Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!samsung!think.com!snorkelwacker.mit.edu!bloom-picayune.mit.edu!athena.mit.edu!jik
From: jik@athena.mit.edu (Jonathan I. Kamens)
Newsgroups: comp.unix.admin
Subject: Re: Setting up ftp account
Keywords: anonymous,ftp,security
Message-ID: <1991Jan16.195035.23983@athena.mit.edu>
Date: 16 Jan 91 19:50:35 GMT
References: <2790@oucsace.cs.OHIOU.EDU>
Sender: news@athena.mit.edu (News system)
Organization: Massachusetts Institute of Technology
Lines: 25

In article <2790@oucsace.cs.OHIOU.EDU>, mramakri@oucsace.cs.OHIOU.EDU (Murlidar Ramakrishnan) writes:
|> I managed to setup an anonymous ftp account on my machine. But it lets
|> people to logon to the machine with ftp as login and no password. Is there
|> a way I can avoid this? Or is there any other way to fool proof this
|> security hole?

  You can avoid this by setting up the anonymous ftp account properly.

  In particular, the password field of the "ftp" entry in the /etc/passwd
file (or the shadow password file, or whatever) should *not* be empty. Put
"*" or "*NOPASSWORD*" or something in the field, i.e. something that will
not match against any encrypted password. For example, the entry in my
/etc/passwd file says:

  ftp:*:1000:101:Anonymous FTP,,E40-342B,8495,:/site/mit/ftp:/bin/csh

  There is no reason for the password field of ftp's passwd entry to be
blank. Ftpd doesn't require it, since ftp just does a setuid() to ftp's uid
once it has verified that it is allowed to do so.

-- 
Jonathan Kamens                 USnail:
MIT Project Athena              11 Ashford Terrace
jik@Athena.MIT.EDU              Allston, MA 02134
Office: 617-253-8085            Home: 617-782-0710
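
Added example, not part of the original post: a POSIX sh check for the condition the reply describes, reporting whether an account's password field is blank or holds a value such as "*" that matches no encrypted password. The function names, the states it prints, and the sample files other than the ftp entry quoted in the post are assumptions made for illustration; it also follows an "x" field into a shadow-format file when one is supplied.

```shell
#!/bin/sh
# Added example (not from the original post): report the state of an account's
# password field in a passwd-format file, following "x" into a shadow-format file.
# Output: missing | empty | locked | shadowed | hash

pw_field_state() {
    # $1 = account, $2 = passwd-format file, $3 = optional shadow-format file
    acct=$1; passwd_file=$2; shadow_file=${3:-}
    # Prefix with "F=" so an empty field is distinguishable from "no such account".
    field=$(awk -F: -v u="$acct" '$1 == u { print "F=" $2; exit }' "$passwd_file")
    [ -n "$field" ] || { echo missing; return 0; }
    field=${field#F=}
    if [ "$field" = "x" ]; then
        # "x" conventionally means the real field is kept in the shadow file.
        s=""
        if [ -n "$shadow_file" ] && [ -r "$shadow_file" ]; then
            s=$(awk -F: -v u="$acct" '$1 == u { print "F=" $2; exit }' "$shadow_file")
        fi
        [ -n "$s" ] || { echo shadowed; return 0; }
        field=${s#F=}
    fi
    case $field in
        "")    echo empty ;;   # blank: a login as this account needs no password
        [*!]*) echo locked ;;  # "*", "*NOPASSWORD*", "!...": matches no encrypted password
        *)     echo hash ;;    # anything else is treated as an encrypted password
    esac
}

# Constructed sample files; only the "fixed" ftp line is the entry quoted in the post.
make_samples() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'ftp::1000:101:Anonymous FTP:/site/mit/ftp:/bin/csh' > "$1/passwd.weak"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'ftp:*:1000:101:Anonymous FTP,,E40-342B,8495,:/site/mit/ftp:/bin/csh' > "$1/passwd.fixed"
    # Constructed 13-character string standing in for an encrypted password.
    printf '%s\n' 'root:ab01FAX.bQRSU:18000:0:99999:7:::' > "$1/shadow.sample"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in passwd.weak passwd.fixed; do
    echo "$f: ftp is $(pw_field_state ftp "$demo_dir/$f" "$demo_dir/shadow.sample")"
done
rm -rf "$demo_dir"
```

Against a live system the same function can be pointed at /etc/passwd, with the shadow file as the third argument where one is in use and readable.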