
I would appreciate it if anybody can advise me whether the following FTP configuration is possible. I need a range of read-only users that follow this pattern:

(_[0-9]{15})

e.g., _012345678901234, that will use the same password, without creating all possible combinations. The use case is the following: we provision devices and they use FTP to download new versions of firmware. In the log I can see both the username and the password used to download files. The main goal is to have the device serial number in the log.

I did not find a way to specify a wildcard for the username. Currently we have anonymous access only, but it's obviously not good enough.

ruruskyi

1 Answer


In ProFTPD there is no straightforward way to specify a wildcard for a username. However, you can use mod_sql to authenticate your users and customize the queries used to get user info.

Example of custom queries, taken from the ProFTPD docs:

SQLAuthenticate users groups usersetfast
SQLUserInfo custom:/get-user-by-name/get-user-by-id/get-user-names/get-all-users
SQLNamedQuery get-user-by-name SELECT "userid, passwd, uid, gid, homedir, shell FROM users WHERE userid = '%U'"
SQLNamedQuery get-user-by-id SELECT "userid, passwd, uid, gid, homedir, shell FROM users WHERE uid = %{0}"
SQLNamedQuery get-user-names SELECT "userid FROM users"
SQLNamedQuery get-all-users SELECT "userid, passwd, uid, gid, homedir, shell FROM users"

In your case, the get-user-by-name query could look something like:

# The part after the last '_' contains no underscore, so the serial check is anchored to 15 digits only
SQLNamedQuery get-user-by-name SELECT "'%U', passwd, uid, gid, homedir, shell FROM users WHERE userid = SUBSTRING_INDEX('%U', '_', 1) AND SUBSTRING_INDEX('%U', '_', -1) RLIKE '^[0-9]{15}$'"

Please note that this is not a tested solution, just an idea of one possible way this could be achieved.

grekasius
  • In theory, with some DNS providers I should be able to define a wildcard A or CNAME record to resolve *.ftp.company.com to ftp.company.com or an IP address. The question is: can I configure logging in proftpd somehow to write the host name used to access the FTP service to the log? I know there would be a problem, as I cannot have a wildcard host name in /etc/hosts. – ruruskyi Jul 22 '14 at 17:21
  • ProFTPD, and FTP for that matter, is not aware of hostnames. Read [this](http://www.proftpd.org/docs/howto/DNS.html). – grekasius Jul 22 '14 at 17:35
  • Did you consider using HTTP instead? – grekasius Jul 22 '14 at 17:37
  • Unfortunately HTTP isn't an option; FTP is already in place on embedded devices. Is it possible to define 100,000 aliases for the same FTP user in the config file, e.g., _00000, _00001, ..., _99999? – ruruskyi Jul 22 '14 at 22:30
  • I'm not aware of any limit on the number of user aliases. You can test that fairly easily, though. In any case, such a solution would be a nightmare to manage and wouldn't scale well. I would rather try to utilize `mod_sql` or implement a custom authentication module. – grekasius Jul 23 '14 at 14:02
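As an added illustration of the mod_sql approach (not code from the answer above or from the ProFTPD project), here is a MySQL schema in the shape SQLUserInfo expects and the lookup mod_sql would run once %U has been substituted with a login of the form `<shared account>_<serial>`. The account name `fwdownload`, the uid/gid, the path and the sample serial are constructed, and the serial check is anchored as `^[0-9]{15}$` because the text after the last underscore cannot itself contain an underscore.

```sql
-- Added example, not part of the original answer: a MySQL table with the
-- columns ProFTPD's SQLUserInfo expects (userid, passwd, uid, gid, homedir, shell).
CREATE TABLE users (
    userid  VARCHAR(32)  NOT NULL PRIMARY KEY,
    passwd  VARCHAR(128) NOT NULL,  -- crypt(3) hash that mod_sql verifies the password against
    uid     INT UNSIGNED NOT NULL,
    gid     INT UNSIGNED NOT NULL,
    homedir VARCHAR(255) NOT NULL,
    shell   VARCHAR(64)  NOT NULL
);

-- A single shared row serves every device; the per-device serial exists only
-- in the login name. Account name, uid/gid, home directory and hash are constructed.
INSERT INTO users (userid, passwd, uid, gid, homedir, shell) VALUES
    ('fwdownload', '<crypt-hash-placeholder>', 2001, 2001, '/srv/ftp/firmware', '/sbin/nologin');

-- get-user-by-name as mod_sql runs it for the login fwdownload_012345678901234:
-- the first column echoes the full login name so the serial shows up in the
-- server log, while credentials and home directory come from the shared row.
SELECT 'fwdownload_012345678901234' AS userid, passwd, uid, gid, homedir, shell
  FROM users
 WHERE userid = SUBSTRING_INDEX('fwdownload_012345678901234', '_', 1)
   AND SUBSTRING_INDEX('fwdownload_012345678901234', '_', -1) RLIKE '^[0-9]{15}$';

-- A malformed serial (too short here) fails the RLIKE test, so the WHERE clause
-- matches no row and mod_sql treats the login as an unknown user.
SELECT 'fwdownload_0123' AS userid, passwd, uid, gid, homedir, shell
  FROM users
 WHERE userid = SUBSTRING_INDEX('fwdownload_0123', '_', 1)
   AND SUBSTRING_INDEX('fwdownload_0123', '_', -1) RLIKE '^[0-9]{15}$';

-- Without a separator, SUBSTRING_INDEX(..., '_', -1) returns the whole login
-- name 'fwdownload', which is not 15 digits, so the bare account name cannot log in.
SELECT 'fwdownload' AS userid, passwd, uid, gid, homedir, shell
  FROM users
 WHERE userid = SUBSTRING_INDEX('fwdownload', '_', 1)
   AND SUBSTRING_INDEX('fwdownload', '_', -1) RLIKE '^[0-9]{15}$';
```

Note that with the bare `_<serial>` login from the question, SUBSTRING_INDEX(..., '_', 1) is the empty string, so this scheme presumes the login carries an account prefix before the underscore.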