topic Re: Secure FTP server in Operating System - HP-UX

Secure FTP server

Mike Manley — Wed, 29 Nov 2000 20:16:08 GMT

Have an S800 HP-UX 11.0 system being set up as a dedicated FTP server. Have converted it to a Trusted System. Unfortunately, after adding a new user, they cannot login (using FTP) until they have Telneted in and changed their password. Is there any simple way to add a new FTP user, assign them a password, and then let them login using FTP only? Or will I have to convert back to an unTrusted System?

Re: Secure FTP server

Rita C Workman — Wed, 29 Nov 2000 20:32:33 GMT

I set up a dedicated server for FTP only access.
First I set the inetd.conf to log everything and to access the ftpaccess file (ftpd stream ~ -l -a) and don't forget to set the netdaemons for this INETD_ARGS I think.
Then I set the /var/adm/inetd.sec to only allow ftp.

Then to get creative I created my users, changed the /etc/passwd file for each user to (chroot) to a sub directory: uid:*::::/home/user/subdir/./:/usr/bin/ksh
Under the users home directoru I created and copied
/home/user/usr/bin/ls from /sbin/ls
/home/usr/usr/bin/pwd from /usr/bin/pwd

Then I copied from /usr/newconfig/etc/ftpd/ftpaccess
to /etc/ftpd/ftpaccess and edited the file according to what I wanted done. Put them all into a sort of guest group with limited rights.

Basically, it's pretty much the same setup as what is mentioned in HP's Installing & Administering Internet Services configuration of an Anonymous FTP - except that I set my ftpaccess file to stop anonymous ftps and only allow actual logins...By doing the above it kept these outside vendors from playing around and limited them to their home directory and only their files. Hope I didn't miss anything, I did this once...awhile back.

regards,

Re: Secure FTP server

Mike Manley — Wed, 29 Nov 2000 20:57:56 GMT

Thanks for the response. I was very paranoid when constucting the server. The system is built following the guide "Building a Bastion Host Using HP-UX 11" by Kevin Steves. However, the Trusted System's methodology for password management (requiring an initial password change by the user) complicates user administration terribly. What I am looking for is a way to add an FTP user account without them having to first Telnet in and change their password.

Re: Secure FTP server

Maureen Gunkel — Wed, 29 Nov 2000 21:47:10 GMT

Greg:
If you are supplying them with the login/password, perhaps you can do the initial login and change their password before notifying them that their account is active.
Just a thought.

Re: Secure FTP server

Mike Manley — Wed, 29 Nov 2000 22:41:59 GMT

Thanks for the input. That thought had crossed my mind. Part of the account setup would be to have the Administrator Telnet in and do the initial password change for them. Short of converting from a Trusted Server to an unTrusted server (which I don't want to do) that seems to be the only answer.