
FTP anonymous only, no account holders please

I had a client request that an anonymous FTP service be configured on their Leopard server. I did this, but had a concern that users with accounts on the server might try to connect. This would be highly undesirable; FTP, as we all know, is an insecure protocol that sends credentials in the clear. So how to allow anonymous access only, but deny account holders with valid credentials?

I tried to configure the /Library/FTPServer/Configuration/ftpusers and ftpaccess files, but that didn't seem to work. And the accounts, actually, are not local to the machine; they're referenced from an external OpenLDAP directory. It seems that tnftpd is not clever enough to pay attention to local Open Directory groups populated with entities from external directory systems.

I thought I could do something clever with SACLs, but it's either allow or deny-by-implication; that is, if I allow everyone access to FTP, as is necessary in this situation, I can't explicitly exclude members of the staff. SACLs don't have a "deny" function (at least as far as I can tell).

Then I thought about adding ACLs to the sharepoints, but again, I can't put people in a deny group called "no_ftp_people" and put the same people in an allow group "access_via_afp". Besides, that's a lot of group management fuss, even with nesting.

Forget about using TCP Wrappers to deny 171.64.0.0/14, or using ipfw: there are some users on campus who need anonymous access.

Finally, it dawned on me. I had tried to make a Kerberized FTP service before (and gave up). If I set the required authentication method to Kerberos, every password-based login from an account holder would fail. Only anonymous read-only access would be allowed, and no passwords sent over the tubes.
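As an added check (my own example, not part of the original post): a small Python audit that confirms anonymous login still works and that a throwaway test account with a known password is refused. It runs here against a constructed stand-in server that behaves the way the Kerberos-only service should; in practice you would point audit() at the real host and port instead.

```python
import ftplib
import socketserver
import threading


class AnonOnlyStandIn(socketserver.StreamRequestHandler):
    """Constructed stand-in (not tnftpd): accepts only anonymous/ftp logins."""
    def handle(self):
        self.wfile.write(b"220 stand-in ftpd ready\r\n")
        user = None
        while True:
            line = self.rfile.readline()
            if not line:
                return
            verb, _, arg = line.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user = arg
                guest = user in ("anonymous", "ftp")
                self.wfile.write(b"331 Guest login ok, send e-mail as password.\r\n" if guest
                                 else b"530 Password logins not offered; use Kerberos.\r\n")
            elif verb == "PASS":
                guest = user in ("anonymous", "ftp")
                self.wfile.write(b"230 Guest login ok.\r\n" if guest else b"530 Login incorrect.\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 Goodbye.\r\n")
                return
            else:
                self.wfile.write(b"502 Not implemented.\r\n")


def start_stand_in():
    """Start the stand-in on a loopback port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), AnonOnlyStandIn)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def password_login_accepted(host, port, user, password):
    """True only if the server accepted a cleartext USER/PASS login."""
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=5)
    try:
        ftp.login(user, password)       # raises error_perm on a 5xx reply
        return True
    except ftplib.Error:
        return False
    finally:
        try:
            ftp.quit()
        except (ftplib.Error, OSError):
            ftp.close()


def audit(host, port, test_accounts, test_password):
    """Anonymous must be accepted; every throwaway test account must be refused."""
    anon_ok = password_login_accepted(host, port, "anonymous", "audit@example")
    leaks = [u for u in test_accounts if password_login_accepted(host, port, u, test_password)]
    return anon_ok, leaks
```

A non-empty leaks list means the service still accepts a password over the wire, which is exactly the situation the Kerberos-only setting is meant to rule out.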

(Eventually, I want to figure out how to use an external KDC keytab with an FTP service principal on a Mac server, but that's for another day.)



This page contains a single entry from the blog posted on November 20, 2008 3:09 PM.
This weblog is licensed under a Creative Commons License.