Solaris 5.10 shell replacement for Centos 7 migration

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












2















I have an old Solaris 5.10 server. I'm migrating the tomcat products to Centos 7. There are two accounts on the Solaris server that I need to migrate. The shells for both of those accounts are identified as "/usr/local/bin/ftponly". This looks like a simple SH script, but I can't tell if it came with the server or if a previous admin (or vendor tech) wrote it. This script and "/bin/sh" are the only items in "/etc/shells".



On the new Centos 7 server, I chose "/usr/sbin/nologin" as the two users's shells. "/usr/local/bin/ftponly" on the old server is a human readable script, but "/usr/sbin/nologin" appears to be a binary file. FTP transactions on the new server with the two user accounts in question are working, and SSH is denied.



Am I good to go or are there larger considerations with the available shells? My bread and butter Linux OS is Ubuntu, so some of the security built-ins of Centos have me scratching my head at times.










share|improve this question

















  • 1





    What does ftponly do, if anything?

    – Gerard H. Pille
    Jan 29 at 6:50











  • @GerardH.Pille, echoes a message to the console and exits.

    – user208145
    Jan 29 at 21:21






  • 1





    In which case I believe you're good.

    – Gerard H. Pille
    Jan 29 at 21:25















2















I have an old Solaris 5.10 server. I'm migrating the tomcat products to Centos 7. There are two accounts on the Solaris server that I need to migrate. The shells for both of those accounts are identified as "/usr/local/bin/ftponly". This looks like a simple SH script, but I can't tell if it came with the server or if a previous admin (or vendor tech) wrote it. This script and "/bin/sh" are the only items in "/etc/shells".



On the new Centos 7 server, I chose "/usr/sbin/nologin" as the two users's shells. "/usr/local/bin/ftponly" on the old server is a human readable script, but "/usr/sbin/nologin" appears to be a binary file. FTP transactions on the new server with the two user accounts in question are working, and SSH is denied.



Am I good to go or are there larger considerations with the available shells? My bread and butter Linux OS is Ubuntu, so some of the security built-ins of Centos have me scratching my head at times.










share|improve this question

















  • 1





    What does ftponly do, if anything?

    – Gerard H. Pille
    Jan 29 at 6:50











  • @GerardH.Pille, echoes a message to the console and exits.

    – user208145
    Jan 29 at 21:21






  • 1





    In which case I believe you're good.

    – Gerard H. Pille
    Jan 29 at 21:25













2












2








2








I have an old Solaris 5.10 server. I'm migrating the tomcat products to Centos 7. There are two accounts on the Solaris server that I need to migrate. The shells for both of those accounts are identified as "/usr/local/bin/ftponly". This looks like a simple SH script, but I can't tell if it came with the server or if a previous admin (or vendor tech) wrote it. This script and "/bin/sh" are the only items in "/etc/shells".



On the new Centos 7 server, I chose "/usr/sbin/nologin" as the two users's shells. "/usr/local/bin/ftponly" on the old server is a human readable script, but "/usr/sbin/nologin" appears to be a binary file. FTP transactions on the new server with the two user accounts in question are working, and SSH is denied.



Am I good to go or are there larger considerations with the available shells? My bread and butter Linux OS is Ubuntu, so some of the security built-ins of Centos have me scratching my head at times.










share|improve this question














I have an old Solaris 5.10 server. I'm migrating the tomcat products to Centos 7. There are two accounts on the Solaris server that I need to migrate. The shells for both of those accounts are identified as "/usr/local/bin/ftponly". This looks like a simple SH script, but I can't tell if it came with the server or if a previous admin (or vendor tech) wrote it. This script and "/bin/sh" are the only items in "/etc/shells".



On the new Centos 7 server, I chose "/usr/sbin/nologin" as the two users's shells. "/usr/local/bin/ftponly" on the old server is a human readable script, but "/usr/sbin/nologin" appears to be a binary file. FTP transactions on the new server with the two user accounts in question are working, and SSH is denied.



Am I good to go or are there larger considerations with the available shells? My bread and butter Linux OS is Ubuntu, so some of the security built-ins of Centos have me scratching my head at times.







shell centos useradd usermod






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Jan 29 at 6:02









user208145user208145

1,34621215




1,34621215







  • 1





    What does ftponly do, if anything?

    – Gerard H. Pille
    Jan 29 at 6:50











  • @GerardH.Pille, echoes a message to the console and exits.

    – user208145
    Jan 29 at 21:21






  • 1





    In which case I believe you're good.

    – Gerard H. Pille
    Jan 29 at 21:25












  • 1





    What does ftponly do, if anything?

