topic Re: ftp-acces in Operating System - HP-UX

ftp-acces

Pieter_5 — Fri, 12 Sep 2003 06:29:10 GMT

Hi,

I would like to give a testuser access to my hp-box. I created a user, but this user has access to the entire machine. I would like to disable telnet for this specific user and I want this user only to be able to ftp to this directory.

Re: ftp-acces

Stefan Farrelly — Fri, 12 Sep 2003 06:35:00 GMT

HP's ftp doesnt allow you to restrict navigation around the box. You need to replace it with a different ftp which can do this;

WU-FTP or ProFTPd;

WU-FTP
ftp://wuarchive.wustl.edu/packages/wuarchive-ftpd/wu-ftpd-2.4.tar.gz
http://www.landfield.com/wu-ftpd/
ProFTPd http://www.proftpd.org

As for disabling telnet for this user there are 2 ways;

1. /var/adm/inetd.sec which allows you to disable telnet by an IP address - the one the user uses, but if the user has access to >1 machine then;
2. an entry in the users .profile to check for telnet login, then exit.

Re: ftp-acces

Stanimir — Fri, 12 Sep 2003 06:37:49 GMT

Hi!
The best way to do this is
SAM: Internet Services, Internet security;

Anyway the files,connected with security
of FTP and Telnet are:
/etc/services
/etc/inetd.conf
/etc/ftpusers
and indeed: /etc/passwd

Good luck!

Re: ftp-acces

H.Merijn Brand (procura — Fri, 12 Sep 2003 07:13:29 GMT

What platform is he/she coming from? If he/she is from a windoze box, you can create very secure and separated workspaces with samba (CiFS server) and not wory about ftp.

From 11.00 on, CiFS server is free, and available on the Application CD's. New machines probably even ship with CiFS already installed.

5012-7834 11.00 Appl CD 06-2003 4/4
5012-7838 11.11 Appl CD 06-2003 4/4

Enjoy, have FUN! H.Merijn

Re: ftp-acces

Mike Ingram — Fri, 12 Sep 2003 07:39:21 GMT

There is a file /var/adm/inetd.sec, in which you can specify the IP address of a machine that can or cannot have telnet and/or ftp access tp the host.
There are syntax examples in the file, and I find this works well.

Re: ftp-acces

George E. Holland_1 — Sat, 13 Sep 2003 04:29:17 GMT

You mite try TFTP as this can be locked to a folder and below but not above.

Re: ftp-acces

Bill Hassell — Sun, 14 Sep 2003 01:03:16 GMT

If you are running 11.0 or later, WU-FTPD was added several years ago. For 10.20, you'll need to get a copy from: http://hpux.connect.org.uk/

Search for wu_ftpd.

However, if all you need is ftp and need to disable shell access (ie, telnet), just change the user's shell from /usr/bin/sh to /usr/bin/false. While they will get a login prompt, it will exit immediately. And make sure you add (or edit the existing) /etc/shells with:

/sbin/sh
/usr/bin/ksh
/usr/bin/sh
/usr/bin/csh
/usr/bin/rsh
/usr/bin/rksh
/usr/bin/keysh
/bin/sh
/bin/ksh
/bin/csh
/bin/rsh
/bin/rksh
/usr/bin/false

(and any other shell that you may have assigned to users) ftpd requires that a user's shell appear in /etc/shells (man getusershell). Otherwise, ftpd will not allow the user to login.

Re: ftp-acces

Chuck Sims — Wed, 17 Sep 2003 00:56:42 GMT

Aloha Andre,

An easy way to limit login via telnet is to change the user's shell to /usr/bin/false. They can still FTP, but get kicked out when they try to telnet.

Chuck

Re: ftp-acces

Sundar_7 — Wed, 17 Sep 2003 05:08:32 GMT

Hi,

It is possible to restrict the user to his homedirectory (chroot) if you are running 11.X

# groupadd -g 55 ftponly
# useradd -d /home/ftponly -s /usr/bin/notelnet -g 55 -m ftponly
# echo "exit 0" >> /usr/bin/notelnet
# chmod +x /usr/bin/telnet
# mkdir -p ~ftponly/usr/bin
# cp /sbin/ls ~ftponly/usr/bin
# echo "/usr/bin/notelnet" >> /etc/shells
# cd /etc/ftpd
# cp /usr/newconfig/etc/ftpd/ftpaccess .
# vi ftpaccess
..
guestgroup ftponly.
..
#
# chown -R bin:bin ~ftponly
# chmod -R 755 ~ftponly
# vi /etc/inetd.conf
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -a -l

# inetd -c

Let me know if this helps

Sundar