Harsh but fair

Open source chicanery and the battle with my inner geek

proFTPd, shells and nobody

Posted by raetsel on March 28, 2007

I’ve been working with proFTPd recently with a view to using it at work for our main FTP server. I’ve been really impressed with its ease of configuration. I had it running with TLS authentication in about 20 minutes after I got the basic config set up, and that included reading the doco.

I’ve found a couple of little “gotchas” that I thought I would share.

The first is one I’ve known of old but it often catches the unwary. If you are using real user accounts for your FTP login then it is quite common to set the user’s shell to be /usr/bin/false (it’s the last field in the /etc/passwd file). This is so that you can’t actually log on with, say, telnet as that user.

However /usr/bin/false needs to be added to /etc/shells to make it a valid login shell. Without this when you try to ftp as a user that has a shell of /usr/bin/false you’ll get a “530 Login incorrect. Login failed.” regardless of whether you get the password right or not.
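As an added example (not part of the original post), here is a small shell function that lists the accounts whose login shell is missing from the shells file, which are the ones that would hit the 530 error described above. The function names and the sample accounts are constructed for illustration; with no arguments it reads /etc/passwd and /etc/shells.

```shell
#!/bin/sh
# Added example (not from the original post): report accounts whose login
# shell is not listed in the shells file, i.e. the ones that would get the
# "530 Login incorrect" described above.

# audit_ftp_shells [passwd_file] [shells_file]
# Prints "user<TAB>shell" for each mismatch. Returns 2 if a file is unreadable.
audit_ftp_shells() {
    passwd_file=${1:-/etc/passwd}
    shells_file=${2:-/etc/shells}
    [ -r "$passwd_file" ] && [ -r "$shells_file" ] || return 2
    awk -F: '
        # First file: valid shells. Strip comments and whitespace.
        FILENAME == ARGV[1] {
            sub(/#.*/, ""); gsub(/[ \t]/, "")
            if ($0 != "") valid[$0] = 1
            next
        }
        # Second file: passwd entries; field 7 is the login shell.
        /^[^#]/ && NF >= 7 && !($7 in valid) {
            print $1 "\t" ($7 == "" ? "(empty)" : $7)
        }
    ' "$shells_file" "$passwd_file"
}

# Constructed sample data: ftpuser1 has /usr/bin/false, which the sample
# shells file does not list until it is appended.
audit_ftp_shells_demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' \
        'root:x:0:3::/:/sbin/sh' \
        'ftpuser1:x:201:20:FTP only:/home/ftpuser1:/usr/bin/false' \
        'alice:x:202:20::/home/alice:/usr/bin/sh' > "$dir/passwd"
    printf '%s\n' '# constructed shells file' '/sbin/sh' '/usr/bin/sh' > "$dir/shells"
    echo "before:"; audit_ftp_shells "$dir/passwd" "$dir/shells"
    echo '/usr/bin/false' >> "$dir/shells"
    echo "after:";  audit_ftp_shells "$dir/passwd" "$dir/shells"
    rm -rf "$dir"
}

audit_ftp_shells_demo
```

Run it before and after editing /etc/shells: an FTP-only account that still appears in the output has a shell the system does not consider valid.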

The second gotcha was a new one on me. I decided to try proftpd in standalone mode and for this I took the default config options of a User of nobody and a group of nogroup.

Now on HP-UX the user “nobody” has a UID of -2, which as mentioned in the doco causes problems, so I changed it to a large number out of the way of the other UIDs in /etc/passwd. I chose 30000.

So now I could run proftpd ok but when I gave it the HUP kill signal to get it to re-read the config it died and left a message in syslog saying “Fatal: User: Unknown user ‘nobody’, ” even though when I restarted the daemon it ran perfectly well as user nobody.

The solution was to use a smaller value in /etc/passwd for “nobody”, namely 3000, and now I can send a HUP to the daemon and it re-reads its config without any problems.

3 Responses to “proFTPd, shells and nobody”

  1. Jim said

    adding /bin/false to /etc/shells? Wow, being a noob, I would have spent days looking for that fix! Thank you for posting that gotcha!

  2. [...] http://raetsel.wordpress.com/2007/03/28/proftpd-shells-and-nobody/ [...]

  3. Steve said

    Yea… uh.. I did spend days looking for that fix! Thanks!
