that
part. But now I'm getting really wacky! =) 

-- 
[L]inux has an installed base conservatively estimated at around 3 million
users.... [V]endors say that most of the top companies in the US have bought
the OS - but that few will readily admit to running their multimillion-dollar
corporations on code put together by a band of software idealists. -- _Wired_
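The distinction the reply draws, between the tty a login is allocated on the local machine and the host the connection came from, can be made concrete with a small model. The following is an added example, not code from the thread or from Linux-PAM: it parses `who` output of the shape shown above, then applies a securetty-style decision that looks only at the tty name next to an origin-based decision that looks only at the peer host. The securetty list, the `who` lines and the treatment of a session with no tty at all (rejected for everyone, which reproduces what the original poster saw with ftp; real module versions differ on that case) are all constructed assumptions.

```python
"""Model of what pam_securetty looks at (the local tty) versus what the
original poster wanted checked (the remote origin).  Added example; the
securetty list, the session records and the no-tty rule are constructed."""
import re

# Constructed stand-in for /etc/securetty: the virtual consoles only.
SECURETTY = ["tty1", "tty2", "tty3", "tty4", "tty5", "tty6"]

# Constructed `who` output in the shape shown in the message above:
# a console login, and a telnet-to-localhost login on a pty.
WHO_OUTPUT = """jhebert  tty1     Nov 22 15:06
jhebert  ttyp1    Nov 22 19:53 (localhost)
"""

# user, tty, "Mon DD HH:MM", and an optional "(host)" for remote logins
WHO_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<time>\w{3}\s+\d{1,2}\s+\d{2}:\d{2})"
    r"(?:\s+\((?P<host>[^)]*)\))?\s*$"
)


def parse_who(text):
    """Parse `who` lines into {user, tty, host} records; host is None
    for logins that arrived on a local console."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = WHO_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised who line: {line!r}")
        sessions.append({"user": m["user"], "tty": m["tty"], "host": m["host"]})
    return sessions


def securetty_allows(user, tty, securetty=SECURETTY):
    """pam_securetty as a decision function.  Only the name of the tty the
    new session sits on is consulted; the peer host is never an input.
    tty=None models a service such as ftp that hands PAM no terminal.  In
    this model that is rejected for every user, an assumption chosen to
    reproduce the 'no-one can ftp in' behaviour reported in the thread."""
    if tty is None:
        return False
    if user != "root":
        return True          # the module only restricts root
    return tty in securetty


def origin_allows(host, allowed_hosts=("localhost", "127.0.0.1")):
    """The check the poster actually wanted: where did the connection come
    from?  A console login (host None) and the listed hosts pass.  This is
    a separate question from the tty check and securetty never asks it."""
    return host is None or host in allowed_hosts


def evaluate_root_logins(sessions):
    """For each session, what securetty decides for root and what an
    origin-based rule would decide, side by side."""
    return [
        (s["tty"], s["host"],
         securetty_allows("root", s["tty"]),
         origin_allows(s["host"]))
        for s in sessions
    ]


if __name__ == "__main__":
    for tty, host, by_tty, by_origin in evaluate_root_logins(parse_who(WHO_OUTPUT)):
        print(f"{tty:6} from {host or 'console':10} "
              f"securetty={'allow' if by_tty else 'deny':5} "
              f"origin={'allow' if by_origin else 'deny'}")
    # ftp hands PAM no tty in this model: denied no matter where it came from
    print("ftp session, no tty, from localhost:",
          "allow" if securetty_allows("root", None) else "deny")
```

Running it shows the point of the reply: the telnet-to-localhost session passes an origin check but fails securetty, because the session was allocated ttyp1 rather than a console, and a tty-less ftp session fails securetty whether it came from localhost or from planet.venus.com.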



