topic Re: help with ftp server. in Operating System - HP-UX

help with ftp server.

antonio elder prado — Sun, 20 Jun 2004 16:06:08 GMT

Hi, I have read the ftp server builds on this forum. However what I do need is the follow: a. have a ftp for user to log from outside.
b. each user would have his own dirs and can not browser anybody else.
c. I do not have any firewall protection.
d. instead of anonymous I would like each user to have their own login/passwd.
e. chroot is a must to the user's dirs - under ftp.

can somebody give me some light on how to build such server with these specs.

thank you in advance.

./antonio/.

Re: help with ftp server.

Rgomes — Sun, 20 Jun 2004 23:53:31 GMT

Solution:

**Install latest version ftp ( wu-ftpd, software.hp.com).

Solution

Use this procedure to configure the new ftpd:

Note: A user will not have the ability to travel anywhere outside
of his home directory on the system. Setting up a bogus
shell with exit 0 as the contents will cause the connection
of a user to be immediately terminated if the user attempts
to telnet into the system.

1. Configure the ftpaccess file:

a. cd /etc/ftpd
b. cp -p /usr/newconfig/etc/ftpd/ftpaccess .
c. vi ftpaccess. At the bottom of the file there is a guestgroup
directive 'guestgroup ftponly'.
i. Either change that group designation to one you already
have or keep that designation.
ii. If you are keeping the ftponly group, then create that
group on your system.

2. Modify the /etc/inetd.conf file to enable the use of the ftpaccess
file:

a. vi /etc/inetd.conf
b. Add the -a flag to the ftp daemon.
c. ftp stream tcp nowait root /usr/lbin/ftpd ftpd -a -l

4. Make inetd re-read its configuration:

inetd -c

5. Create a bogus shell for users that will only have FTP access to
the system:

a. vi /usr/bin/ftpshell
b. exit 0
c. chmod 555 /usr/bin/ftpshell
d. chown bin:bin /usr/bin/ftpshell

6. Create an /etc/shells file:

a. vi /etc/shells
b. Include these lines in the file:
/sbin/sh
/usr/bin/ksh
/usr/bin/sh
/usr/bin/csh
/usr/bin/rsh
/usr/bin/rksh
/usr/bin/keysh
/bin/sh
/bin/ksh
/bin/csh
/bin/rsh
/bin/rksh
/usr/bin/ftpshell

7. Now add a user to the system. Use a group that is 'ftponly' and
make the user's shell /usr/bin/ftpshell.
8. Use SAM to limit the user to his home directory by setting up the
directory in this form:
/home/username/./

Note: The /./ is the important key here. When the ftpd verifies a
user's login, it checks and sees that the user is a member of
the 'guestgroup' ftponly. It then examines the home directory
and, if it sees a /./ in the path, it will then perform a chroot
to that directory. Therefore, when that user FTPs into the
system, their home directory will appear as the / directory.

9. Provide the user with an ls command:

a. cd /home/username
b. mkdir usr
c. mkdir usr/bin
d. cp -p /sbin/ls usr/bin
e. chown -R bin:bin usr
f. chmod -R 555 usr

10. Test to verify.

regards,
Richard

Re: help with ftp server.

Rgomes — Mon, 21 Jun 2004 00:02:11 GMT

1. Under WU-FTPD, you cannot login by userid 'root' by default. If you want to then you will have to remove the user name 'root' from /etc/ftpd/ftpusers file.

2. You can increase security by adding username and corresponding IP address of that user's PC/workstation in /etc/ftpd/ftphosts.

regards,
Richard

Re: help with ftp server.

antonio elder prado — Mon, 21 Jun 2004 11:16:18 GMT

hi guys,

all seems OK, except that I cannot ftp in . when I try this is the message.

Connected to hpqa08.
220 hpqa08.tidalsoft.COM FTP server (Revision 1.003 Version wuftpd-2.6.1 Thu Aug 7 06:14:59 GMT 2003) ready.
Name (hpqa08:root): tunin
331 Password required for tunin.
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

from the /var/adm/syslog...>
un 21 09:11:40 hpqa08 ftpd[2040]: FTP LOGIN REFUSED (shell not in /etc/shells) FROM hpqa07.tidalsoftware.com [10.10.20.52], tunin
Jun 21 09:12:10 hpqa08 ftpd[2040]: FTP session closed

tells me that there is no shell on /etc/shells.

but there is...
# cat /etc/shells
/sbin/sh
/usr/bin/ksh
/usr/bin/sh
/usr/bin/csh
/usr/bin/rsh
/usr/bin/rksh
/usr/bin/keysh
/usr/bin/ftpshell
/bin/sh
/bin/ksh
/bin/csh
/bin/rsh
/bin/false
#

and from the /etc/passwd | grep tunin

tunin:SiPAaCcnqjhgg:104:39:tunin chrrot ssh:/new-root/home/tunin/./:/usr/bin/ftpshell

and yes the file exists.
# ls -lt /usr/bin/ftpshell
-r-xr-xr-x 1 bin bin 26 Jun 21 08:46 /usr/bin/ftpshell
#

thanks once again.

ps. this drives me nuts. :)

Re: help with ftp server.

Sridhar Bhaskarla — Mon, 21 Jun 2004 11:28:49 GMT

Hi,

Unless you are running a very old patched version of HP-UX, it's FTP comes with ftpaccess and you can applying the above chroot'ing procedure without wu-ftp.

Try with default ftp. You will need to add "-a" flag to enable the use of ftpaccess.

-Sri

Re: help with ftp server.

antonio elder prado — Mon, 21 Jun 2004 11:48:55 GMT

HI,

out of desperation I did remove the ftp-user from /etc/passwd and did enter "exactly the same line" . and guess what it now works with flaw. pwck comes clean and ftp goes to where it should .

go figure...

thank you all for the help.

./antonio/.

Re: help with ftp server.

clement_10 — Mon, 05 Jul 2004 11:43:24 GMT

apart from the standard ftp, hp has additional software that would be of greate help in you senerio.

you need to get the software apply it.

you need to comment the standard ftp service on the /etc/inetd.conf and use the addon HP FTP server.