topic Re: Creating a highly restricted FTP user account in Operating System - HP-UX

Creating a highly restricted FTP user account

Donald Osbourne — Thu, 09 May 2002 18:26:53 GMT

Please advise on the most secure method or steps in creating a user account strictly for the purpose of receiving a weekly file transfer from a remote server. The user should have the following restrictions, security is a real issue:

-Must be password protected
-Must be restricted to its login directory
-Local login should also be highly restrictive
-Unable to execute any primary or privileged commands

Thanks

Re: Creating a highly restricted FTP user account

Ricardo Bassoi — Thu, 09 May 2002 18:37:08 GMT

You need to create a group only for ftp
access at /etc/group.
After you create the group you must add a new user to your system and after this associate this new user with the ftp group at /etc/passwd:
ftpusr:fzWDa.lw6Y11w:204:105::/in/smp/charging/./:/usr/bin/ftpshell

You must to observe that you can restrict
the ftp to the dir /in/smp/charging/./

You also need to configure your ftpaccess file at the /etc path

This user use the shell /usr/bin/ftpshell that has no cmds. You can create a new shell just doing a vi /user/bin/ftpshell and inserting the line exit 0.
You need to change the owner.group to bin.bin
With this shell you cannot execute a login via shell only via FTP

To restrict the user to a path you can install the wu-ftpd that you can find at
http://www.wu-ftpd.org

Hope this help.

Regds,

Bassoi

Re: Creating a highly restricted FTP user account

Sachin Patel — Thu, 09 May 2002 18:40:10 GMT

Hi donald,
use setting 'ftpaccess' config. There is a man page for this.
#man ftpaccess

1. edit the /etc/passwd file by adding users:

ftpguest:adjf+ke:505:125::/home/ftp/ftpguest/./:/usr/bin/false

'.' is the delimiter to determine where the chroot will be performed. In
this example, after logging in '/' will in effect be /home/ftp/ftpguest.
If the delimiter was placed between ftp and ftpguest then '/' would be
/home/ftp. In sort he can't performe cd .. from home.

2.
/usr/bin/false will have to be added to the /etc/shells file for shell restriction.
See man(4) shells for further details.

Search forum for Restriction on ftp.

Sachin

Re: Creating a highly restricted FTP user account

S.K. Chan — Thu, 09 May 2002 18:54:09 GMT

This is from Technical DB. Example of creating a ftp account to only allow the user to be in his directory and restrict to only 5 ftp sessions and cannot retrieve system files (eg: /etc/passwd). As you can see you can do your own customization along the way.

1) Make sure you have the latest ftp/ftpd patches

2) Create user via SAM (eg. user= test1 group= none)

3) This user has ONLY ftp access, so it would be wise toc ode the start-up program as /usr/bin/false

4) For the home directory, specify /home//.
test1:qXznDQ1RUwqZ6:115:20:,, :/home/test1/./:/usr/bin/false

**ignore the error with SAM not being able to create a /. directory.

5) All other questions in SAM are as per normal.

6) Ensure that /usr/bin/false is also coded in a file /etc/shells

7) Then edit-create the file /etc/ftpd/ftpaccess to have these lines:

class all test1,guest *
guestgroup none
limit all 5 Any /no-more-ftp-access
noretrieve /etc/passwd

#chmod 444 ftpaccess
#chown bin:bin ftpaccess

Explanation:
line#1 : 'class' is a verb
'all' is a class of users; you can call it anything you like.'guest' is a verb "test1" is the user name '*' is the range of users allowed to ftp into the machine.
You can restrict this further if you want to. Do a man ftpaccess

line#2 : 'guestgroup' is a verb : 'none' is the group name of the users that have been coded via SAM.

line#3 : 'limit' is a verb
'all' as per line#1,the class of users.'5' is the number of ftp sessions; in this caseits five.You can change it to any number of your choice.'Any' , do a man ftpaccess for explanation '/no-more-ftp-access' is a filename that contains a message to be displayed when the limit is reached.

line#4 : types of files to restrict

8) Edit /etc/inetd.conf to add in '-a' argument for ftpd

ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -a

9) # inetd -c (to re-read the configuration file)

10) Create the following subdirecties and files:
a. ~test1/usr
#chown -R bin:bin usr
#chmod 555 usr
b. ~test1/usr/bin
#chown root bin
#chmod 555 bin
#cp -p /sbin/ls ~test1/usr/bin/ls

11) The ~test1/usr/bin/ls allows the use of the 'ls' command in ftp to find out the files that are present in their directory.

Do you test ..

Re: Creating a highly restricted FTP user account

Deepak Extross — Fri, 10 May 2002 09:04:22 GMT

Have you considered using an anonymous ftp account?
'man ftpd' explains how to go about setting up an anonymous ftp account.

Re: Creating a highly restricted FTP user account

Sanjay_6 — Fri, 10 May 2002 13:31:35 GMT

Hi Donald,

You can configure ftpaccess for this user id. This way you can restrict the following,

User can only do an ftp to the system. He cannot do a telnet.
He will be restrted to his home directory only.
You can restrict the commands used by him.
He can upload / download to /from only alloed directories,

Take a look at the thread below on how to setup ftpaccess,

http://us-support2.external.hp.com/cki/bin/doc.pl/sid=4df5f3351cb3447b6b/screen=ckiDisplayDocument?docId=200000055935266

Also do a "man ftpaccess" for more details on the various options and how they can help you in configuring the ftpaccess.

Hope this helps.

Regds