FTP anonymous only, no account holders please


I had a client request an anonymous FTP service be configured on their Leopard server. I did this, but had a concern that users with accounts on the server might try to connect. This would be highly undesirable; FTP, as we all know, is an insecure protocol. So how to allow anonymous access only, but deny account holders with valid credentials?

I tried to configure the /Library/FTPServer/Configuration/ftpusers and ftpaccess files, but that didn't seem to work. And the accounts, actually, are not local to the machine; they're referenced from an external OpenLDAP directory. It seems that tnftpd is not clever enough to pay attention to local Open Directory groups populated with entities from external directory systems.

I thought I could do something clever with SACLs, but it's either allow or deny-by-implication; that is, if I allow everyone access to FTP, as is necessary in this situation, I can't explicitly exclude members of the staff. SACLs don't have a "deny" function (at least as far as I can tell).

Then I thought about adding ACLs to the sharepoints, but again, I can't put people in a deny group called "no_ftp_people" and put the same people in an allow group "access_via_afp". Besides, that's a lot of group management fuss, even with nesting.

Forget about using TCP Wrappers deny rules or ipfw: there are some users on campus who need anonymous access.

Finally, it dawned on me. I had tried to make a Kerberized FTP service before (and gave up). If I could set the required authentication to Kerberos, all account holders would fail. Only anonymous read-only access would be allowed, and no passwords sent over the tubes.
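A check for the resulting policy, added here as an example and not part of the original post: it confirms that anonymous login still works and that a named account cannot log in with a password. The host name, the throwaway account and its password are placeholders you supply; use an account created only for this check, because FTP sends the password in clear text whether or not the server accepts it.

```python
"""Verify an 'anonymous only' FTP policy (added example, not the post's code).

Assumptions (placeholders, not from the page): the host, the throwaway
probe account and its password are supplied by the administrator running
the check against a server they own.
"""
import ftplib

ANON_USER = "anonymous"
ANON_PASS = "probe@example.invalid"  # constructed; any e-mail-style token will do


def try_login(host, user, password, timeout=10):
    """Attempt USER/PASS and return the server's final reply line.

    ftplib raises error_perm on a 5xx reply (e.g. '530 Login incorrect.');
    the reply text is returned instead so the caller can classify it.
    """
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, 21, timeout=timeout)
        reply = ftp.login(user, password)  # '230 ...' on success
    except ftplib.error_perm as exc:
        reply = str(exc)
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()
    return reply


def evaluate(anon_reply, account_reply):
    """Decide from the two replies whether the policy holds: (ok, reason)."""
    if not anon_reply.startswith("230"):
        return False, "anonymous login refused: " + anon_reply
    if not account_reply.startswith("5"):
        return False, "account holder logged in with a password: " + account_reply
    return True, "anonymous allowed, password login for accounts refused"


def check_ftp_policy(host, account, password):
    """Run both probes against a live server and classify the result."""
    anon = try_login(host, ANON_USER, ANON_PASS)
    acct = try_login(host, account, password)  # throwaway account only
    return evaluate(anon, acct)


if __name__ == "__main__":
    import sys
    ok, why = check_ftp_policy(sys.argv[1], sys.argv[2], sys.argv[3])
    print(("PASS" if ok else "FAIL") + ": " + why)
    sys.exit(0 if ok else 1)
```

Run it as `python3 ftpcheck.py ftp.example.invalid probeuser probepass`; a 530 on the probe account only proves the policy because the account's real password was sent.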

(Eventually, I want to figure out how to use an external KDC keytab with an FTP service principal on a Mac server, but that's for another day.)


About this Entry

This page contains a single entry by Noah Abrahamson published on November 20, 2008 3:09 PM.
