
FTP works only one way??!

Status
Not open for further replies.

qa3769

Programmer
Aug 30, 2000
US
Hello:


Something happened and my ITS people said it was not something they did, but I cannot FTP into my SUN Enterprise 3500 from the outside. I can FTP out of the SUN just fine, but on FTPing from the outside, once I type the password, the display shows that I am connected, then immediately, I am kicked from the FTP session. I have checked the /etc/ftpusers file (there is not one), so I know I didn't lock myself out.

Does anyone know what is wrong with my SUN? Can someone tell me how to fix this? Thanks for any information.

tommy
 
Do you have a file set up in /etc called shells?
It should contain entries like this: -
/sbin/sh
/bin/sh
/bin/csh
/bin/ksh
/usr/bin/ksh
/bin/jsh
/bin/zsh
/usr/local/bin/bash
 
This sounds like it could be a firewall thing - make sure that ports 20 and 21 are both allowed access to the Sun server. It's a common mistake for firewall admins to say "Port 20 is open so FTP is OK!" They always seem to forget that we need port 21 as well to actually get data down the line... (Port 21 is ftp-data in all the /etc/services files I can find)
 
thanks askewged:


i checked for a file /etc/shells but it does not exist. Should I create this file and put in the path to all the shells? I do remember that I installed the 'tcsh' shell, and that is the shell that most (maybe all) are using on my SUN.


tommy
 
hello askewged:


i went ahead and put in the /etc/shells file and the FTP works now. I really don't know why, but thanks for your help!!


tommy
 
Hi gede:
Can you tell me what the relation is between the /etc/shells file and ftp?

Suresh
 
Not sure exactly; I had a similar problem several months ago and a colleague gave me this solution and it worked.
I can only suppose that FTP must access the file to check which shells are valid on the machine; why, I do not know.

Ged Jones <gedejones@hotmail.com>
Top man
 
"/etc/shells" is there to make FTP a little more secure. It's there to ensure that only valid shells are runnable for users who are logging in via FTP.

Andy Bold
"I've probably made most of the mistakes already, so hopefully you won't have to..." Me, most days.
 
a relevant statement from deja/google



From: Perry Metzger (perry@morgan.com)
Subject: Re: Ftp daemon should not check /etc/shells !
Newsgroups: comp.sys.sun
Date: 1989-09-27 07:28:36 PST

In article <1701@brazos.Rice.edu> T20@psuvm.bitnet (Stephen G. Simpson) writes:
>X-Sun-Spots-Digest: Volume 8, Issue 136, message 5 of 13
[Flame about FTP checking /etc/shells. Notable bits include...]

>In my opinion, this is a bug in ftp rather than in the /etc/passwd
>procedure. Ftp should realize that the system administrator may want to
>change a user's default login shell to something unusual without putting a
>corresponding line into /etc/shells. It is obnoxious of ftp to assume
>that an account with an unusual shell (not listed in /etc/shells) is ipso
>facto illegitimate.

FTP checks /etc/shells for a VERY good reason! It was set up that way to
keep people from doing FTP to accounts that have been set up with special
shells. These accounts might have very limited privileges, but FTP would
allow you to break out and gain higher privileges from another machine if
it weren't for /etc/shells. (If you don't believe me, think about what you
could do to, say, the per user crontab, or even .profile for a restricted
shell.)

>In my opinion this behavior (on the part of the ftp daemon) is not in
>accordance with the Unix philosophy that users are permitted to use a
>shell of their choosing, provided the system administrator allows it.

Why isn't it? The system administrator indicates his willingness to let
you use a shell by putting it in /etc/shells, and you go and use chsh to
change your shell to it, and everyone is happy. The FTP daemon knows you
have a normal account, you have the shell you want, and the system
administrator doesn't have to change everyone's shell for them all the
time. (Think how much of a hassle it would be at a big site if the system
administrator had to change people's shells for them several times a day!)

/etc/shells keeps you from possibly shooting yourself in the foot while
using chsh. It also keeps other people from maliciously altering your
shell when you leave your terminal alone.

It also serves an important security purpose; it lets ftpd determine if
you are running a restricted shell of some sort or not, which we will get
to in a moment.

You seem to want to "fix" this just so that you and your system
administrator can do something odd, which is let you use a shell that
isn't in /etc/shells. Why not just put it there and be done with it?

You and your system administrator don't appear to want to change /etc/shells to keep people from using the special shell you want to use because you think bash is dangerous or something. Why not just let people, in the Unix Philosophy style, decide for themselves if they want to use it? Novices aren't going to fool with chsh on their own, so it's unlikely that they will shoot themselves in the foot, and experienced people should accept the consequences. This is much easier to live with than putting a security breach into Unix.

Perry Metzger

This message doesn't constitute my opinion. Actually, I'm just typing
on behalf of my pet Iguana, Fred.
 
I repeat, can somebody PLEASE tell me exactly how to set up the 'shells' file on my computer so I can use FTP.
 
cd to /etc
vi shells
and then enter all the valid shells you require, e.g. an example of one of our servers :-
/usr/bin/sh
/usr/bin/csh
/usr/bin/ksh
/usr/bin/jsh
/bin/sh
/bin/csh
/bin/ksh
/bin/jsh
/sbin/sh
/sbin/jsh
/usr/local/bin/bash
/bin/false

the /bin/false is the one used by the ftp user defined in the .netrc file.

Hope this helps.
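To tie together the security reasoning in the reposted Usenet message (ftpd refuses any account whose login shell is not listed in /etc/shells, so accounts given a restricted shell cannot be reached over FTP) and the setup steps just above, here is an added example; it is not code from this thread or from any ftpd. It is a POSIX shell function that emulates the check against constructed passwd and shells files, so it runs anywhere without touching the real system files. One assumption is labelled in the code: when /etc/shells is absent, the built-in fallback list is taken to be the classic /bin/sh and /bin/csh pair (the exact list varies by system), which would explain why an account using tcsh was kicked out as soon as the password was accepted.

```sh
#!/bin/sh
# Added example (not from the thread): emulate the check ftpd makes after a
# successful password, "is this account's login shell listed in /etc/shells?",
# against constructed passwd and shells files.

set -u

# ftp_shell_allowed USER PASSWD_FILE SHELLS_FILE
#   prints "allow" if USER exists and its login shell is approved, else "deny";
#   returns 0 for allow and 1 for deny.
ftp_shell_allowed() {
    user=$1
    passwd_file=$2
    shells_file=$3
    # Look up the passwd entry; an unknown account is refused before any shell check.
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd_file")
    if [ -z "$entry" ]; then
        echo deny; return 1
    fi
    # The login shell is the last field; an empty field means /bin/sh.
    shell=${entry##*:}
    [ -n "$shell" ] || shell=/bin/sh
    if [ -f "$shells_file" ]; then
        # Whole-line match, ignoring comment lines, as getusershell(3) does.
        if grep -v '^#' "$shells_file" | grep -qx "$shell"; then
            echo allow; return 0
        fi
    else
        # No shells file at all: fall back to a built-in default list.
        # ASSUMPTION: the classic /bin/sh and /bin/csh pair; real systems differ,
        # but tcsh is not in the classic defaults, matching the thread's symptom.
        case $shell in
            /bin/sh|/bin/csh) echo allow; return 0 ;;
        esac
    fi
    echo deny; return 1
}

# Constructed sample data (all names, uids and paths invented for this example).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_PASSWD=$SAMPLE_DIR/passwd
SAMPLE_SHELLS=$SAMPLE_DIR/shells
MISSING_SHELLS=$SAMPLE_DIR/no-such-shells-file   # stands in for a missing /etc/shells

cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
tommy:x:1001:10:Tommy:/export/home/tommy:/usr/local/bin/tcsh
ftponly:x:1002:10:FTP-only account:/export/ftp/ftponly:/bin/false
guest:x:1003:10:Restricted guest:/export/home/guest:/usr/lib/rsh
EOF

# A shells file in the style recommended above, plus tcsh; /bin/false is
# listed so FTP-only accounts work, the restricted shell is deliberately absent.
cat > "$SAMPLE_SHELLS" <<'EOF'
# approved login shells
/sbin/sh
/bin/sh
/bin/csh
/bin/ksh
/usr/local/bin/bash
/usr/local/bin/tcsh
/bin/false
EOF

# Walk through the cases the thread describes.
for u in tommy ftponly guest; do
    printf '%-8s with shells file:    %s\n' "$u" \
        "$(ftp_shell_allowed "$u" "$SAMPLE_PASSWD" "$SAMPLE_SHELLS")"
    printf '%-8s without shells file: %s\n' "$u" \
        "$(ftp_shell_allowed "$u" "$SAMPLE_PASSWD" "$MISSING_SHELLS")"
done
```

With the shells file present, tommy (tcsh) and ftponly (/bin/false) are allowed and guest, whose restricted shell is not listed, is denied; with the file missing, tommy is denied even though his password is correct, which is the behaviour the original poster saw. Listing /bin/false as the thread does is what lets an FTP-only account transfer files while still having no interactive login.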
 