where <n> is the number of attempts. For example, the following line disconnects a user from the FTP server after three failed attempts:
loginfails 3
You might find it convenient to share files with other users via FTP without having to place the file in a fully public location or having to give these users a real account on the server. Clients use the SITE GROUP and SITE GPASS commands to change into privileged groups that require a password.
For your FTP server to support this capability, you need to set the private flag using the command
private <switch>
where <switch> is either the string YES to turn it on or NO to turn it off.
Because you need to require passwords for these special groups, you need to use the /etc/ftpgroups file. The format of an access group in /etc/ftpgroups is
access_group_name:encrypted_password:real_group
where access_group_name is the name that the client uses to reference the special group, encrypted_password is the password users need to supply (via SITE GPASS) to access the group, and real_group is the actual group referenced in the /etc/group file.
TIP
To create the encrypted_password entry, use the UNIX crypt function. To make generating the encrypted password easier, use the following Perl script:
#!/usr/bin/perl
print "Enter password to encrypt: ";
chomp($password = <STDIN>);   # read the password and strip the trailing newline
# crypt() takes the salt as its second argument; this script uses the password itself as the salt
print "The encrypted password is: ", crypt($password, $password);
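Because a malformed /etc/ftpgroups entry silently breaks SITE GROUP/SITE GPASS (or, worse, leaves a group reachable without a password), it is worth checking the file before enabling the private flag. The following Python script is an added example, not part of wu-ftpd or of the original text: it parses the access_group_name:encrypted_password:real_group format described above, cross-checks real_group against an /etc/group file, and reports entries with a missing password field or a hash that does not look like the 13-character crypt(3) output the Perl tip produces. The file contents embedded in it are constructed samples, and the assumption that the server expects classic 13-character crypt(3) strings is the example's own.

```python
"""Sanity-check /etc/ftpgroups entries against /etc/group.

Added example (not wu-ftpd code). It parses the
access_group_name:encrypted_password:real_group format and reports
lines that would fail, or weaken, SITE GROUP / SITE GPASS handling.
"""
import re

# Constructed sample files (not taken from a real system).
SAMPLE_FTPGROUPS = """\
# comment lines and blank lines are skipped
devteam:ab3Xk9qZtY8Rc:developers
partners:x7.fQw2LmNpTU:partners
broken-line-without-fields
nopass::developers
ghost:aaFgH1jKl2MnO:nosuchgroup
"""

SAMPLE_GROUP = """\
root:x:0:
developers:x:1001:alice,bob
partners:x:1002:carol
"""

# Assumption: the server uses traditional crypt(3) DES hashes,
# i.e. 2 salt characters + 11 hash characters from the set [./0-9A-Za-z].
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def parse_group_names(group_text):
    """Return the set of group names defined in /etc/group-style text."""
    names = set()
    for line in group_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        names.add(line.split(":", 1)[0])
    return names


def check_ftpgroups(ftpgroups_text, group_text):
    """Return a list of (line_number, problem) tuples; an empty list means every entry looks usable."""
    real_groups = parse_group_names(group_text)
    problems = []
    for lineno, raw in enumerate(ftpgroups_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            problems.append((lineno, "expected 3 colon-separated fields, got %d" % len(fields)))
            continue
        access_name, pw_hash, real_group = fields
        if not access_name:
            problems.append((lineno, "empty access_group_name"))
        if not pw_hash:
            # An empty password field is the dangerous case: the group may become reachable without SITE GPASS.
            problems.append((lineno, "empty encrypted_password (group would need no SITE GPASS)"))
        elif not DES_CRYPT_RE.match(pw_hash):
            problems.append((lineno, "encrypted_password is not a 13-character crypt(3) string"))
        if real_group not in real_groups:
            problems.append((lineno, "real_group %r not present in /etc/group" % real_group))
    return problems


if __name__ == "__main__":
    for lineno, msg in check_ftpgroups(SAMPLE_FTPGROUPS, SAMPLE_GROUP):
        print("ftpgroups line %d: %s" % (lineno, msg))
```

Run it against the real files by reading /etc/ftpgroups and /etc/group into the two arguments; on the constructed sample it reports the field-count, empty-password and unknown-group lines and accepts the two well-formed entries.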
It is often useful to provide messages to FTP users when they connect to your site or specify a special action. These commands allow you to specify these instances as well as the corresponding messages. Using them is a great way to make your site self-documenting.
The banner command allows you to display a sign onscreen before the client has to provide a login and password combination. The format of this command is
banner <path>
where <path> is the full pathname of the file you want to display. Consider this example:
banner /home/ftp/.banner
The email command allows you to specify the site maintainer's e-mail address. Some error messages or information requests provide the information given in this line on demand. The default value in the /etc/ftpaccess file is root@localhost.
The format of the email command is
email <address>
where <address> is the full e-mail address of the site maintainer.
Creating an e-mail alias "FTP" that forwards to the system administrators is generally good practice. Providing this kind of information in the sign-on banner is also a good idea so that users know whom to contact if they cannot log in to the system.
The message command allows you to set up special messages to be sent to the clients when they either log in or change into a certain directory. You can specify multiple messages. The format of this command is
message <path> <when> {<class> ...}
where <path> is the full pathname to the file to be displayed, <when> is the condition under which to display the message, and <class> is a list of classes to which this message command applies.
The <when> parameter should take one of two forms: either LOGIN or CWD=<dir>. If it is LOGIN, the message is displayed upon a successful login. If the parameter is set to CWD=<dir>, then the message is displayed when clients enter the <dir> directory.
The <class> parameter is optional. You can list multiple classes for a certain message. This capability is useful if you want only certain messages going to anonymous users and so on.
The message file itself (specified by <path>) can contain special flags that the FTP server substitutes with the appropriate information at runtime. These options are as follows:
Option | Description |
%T | Local time |
%F | Free space in the partition where <dir> is located |
%C | Current working directory |
%E | Site maintainer's e-mail address (specified by the email command) |
%R | Client hostname |
%L | Server hostname |
%U | Username provided at login time |
%M | Maximum number of users allowed in the specified class |
%N | Current number of users in specified class |
Remember that when messages are triggered by an anonymous user, the message path needs to be relative to the anonymous FTP directory.
An example message command is
message ./.toomany_anon LOGIN anonfolks
where the file ./.toomany_anon contains
Sorry %R, but there are already %N users out of a maximum of %M users in your class. Please try again in a few minutes. The FTP Administrator (%E)
If the limit of 25 users is reached at this site, for example, the client sees a message similar to the following:
Sorry, technics.domain.com, but there are already 25 out of a maximum of 25 users in your class. Please try again in a few minutes. The FTP Administrator (ftp@domain.com)
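To make the message machinery concrete, here is an added Python example (not wu-ftpd's own code and not from the original text) that models the two pieces described above: selecting which message directives fire for a LOGIN or a CWD into a given directory, honouring the optional class list, and expanding the %-flags in a message file. The ftpaccess fragment, message files, hostnames and class names inside it are constructed samples; the handling of %% as a literal percent sign and of unknown flags is this example's own choice, not documented server behaviour.

```python
"""Model wu-ftpd-style message directives and %-flag expansion.

Added example, not wu-ftpd code. It handles
    message <path> <when> {<class> ...}
where <when> is LOGIN or CWD=<dir>, and substitutes the
%T %F %C %E %R %L %U %M %N flags in the message file.
"""
import shlex

# Constructed sample /etc/ftpaccess fragment (only the directives this example reads).
SAMPLE_FTPACCESS = """\
email ftp@example.invalid
message ./.toomany_anon LOGIN anonfolks
message /home/ftp/.welcome LOGIN
message .cwd_pub CWD=/pub anonfolks staff
"""

# Constructed message file contents, keyed by the path used in ftpaccess.
SAMPLE_MESSAGE_FILES = {
    "./.toomany_anon": ("Sorry %R, but there are already %N users out of a maximum of %M users "
                        "in your class. Please try again in a few minutes. The FTP Administrator (%E)"),
    "/home/ftp/.welcome": "Welcome to %L, %U. Local time is %T.",
    ".cwd_pub": "Now in %C with %F bytes free.",
}


def parse_message_directives(text):
    """Return (email, directives); each directive is a dict with path, when and classes."""
    email = "root@localhost"  # default given in the text
    directives = []
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if not parts:
            continue
        if parts[0] == "email" and len(parts) == 2:
            email = parts[1]
        elif parts[0] == "message" and len(parts) >= 3:
            # Anything after <when> is the optional class list; empty means "all classes".
            directives.append({"path": parts[1], "when": parts[2], "classes": parts[3:]})
    return email, directives


def applicable_messages(directives, event, cwd, user_class):
    """Return the message paths that fire for event 'LOGIN' or 'CWD' (into cwd) for user_class."""
    chosen = []
    for d in directives:
        if d["classes"] and user_class not in d["classes"]:
            continue
        if event == "LOGIN" and d["when"] == "LOGIN":
            chosen.append(d["path"])
        elif event == "CWD" and d["when"] == "CWD=" + cwd:
            chosen.append(d["path"])
    return chosen


def expand_message(template, values):
    """Replace %<flag> using values (keys T, F, C, E, R, L, U, M, N).

    Example's own conventions: '%%' becomes a literal '%', unknown flags are left as-is.
    """
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch == "%" and i + 1 < len(template):
            flag = template[i + 1]
            if flag == "%":
                out.append("%")
                i += 2
                continue
            if flag in values:
                out.append(str(values[flag]))
                i += 2
                continue
        out.append(ch)
        i += 1
    return "".join(out)


if __name__ == "__main__":
    email, directives = parse_message_directives(SAMPLE_FTPACCESS)
    # Constructed runtime values for an anonymous login into a full class of 25.
    runtime = {"T": "Mon Jan  1 12:00:00", "F": 123456789, "C": "/", "E": email,
               "R": "technics.domain.com", "L": "ftp.example.invalid", "U": "anonymous",
               "M": 25, "N": 25}
    for path in applicable_messages(directives, "LOGIN", "/", "anonfolks"):
        print(expand_message(SAMPLE_MESSAGE_FILES[path], runtime))
```

Because the class list on a directive is what keeps a "too many users" notice from reaching real users, the selection function is the part worth testing: a login in class anonfolks receives both LOGIN messages, a login in any other class receives only the unrestricted welcome, and the CWD message fires only on CWD=/pub for the two listed classes.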
The readme command allows you to specify the conditions under which clients are notified that a certain file in their current directory was last modified. This command can take the form
readme <path> <when> <class>
where <path> is the name of the file to alert the clients about (for example, README), <when> is similar to the <when> in the message command, and <class> is the classes for which this command applies. The <when> and <class> parameters are optional.
Remember that when you're specifying a path for anonymous users, the file must be relative to the anonymous FTP directory.
As with any complex network service, security quickly becomes an issue. In order to contend with possible threats, tracking connections made along with the corresponding commands is a necessity. The following commands allow you to determine how much, if any, logging should be done by the server software.