Disable ftp for user

[ViAdCk]

Hello,

One of our clients wants to disable ftp access for his main user account and only allow access through additional ftp accounts created.
Does anyone know how this can be achieved? We run pure-ftp as the ftp server.

Thanks and regards!

 

[zEitEr]

Hello,

You might try and use .ftpaccess file.

I did search for a guide, but found little information. So you might try it yourself: https://www.google.com/search?q=ftpaccess

The guide I found states the file .ftpaccess does not work recursively - it should be tested and verified. I'm under an impression it works recursively at least for ProFTPd.

You will probably need to place it directly under /home/username/ i.e. /home/username/.ftpaccess and disable main FTP account there. And you will need to make the file inaccessible from secondary FTP accounts, otherwise they might overwrite it. I.e. secondary FTP account will need to be pointed one or several folders deeper in the disk structure from the user's homedir /home/username/.

Anyway test it on your end first, I don't guarantee that the directives will work for Pure-FTPd the same way as for ProFTPd.

- Restricting access to specific FTP users

You can prevent access to a directory for specific FTP users (e.g. restricted_user_1 and restricted_user_2) by adding the following code block to an .ftpaccess file in that directory:

<Limit ALL>
DenyUser restricted_user_1,restricted_user_2
</Limit>

Note: Since .ftpaccess files do not work recursively, you will need to add a separate .ftpaccess file to all directories where you wish the custom FTP configuration to take effect. <-- TEST IT FIRST

- Allowing access only to specific FTP users

To grant access to a directory only for specific FTP users (e.g. allowed_user_1 and allowed_user_2), you should add the following code block to an .ftpaccess file in that directory:

<Limit ALL>
AllowUser allowed_user_1,allowed_user_2
DenyAll
</Limit>

Note: Since .ftpaccess files do not work recursively, you will need to add a separate .ftpaccess file to all directories where you wish the custom FTP configuration to take effect. <-- TEST IT FIRST

 

[Richard G]

One of our clients wants to disable ftp access for his main user account

I don't know the reason, but alternatively you could also just use some impossible strong password for that and just not give the password to anybody. Nobody can use it then.

 

[ViAdCk]

I don't know the reason, but alternatively you could also just use some impossible strong password for that and just not give the password to anybody. Nobody can use it then.

But then the user can't access his directadmin either.

He just want to enable/disable ftp access for security reasons, this is a feature cpanel has for example.

 

[Richard G]

But then the user can't access his directadmin either.

No. I don't know how this is done in Evo skin. But in Enhanced skin, you can change the FTP password and de-select the Directadmin password, just as admin and reseller can and then only the FTP password is changed.

I don't see an option to deselect Directadmin in Evo skin, either it's missing or I don't see it, I normally don't use Evo. Just because of these things.

 

[zEitEr]

But then the user can't access his directadmin either.

The Richard's solution can work for you too. You can create a random long password in DirectAdmin for an user, and never use it. Then create a KEY for the user in DirectAdmin with a desired password. A combination of username/KEY can be used for an authentication in DirectAdmin only, it can not be used for FTP, SSH, SMTP, POP, IMAP.

 

[Richard G]

The Richard's solution can work for you too.

How about what I just wrote, unselecting changing the DA password? Why is that not visible in Evo anymore like in Enhanced?

 

[zEitEr]

How about what I just wrote, unselecting changing the DA password?

In a certain moment one can end with "WTF, why my password does not work any longer?" And then they will reset the password (and directadmin will update it for all related services), that's why I personally don't like this approach.

 

[Richard G]

that's why I personally don't like this approach.

I understand. But it is still possible right? That's why I'm wondering why this option is working, but seems missing from Evo skin (unless I don't look correctly).

 

[zEitEr]

But it is still possible right?

Yes, it is possible to have a different password for a FTP account. One can use CLI/SSH to update/lock a FTP password for an account.

 

[Richard G]

One can use CLI/SSH to update/lock a FTP password for an account.

I can change a main FTP password via Enhanced by de-selecting directadmin password in that page. Did they remove that option in Evo?

 

[zEitEr]

Did they remove that option in Evo?

To answer this question one would need to go through all release notes of Evolution skin. You are welcome)
One thing I'm sure about, is that Evo skin does not have the option on the user level.

 

[johannes]

I cant find differentiated pw change option in Evo, as it was earlier possible to set them different for DA and FTP. Badly. Neither as user in the profile settings, nor as admin, editing the user (on Tab Modify). I want this feature back though..

 

[Richard G]

One thing I'm sure about, is that Evo skin does not have the option on the user level.

Thank you. I just wanted the confirmation that it was not mee just not seeing it through all the options but it's indeed not present.

I want this feature back though..

Yes me2. Because in some cases for admin or reseller this is a nice option.

 

[Richard G]

Just checked the Changelog and only can find in 1.25.1 which says:

Change main ftp account password with DA password. This will keep the 2 passwords in sync. Ability to change the ftp password independently will remain, so the user can still use a different ftp password if he/she wishes. If they want to do that and they change their DA pass, then they'll need to reset the ftp password to the different value.

Ability to change independently will remain, it's not in Evo. Maybe @fln can explain why not, or maybe forgotten to put in there?

 

[johannes]

Hmm, maybe because its possible, to change the main ftp user pw in the ftp management? But then its still unclear to me, if there is a difference, if i set a new user pw, either in the user managment as admin, or as user in the profile edits, if this works just for DA, or for both, DA & FTP.

 

[Richard G]

to change the main ftp user pw in the ftp management?

In Evo that links to the users password section if I'm correct, so that would be both DA & FTP.

 

[johannes]

In Evo that links to the users password section if I'm correct, so that would be both DA & FTP.

then its even more confusing

i hope too, @fln can bring some clarity in this

 

[ViAdCk]

No. I don't know how this is done in Evo skin. But in Enhanced skin, you can change the FTP password and de-select the Directadmin password, just as admin and reseller can and then only the FTP password is changed.

I don't see an option to deselect Directadmin in Evo skin, either it's missing or I don't see it, I normally don't use Evo. Just because of these things.

Thanks for the info. Disabling the main ftp account, just as you can do with additional ftp accounts, would be the best option.

But at least being able to assign a different password to the main ftp account as the enhanced skin offers could be an alternative (a bit sloppy though).

 

[zEitEr]

Hire an admin then, who can disable the FTP account in CLI, or create POST/PRE scripts for it.