topic Re: Restriction on ftp conection in Operating System - HP-UX

Restriction on ftp conection

Arturo Perez del Galleg — Tue, 14 Jan 2003 11:27:17 GMT

Hi all!
It's possible to perform a ftp connection from host1 to host2, but only with user1?
Namely, if the user2 try to connect from host1, the connection is refused; but user2 is able to perform ftp connections from an other host (host3).
TIA

Re: Restriction on ftp conection

Jose Mosquera — Tue, 14 Jan 2003 11:41:25 GMT

Hi,

If you are on 11.0 you need define /etc/ftpd/ftpaccess, inside of this file you must be include users that couldn't be ftp connection, each line in this file must contain just user name. For detailed info:
#man ftpusers

Rgds.

Re: Restriction on ftp conection

Arturo Perez del Galleg — Tue, 14 Jan 2003 11:48:13 GMT

I known this option, but this not resolve my problem, i want to restrict the user1 to perform ftp from a particular host (host1) an only from here to the server (host2).
TIA

Re: Restriction on ftp conection

Jose Mosquera — Tue, 14 Jan 2003 11:56:05 GMT

Hi Again,

Try with de /var/adm/inetd.sec ftp "allow|deny" service configuration.
#man inetd.sec

Rgds.

Re: Restriction on ftp conection

Tim Maletic — Tue, 14 Jan 2003 13:57:57 GMT

I still don't understand your goal. Here are some of the ways I can interpret your goal:

1) You want to make it so that user1 on host1 can ftp to host2, but not to any other host.

This sounds impossible, unless you are severely restricting user1's access to a shell.

2) You want to allow user1 on host1 to use an ftp client, but disallow any other user on host1 from using an ftp client.

Again, this is client-side ftp restrictions, which will be impossible if the user can run a shell (since they could then install their own client, etc.).

3) On host2, you want to allow user1 from host1, but disallow user2 from host1.

As Jose points out, this is accomplished via ftpusers(4).

But this method won't work if you want host2 to accept ftp connections from user2 on host3. If this is what you need, you may be in trouble. I don't see a solution to it off the top of my head, at any rate. wu-ftpd (HP-UX's standard ftp server, as of late) supports denying hosts, and it supports denying users, but I don't think it supports denying specific users of specific hosts. [Someone please correct me if I'm wrong.]

Maybe if you tell us *why* you want to do this, we can be of more assistance.

-Tim

Re: Restriction on ftp conection

Arturo Perez del Galleg — Tue, 14 Jan 2003 14:58:49 GMT

Hi Tim & Jose Mari!
A lot of thanks!
Tim as you says my problem is the point 3 of your exposition.
We want to create an ftp users with restrictions by machine, directory access, etc. for a punctual purpose. But for this test we must to enable the access to our server from an other host out of "habitual network". We want no access from this external hosts with an other user that the specified. We desire to controle this. We have checked ftpaccess, ftpd, ftp an others commands but...
No ideas?
TIA

Re: Restriction on ftp conection

Ken Hubnik_2 — Tue, 14 Jan 2003 15:03:07 GMT

You can allow and deny ftp in /var/adm/inetd.sec file by IP address or hostname.

Re: Restriction on ftp conection

Tim Maletic — Tue, 14 Jan 2003 19:12:38 GMT

Well, if you only want one user on this external host to access your server, create an account for them, and only give that user the password.

If the problem is that your external user's username conflicts with a local user's username, then create a new one for the external user.

You're not talking about anonymous FTP, are you?

Are you worried about restricting access to your server by a mere password? (If so, consider sshd, sftp, and public key authentication.)

I still don't feel I've grasped your problem. Am I getting closer?

Re: Restriction on ftp conection

Arturo Perez del Galleg — Wed, 15 Jan 2003 07:08:35 GMT

OK, i create the username with anonymous ftp or ftp restrictions, but the user has an other proper account (his account) and for this punctual action i don't want he use it from the commented host. The user has two accounts (user1 & user2) and one host (host1) but he must use only the account with restrictions (for this punctual action).
I think that isn't possible.
I don't know it's full explained...
Thanks

Re: Restriction on ftp conection

David_246 — Wed, 15 Jan 2003 12:31:50 GMT

Just to re-capatelize;

Use /var/adm/inetd.sec to deny/allow ip-adresses or subnets for ftp :

ftp allow 1.2.3.4 2.3.4.45-68 host1 host2

Use /etc/ftpd/ftpaccess to set rules :
class local real,guest,anonymous *.domain 0.0.0.0
class remote real,anonymous *
class remote guest /etc/ftpd/ftp_in.allow ## Put in your ip-adres from host1
## Don't know if you can define class --> user1 here.

Use /etc/ftpusers to allow only these users :
user1 Should not be in the file, as he is allowed to ftp!! root should be.

Use /etc/passwd to only allow ftp for this user:
user1:*:1001:401:User1 ftp acount:/ftp/ftp_in:/usr/bin/false

I think these are about the options you have. Maybe this makes it some easier to see what you can and what you can't. I confirm an easier use of allow/deny user/hosts would be preffered.

Regs David

Re: Restriction on ftp conection

Keith Buck — Wed, 15 Jan 2003 13:40:40 GMT

Maybe a bit off topic, but all of these restrictions are available if you configure sftp instead of ftp. You can do configuration by user and by host or a combination. (personally I prefer scp because it's easier to script)

As several of the responses indicate, you may be able to rig something using regular ftp (well, sort of). However, each of these methods fundamentally rely on ip-based authentication (claiming to be user1 from host2 is sufficient to 'prove' that you are user1 from host2). ip-based authentication is fundamentally easy to beat, so if you don't trust the other user on your network to play nicely, then all of your efforts are in vain anyway.

scp/sftp use a fundamentally more secure authentication technique in addition to being more configurable. hp-ux secure shell would need to be installed on host1, host2, and host3, and if you want more details on configuring these, there are lots of people on this forum who can help there too.

Hope that helps

Re: Restriction on ftp conection

Shannon Petry — Wed, 15 Jan 2003 13:47:38 GMT

This functionality is also available with tcp wrappers. It is the big brother to inetd.sec, and allows user@host rules as well as host rules.

I used to use TCP wrappers in HP-UX 10, but this was 3 years ago. Perhaps tcp wrappers has been updated for 11.x of HP-UX.

Regards,
Shannon

Re: Restriction on ftp conection

Arturo Perez del Galleg — Wed, 15 Jan 2003 14:46:23 GMT

Hi all!
Thank you very much!
The functionality Shannon comments, the combination user@host rule, is the solution. It is no easy to implement, but...
Bye!