The Artima Developer Community

Python Buzz Forum
UNIX hackery: Modifying lukemftpd for ftp hosting that doesn't suck

Phillip Pearson


Phillip Pearson is a Python hacker from New Zealand
Posted: Dec 3, 2003 1:41 AM

This post originated from an RSS feed registered with Python Buzz by Phillip Pearson.
Original Post: UNIX hackery: Modifying lukemftpd for ftp hosting that doesn't suck
Feed Title: Second p0st
Feed URL: http://www.myelin.co.nz/post/rss.xml
Feed Description: Tech notes and web hackery from the guy that brought you bzero, Python Community Server, the Blogging Ecosystem and the Internet Topic Exchange
My project for tonight is to modify lukemftpd (the FreeBSD FTP server; see also lukemftpd source) to make it useful for hosting FTP for web hosting farms.

All the FTP servers I've looked at process logins using the system password file or whatever method is used for validating interactive user logins. I don't really like this, because FTP usually requires a plaintext password to be transmitted, so if the FTP password is the same as the user's login password, one snooped FTP login can reveal a user's login details and allow an attacker to obtain an interactive session over SSH.

So ... I'm modifying lukemftpd to let you specify a /etc/passwd-like file that will be used to validate logins.

The result of this will be that you'll be able to have users who don't exist on the host system but are able to log in over FTP, and will be chrootable to wherever you like. So, for example, you'd be able to create a user just for Blogger. That user would be chrooted to the /www/root/blog/ directory, and would have a password that won't permit access to any other system services. This greatly reduces the harm in giving Blogger your FTP login name and password.

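A sketch of the separate login file described above, as an added example that is not lukemftpd's code or the author's patch. It assumes a seven-field passwd-style layout whose password field holds a PBKDF2 hash and whose home field is the chroot directory; the field format, function names and sample entries are constructed for illustration.

```python
import hashlib
import hmac
import posixpath

ITERATIONS = 100_000  # assumed work factor for this sketch

def hash_password(password, salt, iterations=ITERATIONS):
    """Build the password field: pbkdf2$<iterations>$<salt hex>$<digest hex>."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"

def load_users(text):
    """Parse passwd-style lines, skipping malformed or unsafe entries."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.startswith("#") or len(fields) != 7:
            continue
        name, pwfield, uid, gid, _gecos, home, _shell = fields
        if not (uid.isdecimal() and gid.isdecimal()) or int(uid) == 0:
            continue  # never map an FTP-only account to root
        # Chroot target must be absolute and already normalised (no "..").
        if not home.startswith("/") or posixpath.normpath(home) != home.rstrip("/"):
            continue
        users[name] = (pwfield, int(uid), int(gid), home)
    return users

_DUMMY = hash_password("", b"\x00" * 16)  # burned for unknown user names

def authenticate(users, name, password):
    """Return (uid, gid, chroot_dir) on success, None on any failure."""
    entry = users.get(name)
    pwfield = entry[0] if entry else _DUMMY
    try:
        scheme, iters, salt_hex, _digest = pwfield.split("$")
        candidate = hash_password(password, bytes.fromhex(salt_hex), int(iters))
    except ValueError:
        return None
    same = hmac.compare_digest(candidate.encode(), pwfield.encode())
    return entry[1:] if entry and scheme == "pbkdf2" and same else None

# Constructed sample file: one FTP-only user and two entries that are refused.
SAMPLE = "\n".join([
    "blogger:" + hash_password("constructed-pw", bytes(range(16)))
    + ":2001:2001:Blogger upload:/www/root/blog/:/sbin/nologin",
    "evil:x:0:0::/www/root:/sbin/nologin",
    "escape:x:2002:2002::/www/root/../../etc:/sbin/nologin",
])
```

Because the lookup never touches the system password database, a credential captured from a plaintext FTP session is valid only for this file's entry and its chroot directory.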
