topic Re: How create user with only FTP access in Operating System - HP-UX

How create user with only FTP access

Abdullah_2 — Sun, 13 Jul 2003 09:25:38 GMT

Dear All,

Hi ,
I would like to create a user with only FTP privilege, so he can not use any application like telnet or any thing else.

I would prefer to create a group called FTP with this privilege but acctually i do not know how to do it?

Kind Regards

Re: How create user with only FTP access

twang — Sun, 13 Jul 2003 10:20:23 GMT

Take a look at the whitepaper from HP:
Setting up restricted user accounts with FTP DocId: KBRC00008355 Updated: 10/30/01 12:24:00 PM

PROBLEM
How can I restric certian users to one directory though ftp?RESOLUTION
The new version of FTP is supplied to HP-UX 11.00 through patch PHNE_14479
and this must be installed on your system. Please check the release notes
provided at /usr/share/doc/RelNotes_newftp.txt for further information on
the enhancements provided by this FTP revision.

There are three kinds of logins provided wu-ftp;
* anonymous FTP
* real FTP
* guest FTP

The focus of this document is how to setup a 'guest' ftp account to get
around the sublogin problems encountered with HP-UX 11.00.

Guest accounts require explicit user entries in the system /etc/passwd
file but performs a chroot to a designated directory, thus maintaining
integrity.

Steps to be followed;

1. Make the edits to the /etc/passwd file

ftpguest:4rL2HZkDatENY:505:125::/home/ftp/ftpguest/./:/usr/bin/false
^^^
- '.' Is the delimiter to determine where the chroot will be performed. In
this example, after logging in '/' will in effect be /home/ftp/ftpguest.
If the delimiter was placed between ftp and ftpguest then '/' would be
/home/ftp ftpguest was used as the account name in this example but you
could use any name you like.

2. /usr/bin/false will have to be added to the /etc/shells file.
See man(4) shells for further details

3. Make the edits to the /etc/group file

ftpgroup::125:ftpguest

- Create and set the permissions and ownership for the directory
(/home/ftp/ftpguest) to what suits you best.

4.
Add an entry into the ftpaccess file. This file will most probably have to
be copied from the /usr/newconfig/etc/ftpd/ftpaccess to /etc/ftpd/ftpaccess.

Add a guestgroup entry (in the /etc/ftpd/ftpaccess file) to allow a group
of users to be treated as 'guests'. This entry will correspond to the entry
in the /etc/group file. Here is a sample of the ftpaccess file to use guest
groups.

# specify which group of users will be treated as "guests".
guestgroup ftpgroup

5. Edit the /etc/inetd.conf file and add the '-a' option to enable ftpd to
use the ftpaccess file. Here is an example;

ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -a

You will need to reconfigure inetd by running /usr/sbin/inetd -c to
reread the /etc/inetd.conf file after making the change.

6. Since this is similar to anonymous FTP in the respect that you are in a
chrooted area (the path to / is different than on your system) you will
also have to replicate the /usr/bin and /etc directories. The easiest way
to do this is to use SAM to create an anonymous FTP setup and then replicate
the /etc & /usr/bin directories into your ftp guest root directory. Here
is an example of how you would replicate the ~ftp/usr and ~ftp/etc directory
to your new ftp guest directory. We use the ftpguest user in this example.

cp -R ~ftp/usr ~ftpguest/usr
cp -R ~ftp/etc ~ftpguest/etc

At this point you should have the files and programs needed for your
ftpguest user.

** This is dependent upon where the '.' delimiter has been positioned. If
the delimiter is positioned prior to the ftp username then only the root
directory (/home/ftp) needs to contain a /usr & /etc directory structure.
If the delimiter is placed post the username then each individual user
will require this directory structure.

** NOTE: When providing the 'ls' command, use /sbin/ls, not /usr/bin/ls.

7. Another thing I noticed is that you must touch the file /etc/ftpd/ftpgroups.
If you do not, you will see messages in syslog.log indicating that ftpd could
not stat this file.

Re: How create user with only FTP access

Balaji N — Sun, 13 Jul 2003 10:50:25 GMT

hi

this is what we do for ftp only users.

1. create a new user with /usr/bin/passwd as the shell.

2. add /usr/bin/passwd to /etc/shells. ftpd checks this.

3. when the user wants to change his password, he telnets to the system. the system prompts for old password and once he sets the new password the shell exits.

hth
-balaji

Re: How create user with only FTP access

Zeev Schultz — Sun, 13 Jul 2003 11:25:35 GMT

man ftpusers , ftpaccess
also nice feature is to create /bin/noshells
put inside a line like:
echo "Sorry,not a login shell!\n"
exit 0
And use it in /etc/passwd.
Again,this user would be able to use rexec,
which I'd rather disable at all in /etc/inetd.conf.

Re: How create user with only FTP access

Steven E. Protter — Sun, 13 Jul 2003 11:30:49 GMT

I think the too suggestions above are great. I'd like to add two cents of refinement.

By setting the shell at creattion time to the ftp shells or the rsh shell, it is possible to set up a user that can only do ftp and telnet, the two least secure protocols I can think of(passwords across the public Internet in Clear text....eeeekers).

Setting up a system whereby passwords are maintained with a system that transmits these password across the internet in clear text is insecure.

Thy PuTTY program is free and nicely handles ssh(Secure Shell) connections in a windows environment. If you are just starting off, you should consider installing Secure Shell 3.50 in your HP-UX box and at least require the password change process to occur in an encrypted environment.

Secure shell
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA

Better still would be learning the basics of setting up a secure passord maintenance environment that is integrated with the Apache web server.

User password maintenance can then be done with ssl in an encrypted way.

This search contains interesting information with regards to the web server portion of the question.

http://us-support.external.hp.com/emse/bin/doc.pl/sid=729c1abe0c2f430ce8?todo=search&searchtext=ssl++htaccess+apache&x=20&y=2&searchtype=SEARCH_TECH_DOCS&searchtype=SEARCH_MANUAL&searchtype=SEARCH_FORUMS&searchcategory=ALL&rn=25&presort=rank

As does this paper book:
Practical Unix & Internet Security
Garfinkel & Spafford

Its handed out as part of HP's Practical Network Security Course, which I highly recommend.

SEP

Re: How create user with only FTP access

Caesar_3 — Sun, 13 Jul 2003 19:07:31 GMT

Hello!

Use the chroot that will execute the ftp in the
end.
Made the user home dir with the ftp and
the files that needed like /etc/services
that will have only port for ftp
When user will log in he will automaticly enter
to ftp.

Caesar

Re: How create user with only FTP access

Fragon — Mon, 14 Jul 2003 01:32:34 GMT

Hi,
Create a new user usr01.
Modify the user's default shell to /usr/bin/false in /etc/passwd , last field.
Make a file "/etc/shells" , keep these entries:
/usr/bin/false
/sbin/sh
/usr/bin/sh
/usr/bin/csh
/usr/bin/ksh

Then the user can't use telnet but can su.

-ux