Disable SSH Login For FTP User

Overview

The below guide will show you have to create an FTP account for vsftpd and also block ssh access making a ssh account a ftp only account. This will also disable telnet access to the ssh account.

Disable SSH Login For FTP User

Secure Lock

Create The Ftp User

The ssh login account will be used as the ftp login account. So first step is to create the ssh user. Since this will be the FTP username choose name you wish to use are your ftp username. someusername is the username I am using as an example for this tutorial. We will disable ssh access later on.

Enable FTP Login Using SSH Account

In order to allow local ssh users to be able to ftp in, you need to set local_enable=YES in your vsftpd.conf file. That will allows any users on the system, to gain access to the server through FTP.

adduser someusername

Disable SSH Login For FTP User

Open up your passwd file which is usually located under /etc/passwd. Now change the default shell which would be similar to /bin/bash to your ftp only shell which I will create as /etc/ftponly. I created the file under /etc/ftponly however you can place the file anywhere you see fit.

someusername:x:1017:1017:,,,:/home/someusername:/etc/ftponly

Create the ftponly shell file

Now create the ftponly file of /etc/ftponly and type in a scary message to deter trespassers. Save the file in the location you specified in the passwd file located at /etc/passwd.

#!/bin/sh
echo "Welcome to my FTP Webserver. Please note that all activity is tracked for security purposes!"
exit

Ensure the file can be executed

chmod a+x /etc/ftponly

Step 5 – Add ftponly as a valid shell

Add our file /etc/ftponly to the list of valid shells. Simply add the following line to the end of your shells file which is located at /etc/shells. Your shells file will look something like this:

# /etc/shells: valid login shells
/bin/csh
/bin/sh
/usr/bin/es
/usr/bin/ksh
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/bin/bash
/bin/rbash
/usr/bin/screen
/etc/ftponly

All Done!

Now when people try to ssh or telnet into the server, they will see the message “Welcome to my FTP Webserver. Please note that all activity is tracked for security purposes!” and they won’t be able to gain any further access however they will still be able to login using FTP.

Warning Note!

If the shells file /etc/shells file doesn’t exist, you will need to add in the other shells similar to above since you will be overriding the default shells. If you fail to do so, you could prevent any further ssh access.