# FTP access without shell access



## JayDogg (Apr 10, 2014)

Hello everyone,

I have been using BSD for more years than I can count but just recently built my first box with a firewall, Apache webserver, SQL server and client and so on. I did this more or less just to learn how to be an administrator and to get much more familiar with shell access and doing everything on the command line. I have been very happy with my progress but for the life of me I cannot seem to get a user to just have FTP without having shell access. So as of right now I'm using ftpd(8) with ftpchroot to lock users in directories and was trying to take away shell access by changing shell to /bin/nologin/ but when I do that `ftp` stops working. Maybe I'm missing a step because when I search around on the internet I see people saying that is the correct way. If anyone could help me out it would be greatly appreciated.


----------



## user222 (Apr 10, 2014)

Since FTP is not encrypted, I use sftp, with the following config bits in sshd_config:


```
# The Match criterion can be set to a group as well
Match User fred
ChrootDirectory /home/fred/
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
```
It's now sftp only. When I try to ssh (or scp) to this user account I get:


```
Could not chdir to home directory /home/fred: No such file or directory
This service allows sftp connections only.
Connection to host closed.
```


----------



## SirDice (Apr 10, 2014)

JayDogg said:

> So as of right now I'm using ftpd(8) with ftpchroot to lock users in directories and was trying to take away shell access by changing shell to /bin/nologin/ but when I do that `ftp` stops working. Maybe I'm missing a step because when I search around on the internet I see people saying that is the correct way.



This is because ftpd(8):

```
The ftpd utility authenticates users according to six rules.
 {...snip...}
           4.   The user must have a standard shell returned by
                getusershell(3).
```

See shells(5) and /etc/shells:

```
# $FreeBSD: stable/9/etc/shells 59717 2000-04-27 21:58:46Z ache $
#
# List of acceptable shells for chpass(1).
# Ftpd will not allow users to connect who are not using
# one of these shells.

/bin/sh
/bin/csh
/bin/tcsh
```
Adding /usr/sbin/nologin to /etc/shells should allow ftpd to be used.

Another option is of course to use an FTP daemon that doesn't have this restriction.


----------
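
The ftpd(8) shell rule quoted in the post above can be checked offline against copies of the account and shell lists; this is an added example, not part of any post in this thread. It approximates rule 4 as an exact string match between the user's passwd(5) shell field and the entries of a shells(5) file, and the function names, users and file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: approximate ftpd(8) rule 4 offline against copies of
# passwd(5) and shells(5). All users and file contents are constructed.

# Print the login shell recorded for user $2 in passwd-format file $1.
# ftpd falls back to /bin/sh when the shell field is empty.
user_shell() {
    awk -F: -v u="$2" '$1 == u { print ($7 == "" ? "/bin/sh" : $7); exit }' "$1"
}

# Succeed if shell path $2 is listed in shells-format file $1.
# The comparison is an exact string match, so /sbin/nologin and
# /usr/sbin/nologin count as two different entries.
shell_listed() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -Fxq -- "$2"
}

# Report whether the shell rule would accept user $3.
# $1 = passwd file, $2 = shells file. Returns 0 on accept, 1 on refuse.
check_ftp_user() {
    sh_path=$(user_shell "$1" "$3")
    if [ -z "$sh_path" ]; then
        echo "$3: no such user"; return 2
    fi
    if shell_listed "$2" "$sh_path"; then
        echo "$3: shell $sh_path is listed, rule 4 passes"; return 0
    fi
    echo "$3: shell $sh_path is NOT listed, ftpd refuses login"; return 1
}

# Constructed sample data, written under directory $1.
make_sample() {
    printf '%s\n' \
        'alice:*:1001:1001:Alice:/home/alice:/bin/tcsh' \
        'ftpbob:*:1002:1002:Bob:/home/ftpbob:/usr/sbin/nologin' \
        'carol:*:1003:1003:Carol:/home/carol:' > "$1/passwd"
    printf '%s\n' '# List of acceptable shells' '' \
        '/bin/sh' '/bin/csh' '/bin/tcsh' '/sbin/nologin' > "$1/shells"
}

tmp=$(mktemp -d)
make_sample "$tmp"
for u in alice ftpbob carol; do
    check_ftp_user "$tmp/passwd" "$tmp/shells" "$u"
done
rm -rf "$tmp"
```

In the constructed data, `ftpbob` is refused because the account uses `/usr/sbin/nologin` while the list contains only `/sbin/nologin`; the other five ftpd rules are not modelled.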



## JayDogg (Apr 10, 2014)

Thanks for the reply, here is what I had in /etc/shells:

```
/bin/sh
/bin/csh
/bin/tcsh
/sbin/nologin
```

So I changed it to /usr/sbin/nologin, pretty sure that /usr/ part doesn't matter but worth a try. But I still get the same 530 user error as soon as I try to `ftp` in. One odd thing I did notice is when I go to add a new user, here is my list of shells to pick from: `Shell (sh csh tcsh nologin nologin)`. See how nologin is listed twice, is that normal? Maybe that has something to do with my problem.


----------



## JayDogg (Apr 17, 2014)

So does anyone have any ideas why this is not working for me? I double-checked /etc/shells/ and everything looks right. I have:

```
/bin/sh
/bin/csh
/bin/tcsh
/sbin/nologin
```
I still don't understand how I have two `nologin` entries when I go to add a new user, and if I set a user to `nologin` it locks them out with a 501 error.

Any and all help would be great.


----------

