List: proftpd-users
Subject: Re: [Proftpd-user] Allowing just sftp and anonymous ftp?
From: James Pearson <james-p () moving-picture ! com>
Date: 2011-03-11 17:42:41
Message-ID: 4D7A5F11.8060206 () moving-picture ! com
James Pearson wrote:
>>Not currently, no. And in general, we try to resist requests to support
>>such a thing.
>>
>>The reason is that this would allow a would-be attacker to know whether
>>the USER name just sent is valid/special in some way or not. By
>>deliberately waiting to close a connection until after both USER and
>>PASS have been sent, a would-be attacker doesn't know whether the
>>connection was closed because the USER name wasn't known, or because the
>>PASS command was wrong, or because of some other policy restriction.
>>The policy of not closing a connection until after the PASS command
>>prevents proftpd from "leaking" information about valid system accounts.
>
> I appreciate and accept that - but in my (special?) case, I would want
> all users except anonymous to be rejected before the password prompt, so
> in this case, no leaking of valid usernames can happen.
I've hacked up something that I think achieves what I need - and
attached a patch against 1.3.3d if anyone else might find this useful.
James Pearson
["anonftponly.patch" (text/plain)]
--- ./modules/mod_auth.c.dist 2010-07-27 01:38:23.000000000 +0100
+++ ./modules/mod_auth.c 2011-03-11 16:47:34.584691594 +0000
@@ -1808,6 +1808,7 @@ MODRET auth_user(cmd_rec *cmd) {
char *denymsg = NULL, *user, *origuser;
int failnopwprompt = 0, aclp, i;
unsigned char *anon_require_passwd = NULL, *login_passwd_prompt = NULL;
+ char *anonftponly = NULL;
if (logged_in)
return PR_ERROR_MSG(cmd, R_503, _("You are already logged in"));
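Review bot: the new `anonftponly` is declared as `char *`, but the value it will point at is stored as an `unsigned char` (the directive handler later in this patch allocates `sizeof(unsigned char)` and writes `(unsigned char) bool` into it), and the neighbouring flags on the line above, `anon_require_passwd` and `login_passwd_prompt`, are `unsigned char *`. Declare it as `unsigned char *anonftponly = NULL;` so the later `*anonftponly == TRUE` test reads back exactly the type the handler wrote.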
@@ -1926,6 +1927,8 @@ MODRET auth_user(cmd_rec *cmd) {
session.user = NULL;
session.group = NULL;
+ anonftponly = get_param_ptr(TOPLEVEL_CONF, "AnonFtpOnly", FALSE);
+
if (nopass) {
pr_response_add(R_331, _("Anonymous login ok, send your complete email "
"address as your password"));
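Review bot: the lookup is pinned to `TOPLEVEL_CONF`, so an `AnonFtpOnly` directive written inside an `<Anonymous>` block (which the handler's `CHECK_CONF` permits via `CONF_ANON`, and which `CF_MERGEDOWN` suggests is meant to propagate) is never consulted here. Either drop `CONF_ANON` from the handler so the directive is only accepted where this lookup will find it, or resolve it from the configuration context that applies to the session rather than the top level.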
@@ -1955,6 +1958,12 @@ MODRET auth_user(cmd_rec *cmd) {
pr_cmd_dispatch(fakecmd);
+ } else if (anonftponly != NULL && *anonftponly == TRUE) {
+
+ pr_response_send(R_530, _("Only Anonymous FTP allowed."));
+
+ end_login(0);
+
} else {
pr_response_add(R_331, _("Password required for %s"), cmd->argv[1]);
}
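Review bot: this branch is taken for every USER that did not set `nopass`, and the `nopass` case shown above is the password-less anonymous reply, so an anonymous login that does require a password (`AnonRequirePassword`, the `anon_require_passwd` flag declared in the first hunk) no longer gets its 331 prompt and is refused with 530 as well; if that is intended, say so in the directive's description, otherwise test for the anonymous user rather than for `nopass`. Also consider recording the refusal with `pr_log_auth()` before `end_login(0)`, so rejected non-anonymous USER attempts appear in the auth log alongside other login failures instead of only as a closed connection.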
@@ -3049,6 +3058,26 @@ MODRET set_userpassword(cmd_rec *cmd) {
return PR_HANDLED(cmd);
}
+MODRET set_anonftponly(cmd_rec *cmd) {
+ int bool = -1;
+ config_rec *c = NULL;
+
+ CHECK_ARGS(cmd, 1);
+ CHECK_CONF(cmd, CONF_ROOT|CONF_VIRTUAL|CONF_GLOBAL|CONF_ANON);
+
+ bool = get_boolean(cmd, 1);
+ if (bool == -1)
+ CONF_ERROR(cmd, "expected Boolean parameter");
+
+ c = add_config_param(cmd->argv[0], 1, NULL);
+ c->argv[0] = pcalloc(c->pool, sizeof(unsigned char));
+ *((unsigned char *) c->argv[0]) = (unsigned char) bool;
+
+ c->flags |= CF_MERGEDOWN;
+ return PR_HANDLED(cmd);
+}
+
+
/* Module API tables
*/
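Review bot: the new directive arrives with no documentation; a short description of `AnonFtpOnly` (what it rejects, the contexts in which it is valid, and that it defaults to off) should accompany the patch, since the only hint of its behaviour is the 530 string in `auth_user()`. Minor style point: one of the two blank `+` lines before the `/* Module API tables` comment should go, and the `CONF_ANON` context in `CHECK_CONF` should match where the value is actually looked up.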
@@ -3083,6 +3112,7 @@ static conftable auth_conftab[] = {
{ "UserAlias", set_useralias, NULL },
{ "UserDirRoot", set_userdirroot, NULL },
{ "UserPassword", set_userpassword, NULL },
+ { "AnonFtpOnly", set_anonftponly, NULL },
{ NULL, NULL, NULL }
};
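Review bot: `auth_conftab` is kept in alphabetical order (the surrounding entries run `UserAlias`, `UserDirRoot`, `UserPassword`), so `"AnonFtpOnly"` belongs with the other `Anon*` directives near the top of the table rather than appended after the last `User*` entry; keeping the order makes the directive easier to find and keeps future merges of this table clean.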