Mac OSX Server FTP Server Administration

Posted on January 29, 2008. Filed under: Hardware, Leopard, OSX, Servers, Software, Xserve

FTP Only Accounts Under Mac OS X

The following howto describes how to set up ftp-only accounts using Mac OS X’s built-in ftp server (lukemftpd).

This outline requires you to use Terminal and NetInfo Manager, and to have admin privileges on the machine in question.

Warning: You can muck things up quite seriously using NetInfo Manager. At the very least, make sure you have a recent, full backup of the machine you’re planning to set up before going any further.

To create ftp only accounts we need to:

  1. Create an ftp login shell
  2. Restrict our prospective ftp user to their folder
  3. Create the user account
  4. Create a folder for the new user
  5. Give the user a password

Create An FTP Login Shell

To create an ftp login shell we need to copy or link /sbin/nologin to /sbin/ftplogin. We’ll create a symbolic link from /sbin/nologin to /sbin/ftplogin. To do this:

  1. Fire up Terminal
  2. Type “sudo ln -s /sbin/nologin /sbin/ftplogin” (without the quotes)
  3. Hit return
  4. Type in your admin user’s password when prompted

Now we need to add the new “shell” to the list of shells available to the system. To do this we need to add “/sbin/ftplogin” to the list of shells given in the file found at /etc/shells. In Terminal:

  1. Type “sudo pico /etc/shells”. This’ll open up the file “shells” in a simple text editor in Terminal
  2. Hit return
  3. Type in your admin user’s password if prompted
  4. Add the string “/sbin/ftplogin” (without the quotes) on a new line at the end of the list of shells available. This’ll give you a final list similar to:

    /bin/bash
    /bin/csh
    /bin/sh
    /bin/tcsh
    /bin/zsh
    /sbin/ftplogin

  5. Type ctl + “o”. That’s the letter “o” while holding down the control key
  6. Hit return
  7. Type ctl + “x” to eXit Pico

Restrict User To Their Folder

We’re setting this up now so that as soon as the user we’re creating gains access to our machine, they’re restricted to their home folder (which becomes their ftp root). All we have to do is create the file /etc/ftpchroot if it doesn’t exist and then add the prospective user’s username to the file.

  1. In Terminal, type “cd /etc” (without the quotes; from here on, I’ll assume you’re ignoring the quotes)
  2. Check to see whether the file “ftpchroot” exists. If it doesn’t, type “sudo touch ./ftpchroot” and give your admin password if prompted for it

Now we need to add the username to the created file. Using pico:

  1. In Terminal type “sudo pico ./ftpchroot”. This’ll open up the file “ftpchroot” in a simple text editor in Terminal
  2. Type in your prospective ftp user’s username. Ours is “fred”. For safety, make the username all lowercase letters only – although we’ll let you have the underscore (“_”) too.
  3. Type ctl + “o”. That’s the letter “o” while holding down the control key
  4. Hit return
  5. Type ctl + “x” to eXit Pico

Create User Account

We do this in NetInfo Manager. I’m going to talk you through doing this the long-winded way – but once you’ve got one account set up, I’d suggest you duplicate an existing account and modify it as appropriate.

  1. Fire up NetInfo Manager
  2. At the bottom of the pane, click the little lock symbol and supply your admin username and password to unlock NetInfo Manager
  3. In the lefthand column, select “/”
  4. In the middle column select “users”
  5. Click the “New” icon at the top of the pane. This will create a new user called “new_directory”.

Now we need to modify this user account to give it the properties we’re after. Some of these properties will depend on your setup and how you want to administer your machine. We’ll use some reasonable settings but you may want to change these.

Before we go further, we do need to check what the next available user id (uid) is. To do this, click through your users in NetInfo Manager (ignoring the system users if you know what these are) making a note of the highest uid. In my case it’s 503. This means that my next user is going to be 504. Alternatively, start a new series for ftp users starting at 601.

Having done this, with the user “new_directory” selected in NetInfo Manager:

  1. Select the “name” property in the bottom half of the pane. Double click on the Value “new_directory” to select it and type in your username. In our example our username, as added to the ftpchroot file is “fred” – so that’s what we’ll type here.
  2. Create a new property by clicking on the “New” icon at the top of the pane. This will create a new property called “new_property”. Change the property name to “uid”. Now change its value “new_value” to the next available uid – or, if you’re starting a new series, 601.
  3. Add a new property for the group id – “gid”. We’ll set this to “20”. i.e. Create the new property, select “new_property” and type “gid”. Select “new_value” and type “20”.
  4. Follow this procedure to add:
    Property Value(s)
    expire   0
    change   0
    shell   /sbin/ftplogin
    home   /Users/<username>

    Where the text “<username>” in the last property (“home”) is the username of the user you’re adding. In our example “fred”. So the value for the property “home” would be “/Users/fred”. This means the bottom of your NetInfo Manager pane should end up looking something like:

    Property Value(s)
    home   /Users/fred
    shell   /sbin/ftplogin
    change   0
    expire   0
    gid   20
    uid   504
    name   fred

    2006-04-18: We’ve been contacted by Esben Sørensen and Antoine Durr over the weekend, both of whom make the observation that “realname” needs to be added to the properties listed here. i.e. we should end up with:

    Property Value(s)
    home   /Users/fred
    shell   /sbin/ftplogin
    change   0
    expire   0
    gid   20
    uid   504
    name   fred
    realname   Fred

    So, add the “realname” property “else the account’s system preference pane will henceforth come up blank due to an incorrect/invalid realname” (Antoine Durr).

    Thanks to Esben and Antoine.

  5. Make sure you remember the uid as you’ll need it in a sec.
  6. Close NetInfo Manager saving and confirming the save as you go.

Create A User Folder

We need to create a user folder and then change its ownership (and permissions) to reflect those of the newly created user.

  1. In Terminal, type “cd /Users”. Typing “ls” will give you a list of the existing user folders on your machine
  2. Type “mkdir <username>” where <username> is the new user’s username. We’ll be typing “mkdir fred”
  3. Change the owner of this folder by typing “sudo chown <uid>:20 ./<username>”, where <uid> is the uid for the user you added (and made a mental note of) and <username> is the username…. OK. You’ve got the idea. Oh. If you’re prompted for a password, give your admin password.
  4. Change the permissions of this folder so that we can all access it (if you know what you’re doing here, set the permissions as you see fit): “sudo chmod 777 ./<username>”

Now we’re on the home stretch.

Give The User A Password

The next step is to give the newly created user a password. To do this, in Terminal:

  1. Type “sudo passwd <username>”. (So we’ll be typing “sudo passwd fred”).
  2. Type in the new password at the prompt.
  3. Retype it as prompted.

NAT?

If you’re behind a router or firewall which does Network Address Translation (NAT), there’s one more thing. Passive FTP requires the machine offering the FTP service to return its IP address and a port on which it’ll be listening. If you’re on a NATed network, it’s likely that the FTP server is going to return its internal IP address rather than the external address you’d prefer it to give. To get around this:

  1. Create the file /etc/ftpd.conf
  2. Add the line “advertise all <host>” where <host> is either the host name or external IP address for the FTP server.
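The Terminal side of the steps above (ftp login shell, ftpchroot entry, home folder, the ftpd.conf advertise line) plus a post-check, as an added example that is not part of the original post; the function names and the ROOT prefix are my own, and the home folder gets 770 rather than 777 so other local accounts cannot write into it.

```shell
#!/bin/sh
# Added example (not from the original post): the Terminal half of the
# howto as idempotent functions, plus a post-check. Every function takes a
# ROOT prefix ("" for the live system) so the steps can be rehearsed against
# a scratch directory first. Assumes lukemftpd reads /etc/shells,
# /etc/ftpchroot and /etc/ftpd.conf exactly as described above.

append_once() {                 # append_once FILE LINE: add LINE unless present
    touch "$1"
    grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >>"$1"
}

register_ftp_shell() {          # register_ftp_shell ROOT
    # /sbin/ftplogin is a link to /sbin/nologin, listed in /etc/shells
    mkdir -p "$1/sbin" "$1/etc"
    [ -e "$1/sbin/ftplogin" ] || [ -L "$1/sbin/ftplogin" ] ||
        ln -s /sbin/nologin "$1/sbin/ftplogin"
    append_once "$1/etc/shells" /sbin/ftplogin
}

chroot_ftp_user() {             # chroot_ftp_user ROOT USER
    # only lowercase letters and underscore, as the post recommends
    case "$2" in ""|*[!a-z_]*) echo "rejecting username '$2'" >&2; return 1 ;; esac
    append_once "$1/etc/ftpchroot" "$2"
}

make_ftp_home() {               # make_ftp_home ROOT USER UID  (needs root)
    # 770 instead of the post's 777: the user and group staff (20) can use
    # the folder, every other local account is kept out
    mkdir -p "$1/Users/$2" && chown "$3:20" "$1/Users/$2" && chmod 770 "$1/Users/$2"
}

advertise_external() {          # advertise_external ROOT HOST  (NAT fix)
    f="$1/etc/ftpd.conf"; touch "$f"
    { grep -v '^advertise ' "$f"; printf 'advertise all %s\n' "$2"; } >"$f.new" &&
        mv "$f.new" "$f"
}

verify_ftp_user() {             # verify_ftp_user ROOT USER: 0 if all checks pass
    grep -qxF /sbin/ftplogin "$1/etc/shells" || { echo "shell not registered" >&2; return 1; }
    grep -qxF -- "$2" "$1/etc/ftpchroot"     || { echo "$2 not in ftpchroot" >&2; return 1; }
    [ -d "$1/Users/$2" ]                      || { echo "no home folder" >&2; return 1; }
    case "$(ls -ld "$1/Users/$2")" in         # 9th char of the mode = other-write
        ????????w*) echo "home is world-writable (chmod 777?)" >&2; return 1 ;;
    esac
}
```

Run it against a scratch ROOT first (e.g. a directory under /tmp) and only then with ROOT="" and sudo; make_ftp_home is the one function that needs root for the chown.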

Done

Restart the FTP server to ensure that all the caches are flushed and then see whether you can log-in via ftp as the new user. The easiest way of doing this is to turn FTP off and then on again in System Preferences -> Sharing.


3 Responses to “Mac OSX Server FTP Server Administration”


Leopard does not have NetInfo Manager; would one simply use “Directory” instead?
Is this tut obsolete?

I am on OS X Leopard – I used the regular file sharing without restrictions, but I have some issues with some users getting access to other files.

This is great; however, users are getting timed out. The LIST is blank. The log shows it’s logged in and everything works well, except that the listing is blank – I cannot see anything. Is there any chmod to be done? I re-checked all the steps a few times and all is well for me; I did everything perfectly.

In Mac OS X 10.5, NetInfo Manager no longer exists. Some revision of the procedure is needed.