    – Gerard H. Pille
    Jan 29 at 6:50











  • @GerardH.Pille, echoes a message to the console and exits.

    – user208145
    Jan 29 at 21:21






  • 1





    In which case I believe you're good.

    – Gerard H. Pille
    Jan 29 at 21:25







1




1





What does ftponly do, if anything?

– Gerard H. Pille
Jan 29 at 6:50





What does ftponly do, if anything?

– Gerard H. Pille
Jan 29 at 6:50













@GerardH.Pille, echoes a message to the console and exits.

– user208145
Jan 29 at 21:21





@GerardH.Pille, echoes a message to the console and exits.

– user208145
Jan 29 at 21:21




1




1





In which case I believe you're good.

– Gerard H. Pille
Jan 29 at 21:25





In which case I believe you're good.

– Gerard H. Pille
Jan 29 at 21:25










1 Answer
1






active

oldest

votes


















3














This is not something that varies by operating system. It varies by FTP server software.



What counts as a real person user account in Unix is non-trivial to determine programmatically. Impersonal user accounts can both have non-empty shell fields in the system account database that point to real executables (e.g. uucico) and valid, existing, home directories (e.g. /var/spool/news).



The convention employed by at least two non-anonymous FTP servers is that a user account is a real person for FTP purposes, and can thus perform FTP login, if the shell field in its record in the system accounts database is non-empty and has a value that can be found in the system "user shells" table (/etc/shells for one of those two, per the getusershell() library function in the case of the other).



Clearly, as one can tell from the name alone, the /usr/local/bin/ftponly shell is taking advantage of this in order to have user accounts that execute what is probably a very simple emit-a-message-and-log-off program when the user attempts a terminal log-on, but that work for FTP log-on.



nologin will do the same job if it is in the user shells table. But this is specific to the FTP server software that you happen to be using. Another FTP server software on the same operating system will have quite different rules.



Bruce Guenter's twoftpd, for example, tests the value of the shell field against two configuration settings. If it matches one, the client gets read-only FTP service with the twoftpd-anon program. If it matches the other, the client gets file-upload-only FTP service with the twoftpd-drop program.



Even the software that you may be using might have complex configuration options that affect this. In vsftpd, for example, the check_shell option, the local_enable option, the pam_service_name option, and the PAM configuration for that service (including the presence and configuration of the pam_shells module) are all involved.



Further reading



  • What's the difference between /sbin/nologin and /bin/false

  • vsftpd fails pam authentication





share|improve this answer






















    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f497358%2fsolaris-5-10-shell-replacement-for-centos-7-migration%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    3














    This is not something that varies by operating system. It varies by FTP server software.



    What counts as a real person user account in Unix is non-trivial to determine programmatically. Impersonal user accounts can both have non-empty shell fields in the system account database that point to real executables (e.g. uucico) and valid, existing, home directories (e.g. /var/spool/news).



    The convention employed by at least two non-anonymous FTP servers is that a user account is a real person for FTP purposes, and can thus perform FTP login, if the shell field in its record in the system accounts database is non-empty and has a value that can be found in the system "user shells" table (/etc/shells for one of those two, per the getusershell() library function in the case of the other).



    Clearly, as one can tell from the name alone, the /usr/local/bin/ftponly shell is taking advantage of this in order to have user accounts that execute what is probably a very simple emit-a-message-and-log-off program when the user attempts a terminal log-on, but that work for FTP log-on.



    nologin will do the same job if it is in the user shells table. But this is specific to the FTP server software that you happen to be using. Another FTP server software on the same operating system will have quite different rules.



    Bruce Guenter's twoftpd, for example, tests the value of the shell field against two configuration settings. If it matches one, the client gets read-only FTP service with the twoftpd-anon program. If it matches the other, the client gets file-upload-only FTP service with the twoftpd-drop program.



    Even the software that you may be using might have complex configuration options that affect this. In vsftpd, for example, the check_shell option, the local_enable option, the pam_service_name option, and the PAM configuration for that service (including the presence and configuration of the pam_shells module) are all involved.



    Further reading



    • What's the difference between /sbin/nologin and /bin/false

    • vsftpd fails pam authentication





    share|improve this answer



























      3














      This is not something that varies by operating system. It varies by FTP server software.



      What counts as a real person user account in Unix is non-trivial to determine programmatically. Impersonal user accounts can both have non-empty shell fields in the system account database that point to real executables (e.g. uucico) and valid, existing, home directories (e.g. /var/spool/news).



      The convention employed by at least two non-anonymous FTP servers is that a user account is a real person for FTP purposes, and can thus perform FTP login, if the shell field in its record in the system accounts database is non-empty and has a value that can be found in the system "user shells" table (/etc/shells for one of those two, per the getusershell() library function in the case of the other).



