how do i create an ftp user using ssh

Posted on 2005-04-12
Last Modified: 2008-03-17
I am using pico to connect to my remote server.  How can I create an ftp user with all privileges to a certain folder which houses my website, so that I can connect through dreamweaver to the files?

Question by: foreverdita
    LVL 12

    Expert Comment

    in order to create a user on a system, you have to have root privileges. do you have the root password for the remote system? also, what kind of machine is it?
    LVL 12

    Expert Comment

    root cannot ssh

    Nor should it.

    Use any other name and give the appropriate permissions.  There is a good reason why root cannot log in to an ssh shell; most of CVS and other development is done using ssh and root is far too dangerous to allow a remote login.

    Even if you have the root password for the remote system, you should not be able to log in, it will be logged and alerted to the root administrator, and you're headed for problems.

    However you do it, using Samba, Webmin, whatever, you should read up on ssh.

    Many of these will allow you to alter root for login, but it is not a good idea.  You can use either the addgroup and adduser command, or KDE with KUser and set up both the group and the user, then direct to whichever folder it is and set its permissions accordingly.

    For a website, read Apache documentation.  There are hundreds of ways to use the Directory directive, and others, to set access, even to various parts of the website.  Because it is Apache httpd job to do this, it should be done with Apache howto's.  You can cause a login prompt to restricted directories, etc..

    Both https and ftps use ssh to access a secured web site.

    https and ftps should ask for a username and password, always, remember password should be disallowed, always.

    Some tips to keep in mind.
    LVL 12

    Expert Comment

    GinEric - where do you get your information?

    "root cannot ssh"

    Sorry, but this is not necessarily true. The ability to access a system remotely as the root user is determined by the configuration of SSHD.

    "Both https and ftps use ssh to access a secured web site"

    Sorry, but this is absolutely WRONG. https and ftps have NOTHING TO DO with ssh. SFTP uses ssh while https/ftps use SSL.

    "most of CVS and other development is done using ssh"

    Nope. Wrong again. CVS has its own protocol.

    Regardless of your SSHD configuration, Webmin uses the root user by default. You have to go out of your way to turn access for that account off.

    I'm pretty sure that having only remote access to the machine via ssh (which I'm trying to figure out how pico fits into the mix), you aren't running KDE at all. So, those thoughts aren't helpful.

    And, how is it helpful to make a configuration change to the web server when the author wants a user to have ftp access? Even still, you NEED ROOT PRIVILEGES TO DO THIS.

    People come here for guidance, answers, and useful information. There is little in your post that comes close to any of those three.
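    The comment above says remote root login is decided by the sshd configuration. As an added example (not part of the thread), the script below reads the effective PermitRootLogin value out of an sshd_config file and shows the one trap worth knowing: sshd takes the first value it finds for a keyword, so appending "PermitRootLogin no" below an earlier "PermitRootLogin yes" changes nothing. The sample configs are constructed here, the reader ignores Match blocks and Include directives, and on a live host "sshd -T | grep -i permitrootlogin" is the authoritative check.

```bash
#!/bin/sh
# Added example, not from the original thread. Reads the effective
# PermitRootLogin setting from an sshd_config-style file. sshd uses the
# FIRST value it finds for a keyword, so a "PermitRootLogin no" appended at
# the end of the file is ignored if an earlier line already says "yes".
# Toy reader: ignores Match blocks and Include directives. On a live host,
# "sshd -T | grep -i permitrootlogin" prints what sshd actually uses.

set -eu

# Print the first uncommented PermitRootLogin value in FILE (lowercased), or
# "unset" if the keyword is absent before any Match block. When unset, the
# compiled-in default applies: "yes" before OpenSSH 7.0, "prohibit-password"
# from 7.0 onward.
permit_root_login() {
    awk '
        /^[[:space:]]*#/ || NF == 0        { next }   # skip comments and blanks
        tolower($1) == "match"             { exit }   # conditional blocks: stop
        tolower($1) == "permitrootlogin"   { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Constructed sample configs (assumption: not taken from any real host).
write_samples() {
    dir=$1
    # Common mistake: "no" appended below an earlier "yes" -- the "yes" wins.
    printf '%s\n' 'Port 22' 'PermitRootLogin yes' 'PasswordAuthentication yes' \
        'PermitRootLogin no' > "$dir/appended.conf"
    # Corrected: the only active line says no; the shipped hint stays commented.
    printf '%s\n' '#PermitRootLogin prohibit-password' 'PermitRootLogin no' \
        'PubkeyAuthentication yes' > "$dir/hardened.conf"
    # Nothing set at all: the version-dependent default applies.
    printf '%s\n' 'Port 22' > "$dir/default.conf"
}
```

    Usage: `permit_root_login /etc/ssh/sshd_config`. If it prints "yes", root can log in over ssh with a password regardless of what any later line in the file says; fix the first occurrence rather than appending another.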
    LVL 23

    Accepted Solution

    Please note, GinEric's remarks are very misleading: there is some truth to it, but
    the inaccuracy overwhelms the truth, and indeed you shouldn't need to
    "log in as root" to gain root access via SSH, a standard approach for
    remote administration is what I will describe: root can SSH, but generally
    you will have to start logging in as another user (or at least use RSA authentication)
    for most hosts; there are configurations that prevent root from logging in directly
    (to SSH) and they are becoming popular, but they are non-standard in nature:

    If you have root access, then after logging in as a normal user with ssh,
    when you need to do something as root (like what I will present next)
    type at the command prompt:

    su -

    You will be prompted for the root password.  Enter it at that point.

    Next add the user account you want using  the 'useradd' command

    useradd <username>

    On some Linux systems this will be called 'adduser', or something else,
    but on most popular distributions useradd should work.

    1. Now create a special group for that user...  I am assuming you want
    to create an additional user other than your main one, and you might prefer
    to keep another user as owner (and/or enable other users to write to the directory)

    groupadd <groupname>

    To add the user to the group

    gpasswd -a <username> <groupname>

    Again these commands are non-standard but available on most popular distributions.
    If not, then you can try editing /etc/group    using your favorite text editor, be it nano,
    pico, etc

    2. Change the group ownership of the special directory to that group.

    chgrp groupname /path/to/your/web/directory

    3. Enable write permissions

    chmod g+rw /path/to/your/web/directory

    4. Do steps (2) and (3) for any file in the directory, or if you prefer

    use the -R  option to recursively adjust the permissions of all files
    and subdirectories below the destination

    chgrp -R groupname /path/to/your/web/directory
    chmod -R g+rw /path/to/your/web/directory
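
    The accepted answer's steps, collected into one script as an added example (not the answerer's own code). It assumes a Linux host with shadow-utils (useradd, groupadd, gpasswd) and GNU coreutils (stat -c); the user and group names in the usage line are hypothetical. Two details go beyond the answer: a directory without group execute cannot be entered and "chmod -R g+rw" does not add it, so the script uses g+rwX (execute on directories only); and it sets the setgid bit on directories so files the FTP user uploads later belong to the shared group instead of that user's primary group. The same account also works for SFTP over the ssh service that is already running, which avoids sending the password in the clear the way plain FTP does.

```bash
#!/bin/sh
# Added example, not from the original thread. Puts the accepted answer's
# steps (su -, useradd, groupadd, gpasswd -a, chgrp, chmod) into functions.
# Assumes Linux with shadow-utils and GNU coreutils (stat -c). The account
# step must run as root (after "su -"). The permission step additionally
# sets setgid on directories and uses +X rather than +x so the group can
# traverse directories without every data file becoming executable.

set -eu

# Create GROUP and USER (home set to DIR, where an FTP login lands), then
# add USER to GROUP. Reuses an existing group or user instead of failing.
create_web_user() {
    user=$1; group=$2; dir=$3
    [ "$(id -u)" -eq 0 ] || { echo "create_web_user: run as root (su -)" >&2; return 1; }
    getent group "$group" >/dev/null || groupadd "$group"
    id "$user" >/dev/null 2>&1 || useradd -M -d "$dir" "$user"
    gpasswd -a "$user" "$group"
    passwd "$user"          # set the FTP/SFTP password interactively
}

# Hand DIR and everything under it to GROUP with read/write access.
# g+rwX: read/write everywhere, execute only on directories (and on files
# that are already executable). g+s on directories: files created later by
# any member belong to GROUP, so the web server and the FTP user keep
# sharing access instead of drifting to the uploader's primary group.
grant_group_write() {
    dir=$1; group=$2
    chgrp -R "$group" "$dir"
    chmod -R g+rwX "$dir"
    find "$dir" -type d -exec chmod g+s {} +
}

# Verification helpers (GNU stat): symbolic mode and group name of a path.
mode_of()  { stat -c '%A' "$1"; }
group_of() { stat -c '%G' "$1"; }
```

    Usage, as root, with hypothetical names: `create_web_user webdita webteam /var/www/site` then `grant_group_write /var/www/site webteam`. Afterwards `mode_of /var/www/site` should show `drwxrwsr-x` (the `s` is the setgid bit) and `group_of` should report `webteam`; the ftp daemon's own configuration (chroot, allowed users) is a separate step not covered in this thread.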
    LVL 12

    Expert Comment

    mburdick and mysidia

    If either of you had ever read through, Linux, or tried to ssh to them or CVS, you would know that both are done using ssh.  If either of you ran Linux over the past 20 years, or Unix before that, you would know that root is by default not allowed remote login.  Just because a few amateurs have come along over the past 40 years and altered the basic defaults and access to the root user, does not change the accepted standards.

    Secure Shell and Secure Sockets Layer are interdependencies, unless you break them by using something else, something perhaps less secure.  OpenSSL is the accepted Apache standard and if you looked at the source code you'd see that ssh is tied to Secure Sockets Layer.

    How is it that you tell the public I'm wrong, and then give the same answer "user a different username?"  mysidia "If you have root access, then after logging in as a normal user with ssh,"  that is what I said, it still equates with "login as another user, other than root."  You give the same advice, and then lambast me for giving it, while petting your ego?

    What assumptions lead either of you to believe that he is not using KDE?

    I would suggest that if you're going to give credible advice, there is no need to fabricate opinions that are not conducive to respectful conduct.  This :

    "Please note, GinEric's remarks are very misleading: there is some truth to it, but
    the inaccuracy overwhelms the truth, and indeed you shouldn't need to
    "log in as root" to gain root access via SSH,"

    alone shows a complete contradiction by its author, first he says it's not true, and or misleading, and then he says it's true; what we call, at the Pentagon, a statement of confused credible deniability.

    In the end, there was no need to denigrate anyone else to gain your points.  You both have placed Experts Exchange in a rather bad and cliquish light of common flamethrowing.

    I log into CVS, SourceForge, and plenty of other places using ssh, everyday.  None of them will allow root login.

    LVL 12

    Expert Comment

    Using SSH and requiring SSH are two different things.

    As for root not being allowed SSH access by default - YOU ARE WRONG. In the original releases of Linux that only had telnet services installed, root was allowed to telnet in. When SSH hit the scene, it was the same way. Only in the past few years have distros eliminated the telnet services by default and have started moving TOWARD a unified front of no root over SSH by default. By and large, root access via SSH as a default is totally dependent on your distribution.

    Let's see. The author specifically stated that the need was to create a user via SSH. Since you have to be reasonably knowledgeable about X-Windows, KDE, SSH and port forwarding, VNC, and about thirty other things in order to run KDE apps over SSH, I believe it was a REASONABLE conclusion to draw that KDE was not being used.

    Mysidia's comments about your post are accurate. You don't need to log in as root through SSH. You might be able to, you might not. But SSHD is not allowed *ONLY* for root.

    On another note: "If either of you ran Linux over the past 20 years".  Hmm. I doubt you've been using it that long. In fact, I doubt Linus has been using it that long.

    Your comments are not based in fact. They are based in conjecture, personal experience, and personal preference. And, that's all evidenced by your ranking. When you move up 1500 slots in the expert rankings and approach myself or Mysidia, maybe then I'll give you more credibility.

    I'm done.
    LVL 12

    Expert Comment

    Yes, you're done flaming for the day Mr. Burdick.  And I am quite finished with being the target.  Please refrain from this in future.

    "The author specifically stated that the need was to create a user via SSH."  no he did not.  He asked how to "create an ftp user with all privileges to a certain folder which houses my website" quite simply, which could have been answered much quicker had the question not been diverted to one of ssh.

    The simple answer was to use KUser, create a group ftpusers and a user within that group having permissions to this isolated directory.  It's also faster than command lines, particularly for newbies.  Examples of using adduser and addgroup, or useradd and groupadd [this too depends on the distribution and is based in the old Unix run system makeuser and other command line commands that I prefer not to list here] also could have been given.  I provided advice on his security practices, that's all, and nearly all professionals will agree with what I said because it is "their" agreed upon policy, i.e., the policy at SourceForge and CVS, and among network administrators.

    If he meant a secure ftp connection was required, again, there was no need to bother ssh as he could simply require that ftps be used.

    Publishing to a website can be accomplished in many ways, even https, which is preferred by some people.

    They all revolve around OpenSSL today.  And that requires ssl, which in turn uses some form of ssh, a secure shell.  The common element being the public and private key pair.  And these are all related, regardless of the argument to the contrary.

    Considering that he or she was using pico and dreamweaver, the answers I gave were oriented toward being done quickly for someone who seemed to be new, and to advise of some major weaknesses in the past practices of other administrators; remote root login has always been a weakness that has been exploited many times.

    The two of you attacked me, openly, and in public, period.

    Am I supposed to allow this?  I don't think so.  The first and last sentences of your first post mburdick were "direct personal attacks" against me.  They had little or nothing to do with the posted question.  mysidia followed your lead in his first sentence, apparently influenced by your remarks.  I have had nothing negative or derogatory to say about either of your opinions or persons.  I wish that you would show others the same kind of respect which is shown to you.

    I don't care about points.  I am here doing research for some of my books.  But it is simply poor behavior and perhaps plagiaristic to gain any advantage in points through the unacceptable practice of attacking others to gain such points.  It's simply bad form [bad manners].  And you thereby have forced people to defend themselves.  That is the normal response to an attacker, to defend oneself.  No one likes being forced into this position.

    However, being forced to defend myself, I do feel some rebuttal to your remarks is necessary, at least so that others won't think your opinion of me is valid.

    Obviously, you do not know who I am.

    The points are rather nice of Experts Exchange, however, they are not to be confused with credentials.  Nor should anyone be judged by them.  If you looked a little deeper, i.e., did your research, you would have seen that while you have gained your points in the last two and one-half years, I have gained half of what you have in one month, more or less.  And that without much effort.  I bring that up only to put a rein on your approach of using personal attacks where they are neither called for nor desired.

    When Linus Torvalds began work on Linux, I had already finished design on both the world's largest and fastest commercial computer and its number one Operating System, number one, in the entire world, and was the person most responsible for making it work.  My colleagues, teachers, and University of Pennsylvania tutors were J. Presper Eckert and John Mauchly, whom you may have heard of.  They taught people like Ken Thompson, Dennis Ritchie, and Grace Hopper.  You may also have heard of them.  You may have heard also that they taught most of the big names in computing at M.I.T.  I taught bachelors, masters, and doctors, from M.I.T., Harvard, and the University of Pennsylvania and Drexel University, as well as other universities, both hardware design and software design.

    While Andrew Tanenbaum may disagree with Linus Torvalds about some things, they do agree he used minix while creating Linux, and they are not enemies, but professionals who refrain from namecalling.

    Although Linus may have started in 1991 to emulate Unix and Minix, he was not the only one to do so.  Many, many other people had been doing the same thing since easily twenty years earlier.  Linus had one advantage, he was in Helsinki, Finland, where his work progressed without much attention from various copyright and patent owners, who stood in the way of the work of others, especially in the United States and the rest of Europe.  Indeed, Eckert and Mauchly themselves had at least once been railroaded by the corporations that did not want to see any such thing as Open Source, namely, the U.S. Army and its "friendly" corporate companions.  But this did not deter others from developing Operating Systems equal to Linux, Unix, and Minix.  And C itself was an emulation of Algol, according to Dennis Ritchie himself.

    According to Thompson, Unix was an emulative effort of the Eckert and Mauchly MCP [Master Control Program], with all of its varied structures, including shells and command line and other interpreters.  When the two were combined, Unix and C, as any version of gcc and Linux, they were an emulation of the work of the original teams at the Moore School of Engineering at the University of Pennsylvania.  These teams knew full well about the attempts to squash this "open thought, Open Source" approach of the professors because they had been forced to resign for not signing over the patents for Eniac to the Army.

    I could cite many more, also colleagues, inventors of things from styrofoam to lasers.  All of whom had problems with the U.S. government, and especially its army, on who owned the rights to the ideas that individual inventors had authored.

    To thwart these attempts, many inventors sought double protection by copyrighting their respective writings on these so-called patentable ideas.  Copyright supersedes and pre-empts patent law if the copyright existed before the patent.  Copyright is granted to the original author.  Original Author Copyright and Patent is required to be by a human being, as collectives, corporations, and other non-human entities do not enjoy Constitutional protection because it is written for human beings and individuals.  This was the wisdom of the Founding Fathers in Philadelphia, Pennsylvania, where the country was founded and the computer invented.

    It is also where both computer hardware and software began.

    Because of the inherent desire for Freedom Of Expression and open discussion and exchange of ideas, the people here support the Open Source concept.  And they do so without attacking and antagonizing others.  Perhaps it is the Quaker influence of Friends here that has developed their openness to others, but it is tradition here to respect others, and refrain from denigrating and attacking them on a personal basis.  Manners and professional conduct are expected here.  The worst thing you can probably do to a Philadelphian is to imply or insinuate that they are either stupid or ignorant, because they are not.  And you never know who you may be talking to or talking about, do you?

    Please do not make such personal attacks in future, try to refrain from oneupmanship, and show some respect.

    Think before you write, and reread what others say so that you understand it before replying.
