Using ncftpd_passwd
The ncftpd_passwd utility program is used to create and modify
NcFTPd Password Databases. These databases are not regular
text files like /etc/passwd, so a separate program is needed to
manage them. The files are kept in a binary format rather than a
human-readable one because one of the advantages of using a file other
than /etc/passwd is performance: an indexed database file is very efficient
to read, while the /etc/passwd file must be scanned sequentially.
A database file can handle a large number of users without any noticeable
performance degradation.
The files themselves are required to be owned by root and have
mode 0600 (no read or write permission for group or public).
This is required because the databases contain the encrypted passwords.
Having the encrypted password publicly available can be a security risk,
which is why most modern UNIX systems have moved the
encrypted passwords out of the /etc/passwd file into a separate
file (often called the shadow password file).
You can still use ncftpd_passwd as non-root, but NcFTPd
will not use password database files until they conform to the requirements
listed above.
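The ownership and mode requirement above is easy to get wrong after copying or restoring a database, and NcFTPd will silently stop using a file that no longer conforms. The following added example (not part of the NcFTPd distribution or this page) checks a database file the same way: regular file, owned by root, mode exactly 0600. The expected owner is a parameter only so the check can be tried as a non-root user on a scratch file; make_sample_db creates such a constructed scratch file and is not a real database.

```python
import os
import stat
import sys
import tempfile

REQUIRED_MODE = 0o600  # no group or public access, as NcFTPd requires


def check_pwdb_perms(path, expected_uid=0):
    """Return the reasons NcFTPd would refuse the password database at 'path'.

    An empty list means the file is a regular file owned by 'expected_uid'
    (root, uid 0, by default) with mode 0600.  The owner is a parameter only so
    the check can be exercised by a non-root user on a scratch file.
    """
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    if st.st_uid != expected_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected uid {expected_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode != REQUIRED_MODE:
        problems.append(f"{path}: mode is {mode:04o}, expected {REQUIRED_MODE:04o}")
    return problems


def make_sample_db(mode):
    """Create a scratch file with the given mode (a constructed sample, not a
    real database) and return (path, owner uid) so the check can be tried."""
    with tempfile.NamedTemporaryFile(prefix="passwd.db.", delete=False) as f:
        path = f.name
    os.chmod(path, mode)
    return path, os.getuid()


if __name__ == "__main__":
    # Usage: python check_pwdb.py /usr/local/etc/ncftpd/pwdb/passwd.db ...
    # With no arguments, a world-readable scratch file is checked instead.
    for p in sys.argv[1:] or [make_sample_db(0o644)[0]]:
        issues = check_pwdb_perms(p)
        print(f"{p}: OK" if not issues else "\n".join(issues))
```

Run it against the database path named in your domain.cf after any copy, restore or backup job; a non-empty result means NcFTPd is not using that file.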
Creating and removing databases
To create a database you simply use the utility with the add user operation
described below. The database file will be created for you automatically
if it did not exist. To delete a database, you can simply remove
it with /bin/rm.
Record format
The user entries are identical to the lines in the /etc/passwd
file with one exception: the group field is a comma-delimited list of group
IDs. Therefore, the records look like this:
username:password:UID:GIDs:Real Name:directory:shell
Example:
mgleason:75hv0xCjznz1U:500:600,700,701,702:Mike Gleason:/home/mgleason:/bin/ksh
This user has user ID 500, home directory of /home/mgleason, primary
group ID of 600, and membership in supplementary group IDs 700, 701, and
702.
Important:
When this user logs in, he will have the actual UNIX
privileges associated with user ID 500 and group IDs 600, 700, 701, 702.
Even though the user does not exist in the /etc/passwd file, as far as
the system is concerned this user can modify anything those privileges allow.
Adding users
To add a user, run the program specifying the database file with the -f
flag, and the complete user record specified by the -a flag.
Since the user record may have whitespace in it, use your shell's quote
characters appropriately.
Example 1: Add the mgleason user above, into a
database named /usr/local/etc/ncftpd/pwdb/passwd.db.
root# ncftpd_passwd -f /usr/local/etc/ncftpd/pwdb/passwd.db \
    -a "mgleason:75hv0xCjznz1U:500:600,700,701,702:Mike Gleason:/home/mgleason:/bin/ksh"
It is inconvenient to use some other program to create the encrypted password
based off of the cleartext password, so you can use the -c flag
to tell the utility to encrypt the contents of the password field for you
before adding the record.
Example 2: Add the mgleason user above, setting
the password to secret.
root# ncftpd_passwd -f /us.../passwd.db \
    -c -a "mgleason:secret:500:600,700,701,702:Mike Gleason:/home/mgleason:/bin/ksh"
If you want to create a user whose user ID is identical to that of an existing
user in the /etc/passwd file, you may use that user's name instead of looking
up the user ID manually. Similarly, you may substitute group names for group
IDs and the utility will look them up for you.
Example 3: Add the mgleason user above, with user
and group name replacement.
root# ncftpd_passwd -f /us.../passwd.db \
    -a "mgleason:75hv0xCjznz1U:mikegl:users,admin,dev,ops:Mike Gleason:/home/mgleason:/bin/ksh"
Changing users
Modifying a user entry is the same as adding a new one, except you need
to use the update flag (-u), instead of the add flag (-a).
Example: Change the password for mgleason to myxlplxx
(using the -c flag also).
root# ncftpd_passwd -f /us.../passwd.db \
    -c -u "mgleason:myxlplxx:mikegl:users,admin,dev,ops:Mike Gleason:/home/mgleason:/bin/ksh"
Querying users
To print the record for a user, specify the user name with the -q
flag along with the database.
Example: Query mgleason's record.
root# ncftpd_passwd -f /usr/local/etc/ncftpd/pwdb/passwd.db -q mgleason
User: mgleason
Encrypted password: 75hv0xCjznz1U
UID: 500
GID: 600
Supplementary GIDs: 700, 701, 702
GECOS: Mike Gleason
Home directory: /home/mgleason
Shell: /bin/ksh
Deleting users
To remove a user's record, specify the user name with the -d flag
along with the database.
Example: Delete mgleason's record.
root# ncftpd_passwd -f /usr/local/etc/ncftpd/pwdb/passwd.db \
    -d mgleason
Printing the entire database
You may use the export flag (-e) to convert a database into a
textual format.
Example: Dump the entire passwd.db database.
root# ncftpd_passwd -f /usr/local/etc/ncftpd/pwdb.db -x
pgleason:ldDbXYr308x.w:502:600,700:Patrick Gleason:/home/pgleason:/bin/tcsh
jgleason:OvHSMCPLgL6bA:501:600:Jimmy Gleason:/home/jgleason:/bin/bash
mgleason:75hv0xCjznz1U:500:600,700,701,702:Mike Gleason:/home/mgleason:/bin/ksh
Importing records
You can add records in batch mode by creating an import file and using
the import flag (-i). You can also use the -c flag
and user name and group name replacement when you import the records.
Example:
root# cat new.txt
mmgleason:unUuvgMaz/h76:696:33,31:Michelle Gleason:/home/mmgleason:/bin/ksh
ccw:cohBaSYXLIMZ2:296:37,32:Dawn Gleason:/home/ccw:/bin/ksh
dgleason:vFSZRNvPk4qFI:894:34,26:Dani Gleason:/home/dgleason:/bin/ksh
root# ncftpd_passwd -f /usr/local/etc/ncftpd/pwdb/passwd.db -i new.txt
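Because an imported record hands out real UNIX privileges (see the note under "Record format"), it pays to lint an import file before running -i. The added example below is not NcFTPd code; it parses records in the seven-field format described above, performs the same user-name and group-name replacement the utility does (through the system pwd and grp databases), and reports records that would grant UID 0 or GID 0, duplicate user names, empty password fields and non-absolute home directories. The SAMPLE_IMPORT text and the SAMPLE_NAMES table are constructed for the demonstration; the account names in them are hypothetical.

```python
import grp
import pwd
import sys
from dataclasses import dataclass


@dataclass
class PwdbRecord:
    name: str
    password: str   # encrypted, or cleartext if the record will be added with -c
    uid: int
    gids: list      # primary GID first, then the supplementary GIDs
    gecos: str
    home: str
    shell: str


def system_lookup(kind, name):
    """Resolve a user or group name through the system databases, mirroring the
    utility's name replacement for the UID and GIDs fields."""
    try:
        if kind == "user":
            return pwd.getpwnam(name).pw_uid
        return grp.getgrnam(name).gr_gid
    except KeyError:
        raise ValueError(f"unknown {kind} name {name!r}") from None


def _resolve(kind, token, lookup):
    token = token.strip()
    return int(token) if token.isdigit() else lookup(kind, token)


def parse_record(line, lookup=system_lookup):
    """Parse one username:password:UID:GIDs:Real Name:directory:shell record."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(fields)}")
    name, password, uid, gids, gecos, home, shell = fields
    if not name:
        raise ValueError("empty user name")
    if not gids:
        raise ValueError(f"{name}: group list is empty")
    return PwdbRecord(name, password, _resolve("user", uid, lookup),
                      [_resolve("group", g, lookup) for g in gids.split(",")],
                      gecos, home, shell)


def lint_records(records):
    """Flag records that would grant more UNIX privilege than a virtual FTP user
    should hold (UID 0 / GID 0), plus duplicates and suspicious fields."""
    findings, seen = [], set()
    for r in records:
        if r.name in seen:
            findings.append(f"{r.name}: duplicate user name")
        seen.add(r.name)
        if r.uid == 0:
            findings.append(f"{r.name}: UID 0, the login would run with root privileges")
        if 0 in r.gids:
            findings.append(f"{r.name}: member of GID 0")
        if r.password == "":
            findings.append(f"{r.name}: empty password field")
        if not r.home.startswith("/"):
            findings.append(f"{r.name}: home directory {r.home!r} is not absolute")
    return findings


def lint_import_file(text, lookup=system_lookup):
    """Parse an import file; return (records, findings) including per-line errors."""
    records, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            records.append(parse_record(line, lookup))
        except ValueError as e:
            errors.append(f"line {n}: {e}")
    return records, errors + lint_records(records)


# Constructed sample import file and name table (hypothetical accounts), so the
# example runs offline without those users or groups existing on this host.
SAMPLE_NAMES = {("user", "mikegl"): 500, ("group", "users"): 600, ("group", "admin"): 700}
SAMPLE_IMPORT = """\
mgleason:75hv0xCjznz1U:mikegl:users,admin:Mike Gleason:/home/mgleason:/bin/ksh
oops:x:0:600:Bad Idea:/home/oops:/bin/sh
mgleason:75hv0xCjznz1U:500:600:Mike Gleason:/home/mgleason:/bin/ksh
broken:x:501:600:Too Few Fields
"""


def sample_lookup(kind, name):
    if (kind, name) not in SAMPLE_NAMES:
        raise ValueError(f"unknown {kind} name {name!r}")
    return SAMPLE_NAMES[(kind, name)]


if __name__ == "__main__":
    # Usage: python lint_pwdb_import.py new.txt   (no argument: lint the sample)
    if len(sys.argv) > 1:
        recs, findings = lint_import_file(open(sys.argv[1]).read())
    else:
        recs, findings = lint_import_file(SAMPLE_IMPORT, sample_lookup)
    print(f"{len(recs)} record(s) parsed")
    for f in findings:
        print("  " + f)
```

With a real import file the default system_lookup is used, so the name replacement fails loudly on the same names the utility would not be able to resolve; fix every finding before passing the file to -i, since the database itself offers no further check.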
Importing the /etc/passwd file
You may elect not to use /etc/passwd at all in favor of using
just password databases, but you may want to load all the users from it
into a database. When you use the special -I flag, the /etc/passwd
file is imported. The special treatment is that the encrypted passwords
are taken from the shadow password file (if needed), and the group field
is built from the /etc/group file.
Example:
root# ncftpd_passwd -f /usr/local/etc/ncftpd/pwdb/passwd.db \
    -I
Tips
- For sites with a large number of users, use a password database for performance.
- For small sites with no need for virtual users, use /etc/passwd
  instead of a password database.
- You may share password databases for different domains.
- Avoid using too many databases in your passwd configuration option
  line in your domain.cf file to prevent unwanted disk accesses.
- You can share a user ID for restricted virtual users whose directory trees
  do not overlap. You may want to create a real user named virtual
  in the /etc/passwd file, and use that same user ID over and over
  again for your virtual users.
- Virtual users improve system security by removing the threat of that user
  ID being able to really log in. See the chapter on User
  Management for more information about virtual users.
- You can modify the databases while NcFTPd is running, and the
  changes you make take effect immediately for new logins.