mramakri@oucsace.cs.OHIOU.EDU (Murlidar Ramakrishnan) (01/16/91)
Hi, I managed to set up an anonymous ftp account on my machine. But it lets people log on to the machine with ftp as login and no password. Is there a way I can avoid this? Or is there any other way to foolproof this security hole?

Murli Ram

jik@athena.mit.edu (Jonathan I. Kamens) (01/17/91)
In article <2790@oucsace.cs.OHIOU.EDU>, mramakri@oucsace.cs.OHIOU.EDU (Murlidar Ramakrishnan) writes:
|> I managed to set up an anonymous ftp account on my machine. But it lets
|> people log on to the machine with ftp as login and no password. Is there
|> a way I can avoid this? Or is there any other way to foolproof this
|> security hole?

You can avoid this by setting up the anonymous ftp account properly. In particular, the password field of the "ftp" entry in the /etc/passwd file (or the shadow password file, or whatever) should *not* be empty. Put "*" or "*NOPASSWORD*" or something in the field, i.e. something that will not match against any encrypted password. For example, the entry in my /etc/passwd file says:

    ftp:*:1000:101:Anonymous FTP,,E40-342B,8495,:/site/mit/ftp:/bin/csh

There is no reason for the password field of ftp's passwd entry to be blank. Ftpd doesn't require it, since ftp just does a setuid() to ftp's uid once it has verified that it is allowed to do so.

--
Jonathan Kamens                 USnail:
MIT Project Athena              11 Ashford Terrace
jik@Athena.MIT.EDU              Allston, MA 02134
Office: 617-253-8085            Home: 617-782-0710
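
An added example, not part of either post: a small Python audit for the condition the reply describes, an account whose password field is empty. The sample entries are constructed, and reading a passwd field of "x" as "look in the shadow file" is an assumption about the local system's convention.

```python
"""Flag accounts whose password field is empty in passwd-format data."""

# Constructed sample data, not taken from a real host.
PASSWD_BAD = (
    "root:x:0:0:Operator:/:/bin/sh\n"
    "ftp::1000:101:Anonymous FTP:/site/mit/ftp:/bin/csh\n"
)
# Same file after the fix from the reply: "*" matches no encrypted password.
PASSWD_FIXED = PASSWD_BAD.replace("ftp::", "ftp:*:")
SHADOW_BAD = "root::7685:0:99999:7:::\n"    # empty hash for root
SHADOW_OK = "root:*:7685:0:99999:7:::\n"


def parse(text, min_fields):
    """Yield the colon-separated fields of each non-blank, non-comment line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < min_fields:
            raise ValueError(f"line {lineno}: expected {min_fields} fields")
        yield fields


def empty_password_accounts(passwd_text, shadow_text=None):
    """Return the sorted names of accounts that need no password to log in.

    An empty second field in a passwd entry means no password is required.
    A field of "x" is assumed to defer to the shadow file, so the matching
    shadow entry is checked when shadow_text is supplied.
    """
    shadow = {}
    if shadow_text is not None:
        shadow = {f[0]: f[1] for f in parse(shadow_text, 2)}
    flagged = set()
    for fields in parse(passwd_text, 7):
        name, pw = fields[0], fields[1]
        if pw == "" or (pw == "x" and shadow.get(name) == ""):
            flagged.add(name)
    return sorted(flagged)


if __name__ == "__main__":
    for label, pw, sh in (("before", PASSWD_BAD, SHADOW_BAD),
                          ("after", PASSWD_FIXED, SHADOW_OK)):
        print(label, empty_password_accounts(pw, sh))
```

To check a live system, pass the contents of the local passwd file (and the shadow file, where one exists and is readable) to `empty_password_accounts` in place of the samples.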