Solaris 5.10 shell replacement for Centos 7 migration













2















I have an old Solaris 5.10 server. I'm migrating the Tomcat products to CentOS 7. There are two accounts on the Solaris server that I need to migrate. The shells for both of those accounts are identified as "/usr/local/bin/ftponly". This looks like a simple sh script, but I can't tell if it came with the server or if a previous admin (or vendor tech) wrote it. This script and "/bin/sh" are the only items in "/etc/shells".

On the new CentOS 7 server, I chose "/usr/sbin/nologin" as the two users' shells. "/usr/local/bin/ftponly" on the old server is a human-readable script, but "/usr/sbin/nologin" appears to be a binary file. FTP transactions on the new server with the two user accounts in question are working, and SSH is denied.

Am I good to go, or are there larger considerations with the available shells? My bread-and-butter Linux OS is Ubuntu, so some of the security built-ins of CentOS have me scratching my head at times.



























  • 1





    What does ftponly do, if anything?

    – Gerard H. Pille
    Jan 29 at 6:50











  • @GerardH.Pille, echoes a message to the console and exits.

    – user208145
    Jan 29 at 21:21






  • 1





    In which case I believe you're good.

    – Gerard H. Pille
    Jan 29 at 21:25















shell centos useradd usermod
















asked Jan 29 at 6:02









user208145







1 Answer


















3














This is not something that varies by operating system. It varies by FTP server software.



What counts as a real person user account in Unix is non-trivial to determine programmatically. Impersonal user accounts can both have non-empty shell fields in the system account database that point to real executables (e.g. uucico) and valid, existing, home directories (e.g. /var/spool/news).



The convention employed by at least two non-anonymous FTP servers is that a user account is a real person for FTP purposes, and can thus perform FTP login, if the shell field in its record in the system accounts database is non-empty and has a value that can be found in the system "user shells" table (/etc/shells for one of those two, per the getusershell() library function in the case of the other).



Clearly, as one can tell from the name alone, the /usr/local/bin/ftponly shell is taking advantage of this in order to have user accounts that execute what is probably a very simple emit-a-message-and-log-off program when the user attempts a terminal log-on, but that work for FTP log-on.



nologin will do the same job if it is in the user shells table. But this is specific to the FTP server software that you happen to be using. Another FTP server software on the same operating system will have quite different rules.



Bruce Guenter's twoftpd, for example, tests the value of the shell field against two configuration settings. If it matches one, the client gets read-only FTP service with the twoftpd-anon program. If it matches the other, the client gets file-upload-only FTP service with the twoftpd-drop program.



Even the software that you may be using might have complex configuration options that affect this. In vsftpd, for example, the check_shell option, the local_enable option, the pam_service_name option, and the PAM configuration for that service (including the presence and configuration of the pam_shells module) are all involved.



Further reading



  • What's the difference between /sbin/nologin and /bin/false

  • vsftpd fails pam authentication





        answered Jan 29 at 8:17









JdeBP
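The "user shells table" convention described in the answer above, as an added example that is not part of the original question or answer and is not the code of any FTP server: an account is treated as a real person for FTP purposes only if its shell field is non-empty and is listed in /etc/shells, with the table parsed the way getusershell(3) does it (blank lines and `#` comments skipped). The passwd records and the /etc/shells contents are constructed samples modelled on the question (a `/usr/local/bin/ftponly` account, a `/usr/sbin/nologin` account, an impersonal account with an empty shell field, and `uucico` as the answer's example of an impersonal account with a real executable). The `audit_live_system` helper is an assumed name that runs the same check against the host the script is executed on; a real server such as vsftpd layers further options (`check_shell`, `local_enable`, `pam_shells`) on top of this, which the model deliberately does not reproduce.

```python
"""Model of the /etc/shells convention for FTP login (added example).

Sample data below is constructed for illustration; it is not taken from
the question's servers or from any FTP server's source code.
"""
import pwd  # used only by audit_live_system(); Unix-only module
from typing import Dict, Iterable, List

# Constructed /etc/shells, modelled on the old Solaris server in the question:
# a comment line, a blank line, /bin/sh and the ftponly script.
SAMPLE_SHELLS = """\
# /etc/shells: valid login shells (constructed sample)
/bin/sh

/usr/local/bin/ftponly
"""

# Constructed passwd-style records: name:passwd:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
ftpuser1:x:1001:1001:FTP drop account:/srv/ftp/ftpuser1:/usr/local/bin/ftponly
ftpuser2:x:1002:1002:FTP drop account:/srv/ftp/ftpuser2:/usr/sbin/nologin
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:/usr/sbin/uucico
"""


def parse_shells(text: str) -> List[str]:
    """Parse /etc/shells as getusershell(3) does: one path per line,
    skipping blank lines and lines that start with '#'."""
    shells = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        shells.append(line)
    return shells


def parse_passwd(text: str) -> Dict[str, str]:
    """Return {username: shell_field} from passwd-format text."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        accounts[fields[0]] = fields[6]  # shell field may legitimately be empty
    return accounts


def ftp_login_allowed(shell: str, user_shells: Iterable[str]) -> bool:
    """The convention: shell field non-empty AND present in the shells table."""
    return bool(shell) and shell in set(user_shells)


def audit(passwd_text: str, shells_text: str) -> Dict[str, bool]:
    """Map each account to whether the convention would grant FTP login."""
    shells = parse_shells(shells_text)
    return {user: ftp_login_allowed(shell, shells)
            for user, shell in parse_passwd(passwd_text).items()}


def audit_live_system(shells_path: str = "/etc/shells") -> Dict[str, bool]:
    """Assumed helper: the same check against the running host's accounts."""
    with open(shells_path) as f:
        shells = parse_shells(f.read())
    return {p.pw_name: ftp_login_allowed(p.pw_shell, shells)
            for p in pwd.getpwall()}


if __name__ == "__main__":
    for user, ok in audit(SAMPLE_PASSWD, SAMPLE_SHELLS).items():
        print(f"{user:10s} FTP login {'allowed' if ok else 'denied'}")
```

With the constructed table, `ftpuser1` (shell `/usr/local/bin/ftponly`) is allowed and `ftpuser2` (shell `/usr/sbin/nologin`) is denied until `/usr/sbin/nologin` is appended to the shells table, which is exactly the answer's point that nologin "will do the same job if it is in the user shells table". The `news` account is denied because its shell field is empty, and `uucp` is denied because `/usr/sbin/uucico` is a real executable that is nonetheless not a listed user shell.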
