41.3. Limiting Who Can Log In
In its normal configuration, WU-FTPD will allow any UNIX user to log in with the exception of system accounts such as root, bin, and daemon. The root user is almost always denied by default because the FTP protocol does not encrypt passwords as they are sent over the network, which means that a remote login as root could expose its password to attackers.
To change the users and groups who can log in to your system, follow these steps:
1. | On the module's main page, click on the Users and Classes icon to bring up the form shown in Figure 41.2. Figure 41.2. The users and classes page.
|
2. | |
3. | To deny users whose UIDs lie within a certain range, fill in the Unix users and UIDs to deny field. You can enter a UID range like %3000-4000, which will block all users with UIDs between 3000 or 4000. Or, you can enter ranges like %-100 or %5000-, which will deny users with UIDs less than 100 or greater than 5000, respectively. Multiple ranges can be entered, separated by spaces. Normal usernames can be used in this field as well, although this has the same effect as putting them in the Unix users to deny field. |
4. | To deny users whose primary group IDs are within certain ranges, fill in the Unix groups and GIDs to deny field. Again, you can enter ID ranges like %100–200 or %–10, as well as group names like users. Only primary group membership counts. If a user is a secondary member of one of the listed groups, he will not be blocked. |
5. | To exclude some users or groups from the deny lists defined in the previous two steps, fill in the UNIX users and UIDs not to deny and UNIX groups and GIDs not to deny fields. The first field will accept UID ranges or usernames, and the second accepts group ID ranges or group names. These fields are useful if you want to allow just a couple of users while blocking everyone else with a UID range that covers all accounts. |
6. | Hit the Save button at the bottom of the page to save and activate the new user restrictions. |
WU-FTPD will also normally prevent users from logging in whose shell is not listed in the /etc/shells file. This is normally done to allow the creation of accounts that can log in to a POP3 server, but cannot connect via telnet, SSH, or FTP. Unfortunately, there is no WU-FTPD configuration option that can be changed to turn off this shell check. It is either hard-coded into the program or enforced by the ftp PAM service that is really used to authenticate users.
If WU-FTPD on your system uses PAM (as it does on most Linux distributions), follow these steps to turn off /etc/shells checking:
1. | Go to the PAM Authentication module, which can be found under the System category on the Webmin main menu. |
2. | Click on the ftp or wu-ftpd service on the main page. |
3. | On the editing form that appears, click on pam_shells.so in the PAM module column in the Authentication steps section. |
4. | From the Failure level menu, select Optional so the success or failure of the shells file check is ignored for authentication purposes. |
5. | Click the Save button. Users with an invalid shell will no longer be able to log in to your FTP server. |
On other operating systems, the steps above are useless, as the PAM Authentication module is only available on Linux.