topic Re: setting up ftp access in Operating System - HP-UX

setting up ftp access

Peter Gillis — Wed, 19 Mar 2003 02:06:32 GMT

Hi,
opsys=ux 11.00

I need to setup our system so that there is only one user allowed to ftp to our system.

I have read previous forum messages and followed some of the instructions. The following is one particular:

1)load in [PHNE_23949/PACHRDME/English] (or latest ftp/ftpd). This patch resolves a couple of issues with ftpaccess.

2) create a user via SAM (eg. user= test1 group= none)

3) This user has ONLY ftp access, so it would be wise to code the start-up program as /usr/bin/false

4) For the home directory, specify /home//. eg: /home/test1/./ (explanation in man ftpaccess)/etc/passwd looks like test1:qXznDQ1RUwqZ6:115:20:,,,:/home/test1/./:/usr/bin/false **ignore the error with SAM not being able to create a /. directory.

5) all other questions in SAM are as per normal.

6) ensure that /usr/bin/false is also coded in a file /etc/shells

7) then edit-create the file /etc/ftpd/ftpaccess to have these lines: class all test1,guest * <-- line#1
guestgroup none <-- line#2
limit all 5 Any /no-more-ftp-access <-- line#3 noretrieve /etc/passwd core <-- line#4

with #chmod 444 ftpaccess
#chown bin:bin ftpaccess

Explanation:

line#1 : 'class' is a verb 'all' is a class of users; you can call it anything you like. 'guest' is a verb ???test1??? is the user name '*' is the range of users allowed to ftp into the machine. You can restrict this further if you want to. Do a man ftpaccess

line#2 : 'guestgroup' is a verb : 'none' is the group name of the users that have been coded via SAM (see /etc/group to find out what group that has)

line#3 : 'limit' is a verb 'all' as per line#1,the class of users. '5' is the number of ftp sessions; in this case its five. You can change it to any number of your choice. 'Any' , do a man ftpaccess for explanation '/no-more-ftp-access' is a filename that contains a message to be displayed when the limit is reached.

line#4 : types of files to restrict

8) then edit /etc/inetd.conf to add in '-a' argument for ftpd; thus: ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -a

9) inetd -c (to re-read the configuration file)

10) Create the following subdirecties and files: a. ~test1/usr #chown ???R bin:bin usr #chmod 555 usr b. ~test1/usr/bin #chown root bin #chmod 555 bin #cp -p /sbin/ls ~test1/usr/bin/ls

11) The ~test1/usr/bin/ls allows the use of the 'ls' command in ftp to find out the files that are present in their directory.

12) test to verify

Now no one can ftp to this machine.
CAn some one tell me what it is I missed?

Thanks
Maria.

Re: setting up ftp access

Steven E. Protter — Wed, 19 Mar 2003 02:23:18 GMT

The ftpaccess file is a stop access file. Make sure your one intended user who is supposed to have access is not in that file.

If I understand your information correctly your ftp user is listed which would deny access.

SEP

Re: setting up ftp access

Peter Gillis — Wed, 19 Mar 2003 03:29:06 GMT

Steve, I am confused. If this is a stop access file why is line 1 in the access file all about the username and the guests being the ones allowed to ftp into the machine?

I read in the man ftpaccess that if class is not defined correctly access is denied. Should a 'class' be defined somewhere else, or is it the line in this file starting : class all test1,guest * ?

Is there such a thing as ftp.allow file? where is it supposed to be ?

Hope you can still help me here?
thanks so far.
Maria

Re: setting up ftp access

S.K. Chan — Wed, 19 Mar 2003 03:45:36 GMT

Take the example from this thread instead.
http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xdacea1abbac8d5118ff10090279cd0f9,00.html
Hope this helps ..

Re: setting up ftp access

john korterman — Wed, 19 Mar 2003 10:35:28 GMT

Hi Maria,
point no. 7 of your configuration may not be straight by the book; the man page for ftpaccess prescribes the following syntax for a "class" line:
class class typelist addrglob [ addrglob ... ]
qoute from the manpage:
typelist is a comma-separated list of any of the
keywords anonymous, guest and real.
unqoute
Therefore using test1 there may cause problems.

In order to obtain your obejctive I suggest that you include test1 in a group, in which he is the only member, and then - by ftpaccess - configure that only this group can ftp to the system.
This can be achieved by first including test1 in a new group, e.g. "ftponly"
Then replace the actions under point no. 7 by first copying /usr/newconfig/etc/ftpd/ftpaccess to /etc/ftpd/ftpaccess. Then modify in /etc/ftpd/ftpaccess the existing line:
class remote real,guest,anonymous *

to:
class remote guest *

Near the bottom of /etc/ftpd/ftpaccess there should be a the line starting with guestgroup:

guestgroup ftponly

If not as above, change it into that.
The first change should allow only what is considered a "guest" to ftp to your system. The guestgroup line should enable that a member of ftponly is considered as a "guest".
Then execute inetd -c to re-read the configuration.

regards,
John K.