FTP anonymous only, no account holders please


I had a client request that an anonymous FTP service be configured on their Leopard server. I did this, but had a concern that users with accounts on the server might try to connect. This would be highly undesirable; FTP, as we all know, is an insecure protocol. So how to allow anonymous access only, but deny account holders with valid credentials?

I tried to configure the /Library/FTPServer/Configuration/ftpusers and ftpaccess files, but that didn't seem to work. And the accounts, actually, are not local to the machine; they're referenced from an external OpenLDAP directory. It seems that tnftpd is not clever enough to pay attention to local Open Directory groups populated with entities from external directory systems.

I thought I could do something clever with SACLs, but it's either allow or deny-by-implication; that is, if I allow everyone access to FTP, as is necessary in this situation, I can't explicitly exclude members of the staff. SACLs don't have a "deny" function (at least as far as I can tell).

Then I thought about adding ACLs to the sharepoints, but again, I can't put people in a deny group called "no_ftp_people" and put the same people in an allow group "access_via_afp". Besides, that's a lot of group management fuss, even with nesting.

Forget about using TCP Wrappers to deny 171.64.0.0/14, or using ipfw; there are some users on campus who need anonymous access.

Finally, it dawned on me. I had tried to make a Kerberized FTP service before (and gave up). If I could set the required authentication to Kerberos, all account holders would fail. Only anonymous read-only access would be allowed, and no passwords sent over the tubes.

(Eventually, I want to figure out how to use an external KDC keytab with an FTP service principal on a Mac server, but that's for another day.)
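A client-side check of the resulting policy, as an added example that is not part of the original post: it uses Python's ftplib to confirm that an anonymous login is admitted while a password login for a real account is refused. The test account name, the anonymous password and the fake server class are constructed; the fake stands in for the Kerberos-only service so the script runs offline.

```python
from ftplib import FTP, error_perm

# Constructed values: the conventional anonymous login used by FTP clients.
ANON_USER = "anonymous"
ANON_PASS = "guest@example.invalid"


def login_result(connect, user, password):
    """Try USER/PASS once; return 'allowed' on success or 'denied' on a 5xx reply."""
    ftp = connect()
    try:
        ftp.login(user, password)
        return "allowed"
    except error_perm:          # e.g. 530: login refused or auth method not permitted
        return "denied"
    finally:
        try:
            ftp.quit()
        except Exception:
            pass                # server may already have dropped the control connection


def check_policy(connect, account_user, account_pass):
    """Anonymous must be admitted and a real account's password must be refused.

    connect() returns a fresh ftplib-like object. The account password travels
    in clear text, so use a disposable test account, never a live staff login.
    """
    results = {
        "anonymous_login": login_result(connect, ANON_USER, ANON_PASS),
        "account_login": login_result(connect, account_user, account_pass),
    }
    results["policy_ok"] = (results["anonymous_login"] == "allowed"
                            and results["account_login"] == "denied")
    return results


class KerberosOnlyFakeFTP:
    """Constructed stand-in for a server whose only auth method is Kerberos:
    the anonymous user gets in, any password login is answered with a 530."""
    def login(self, user="", passwd=""):
        if user in ("anonymous", "ftp"):
            return "230 Guest login ok, access restrictions apply."
        raise error_perm("530 Password authentication is not permitted here.")

    def quit(self):
        return "221 Goodbye."


if __name__ == "__main__":
    # Offline demonstration; against a real server pass lambda: FTP(host, timeout=10).
    print(check_policy(KerberosOnlyFakeFTP, "testaccount", "not-a-real-password"))
```

Run it against the real host with a throwaway account after changing the authentication setting; `policy_ok` should be True, and any "allowed" under `account_login` means password logins are still getting through.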


About this Entry

This page contains a single entry by Noah Abrahamson published on November 20, 2008 3:09 PM.
