User Management
Anonymous users
Traditionally there have always been two sets of FTP users, anonymous
users and the rest -- the non-anonymous users. Anonymous users
are typically those from outside your network who visit your site to download
files your site has made available to the public. These users log in
to an FTP server with the username anonymous and, as a common courtesy,
use their e-mail address as their password. The FTP server then gives
them access to a file area set aside for public access.
Non-anonymous users
The non-anonymous users are those who have real accounts on the FTP server
machine (i.e. they have accounts in /etc/passwd).
These users have access to the entire filesystem (because
they have it when they log in and use the machine itself), and they typically
use FTP just for copying files to and from the machine for their personal use.
Restricted users
With the advent of the world-wide-web, it is now common for users to never
need to actually log in to an FTP server machine, even though the user has a real
account on the machine. These user accounts serve only as a drop-off
point for data files used by other processes on the server machine, such
as an HTTP server. Internet Service Providers (ISPs) often create
user accounts on the server machine, and require that the user use FTP
to manage their web document tree, instead of logging into the machine
directly.
For these types of users, NcFTPd offers a feature called restricted
users, which are users that have a special restriction applied to them.
The most common restriction is to confine users to their home directories,
so they would not be able to use FTP to download /etc/passwd
or upload to /tmp, for example.
As of version 2.8.1 of NcFTPd, all users are restricted to their
home directories by default, but you can change this behavior if you want
a more traditional UNIX FTP setup.
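The home-directory restriction described above amounts to a path check like the one below. This is an added illustration in Python, not NcFTPd's code or its actual mechanism; the function name resolve_restricted and the directory tree built in demo() are constructed for the example.

```python
import os
import tempfile


def resolve_restricted(home, cwd, requested):
    """Map a client-supplied FTP path to a real path inside `home`.

    `cwd` is the session's virtual working directory ("/" is the home dir).
    Raises PermissionError if the resolved target lies outside `home`.
    """
    home_real = os.path.realpath(home)
    # Treat the home directory as the root of the client's view: an absolute
    # request such as /etc/passwd means <home>/etc/passwd, and ".." cannot
    # climb above "/" once the path is normalised.
    virtual = os.path.normpath(os.path.join("/", cwd, requested))
    candidate = os.path.join(home_real, virtual.lstrip("/"))
    # Symlinks inside the home directory can still point elsewhere, so
    # resolve them and re-check containment on the real path.
    real = os.path.realpath(candidate)
    if os.path.commonpath([home_real, real]) != home_real:
        raise PermissionError(f"{requested!r} resolves outside the home directory")
    return real


def demo():
    """Run the check over a constructed directory tree (sample data only)."""
    base = os.path.realpath(tempfile.mkdtemp())
    home = os.path.join(base, "home", "alice")      # constructed user home
    outside = os.path.join(base, "tmp")             # stands in for /tmp
    os.makedirs(os.path.join(home, "public_html"))
    os.makedirs(outside)
    os.symlink(outside, os.path.join(home, "escape"))
    results = {}
    for cwd, path in [("/", "public_html/index.html"),
                      ("/public_html", "../../../etc/passwd"),
                      ("/", "/etc/passwd"),
                      ("/", "escape/upload.bin")]:
        try:
            results[path] = os.path.relpath(resolve_restricted(home, cwd, path), home)
        except PermissionError:
            results[path] = "DENIED"
    return results


if __name__ == "__main__":
    for path, outcome in demo().items():
        print(f"{path:28} -> {outcome}")
```

Requests for /etc/passwd land on a path under the user's home rather than the system file, and the upload through the symlink is refused because its real target is outside the home directory.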
Separate password databases and virtual users
Non-anonymous users and restricted users still require the creation of
a real user account. NcFTPd also lets you create and manage
your own NcFTPd Password Databases whose sole purpose is for FTP
login authentication. You will often create accounts in a password
database that also exist in the system's regular /etc/passwd file,
but the real power and flexibility comes from being able to create additional
accounts that exist only in a NcFTPd password database. Users
that exist in a password database but not in /etc/passwd are
called virtual users.
Reasons you will want to use virtual users:
- Security: users cannot telnet in using that account.
- Manageability: Your /etc/passwd is not cluttered with a
  large number of accounts that really don't use the machine.
  You also don't have to go through the regular setup process of creating
  a real user account.
- Performance: User authentication using the /etc/passwd
  degrades with a large number of accounts because the entire file must be
  sequentially scanned, while a password database is indexed for speed.
You can use a NcFTPd password database as a replacement or a supplement
for your /etc/passwd. For each domain hosted by the machine,
you can have NcFTPd configured to check different or shared password
databases, with or without the /etc/passwd, and in any order.
Since NcFTPd does not require any supplementary files in the
FTP directory, it's painless to set up a new user -- you just use the
ncftpd_passwd utility program to add a user to a password database
(and make sure that their directory exists).
Virtual users emulate real users, but by default they are restricted
to their designated directory. This differs from regular users, who
are only restricted if they are a member of a restricted group you create.
Configuring NcFTPd
Now that you understand the various user types that NcFTPd
supports, you will want to know how to set up the server
for the user types you want.