      Clearly, as one can tell from the name alone, the /usr/local/bin/ftponly shell is taking advantage of this in order to have user accounts that execute what is probably a very simple emit-a-message-and-log-off program when the user attempts a terminal log-on, but that work for FTP log-on.



      nologin will do the same job if it is in the user shells table. But this is specific to the FTP server software that you happen to be using. Another FTP server software on the same operating system will have quite different rules.



      Bruce Guenter's twoftpd, for example, tests the value of the shell field against two configuration settings. If it matches one, the client gets read-only FTP service with the twoftpd-anon program. If it matches the other, the client gets file-upload-only FTP service with the twoftpd-drop program.



      Even the software that you may be using might have complex configuration options that affect this. In vsftpd, for example, the check_shell option, the local_enable option, the pam_service_name option, and the PAM configuration for that service (including the presence and configuration of the pam_shells module) are all involved.



      Further reading



      • What's the difference between /sbin/nologin and /bin/false

      • vsftpd fails pam authentication





      share|improve this answer

























        3












        3








        3







        This is not something that varies by operating system. It varies by FTP server software.



        What counts as a real person user account in Unix is non-trivial to determine programmatically. Impersonal user accounts can both have non-empty shell fields in the system account database that point to real executables (e.g. uucico) and valid, existing, home directories (e.g. /var/spool/news).



        The convention employed by at least two non-anonymous FTP servers is that a user account is a real person for FTP purposes, and can thus perform FTP login, if the shell field in its record in the system accounts database is non-empty and has a value that can be found in the system "user shells" table (/etc/shells for one of those two, per the getusershell() library function in the case of the other).



        Clearly, as one can tell from the name alone, the /usr/local/bin/ftponly shell is taking advantage of this in order to have user accounts that execute what is probably a very simple emit-a-message-and-log-off program when the user attempts a terminal log-on, but that work for FTP log-on.



        nologin will do the same job if it is in the user shells table. But this is specific to the FTP server software that you happen to be using. Another FTP server software on the same operating system will have quite different rules.



        Bruce Guenter's twoftpd, for example, tests the value of the shell field against two configuration settings. If it matches one, the client gets read-only FTP service with the twoftpd-anon program. If it matches the other, the client gets file-upload-only FTP service with the twoftpd-drop program.



        Even the software that you may be using might have complex configuration options that affect this. In vsftpd, for example, the check_shell option, the local_enable option, the pam_service_name option, and the PAM configuration for that service (including the presence and configuration of the pam_shells module) are all involved.



        Further reading



        • What's the difference between /sbin/nologin and /bin/false

        • vsftpd fails pam authentication





        share|improve this answer













        This is not something that varies by operating system. It varies by FTP server software.



        What counts as a real person user account in Unix is non-trivial to determine programmatically. Impersonal user accounts can both have non-empty shell fields in the system account database that point to real executables (e.g. uucico) and valid, existing, home directories (e.g. /var/spool/news).



        The convention employed by at least two non-anonymous FTP servers is that a user account is a real person for FTP purposes, and can thus perform FTP login, if the shell field in its record in the system accounts database is non-empty and has a value that can be found in the system "user shells" table (/etc/shells for one of those two, per the getusershell() library function in the case of the other).



        Clearly, as one can tell from the name alone, the /usr/local/bin/ftponly shell is taking advantage of this in order to have user accounts that execute what is probably a very simple emit-a-message-and-log-off program when the user attempts a terminal log-on, but that work for FTP log-on.



        nologin will do the same job if it is in the user shells table. But this is specific to the FTP server software that you happen to be using. Another FTP server software on the same operating system will have quite different rules.



        Bruce Guenter's twoftpd, for example, tests the value of the shell field against two configuration settings. If it matches one, the client gets read-only FTP service with the twoftpd-anon program. If it matches the other, the client gets file-upload-only FTP service with the twoftpd-drop program.



        Even the software that you may be using might have complex configuration options that affect this. In vsftpd, for example, the check_shell option, the local_enable option, the pam_service_name option, and the PAM configuration for that service (including the presence and configuration of the pam_shells module) are all involved.



        Further reading



        • What's the difference between /sbin/nologin and /bin/false

        • vsftpd fails pam authentication






        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Jan 29 at 8:17









        JdeBPJdeBP

        35k470165




        35k470165



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Unix & Linux Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f497358%2fsolaris-5-10-shell-replacement-for-centos-7-migration%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown






            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Displaying single band from multi-band raster using QGIS

            How many registers does an x86_64 CPU actually have?