Operating System - HP-UX

Creating a highly restricted FTP user account

 
Donald Osbourne
Occasional Advisor

Please advise on the most secure method or steps in creating a user account strictly for the purpose of receiving a weekly file transfer from a remote server. The user should have the following restrictions, security is a real issue:

-Must be password protected
-Must be restricted to its login directory
-Local login should also be highly restrictive
-Unable to execute any primary or privileged commands

Thanks
Ricardo Bassoi
Regular Advisor

Re: Creating a highly restricted FTP user account

You need to create a group only for ftp access in /etc/group.
After you create the group you must add a new user to your system, and after this associate this new user with the ftp group in /etc/passwd:
ftpusr:fzWDa.lw6Y11w:204:105::/in/smp/charging/./:/usr/bin/ftpshell

You must observe that you can restrict the ftp to the dir /in/smp/charging/./

You also need to configure your ftpaccess file at the /etc path

This user uses the shell /usr/bin/ftpshell, which has no cmds. You can create a new shell just by doing a vi /usr/bin/ftpshell and inserting the line exit 0.
You need to change the owner.group to bin.bin.
With this shell you cannot execute a login via shell, only via FTP.

To restrict the user to a path you can install the wu-ftpd that you can find at
http://www.wu-ftpd.org

Hope this helps.

Regds,

Bassoi
If you never try, never will work
Sachin Patel
Honored Contributor

Re: Creating a highly restricted FTP user account

Hi Donald,
Use the 'ftpaccess' config settings. There is a man page for this:
#man ftpaccess

1. edit the /etc/passwd file by adding users:

ftpguest:adjf+ke:505:125::/home/ftp/ftpguest/./:/usr/bin/false

'.' is the delimiter to determine where the chroot will be performed. In this example, after logging in, '/' will in effect be /home/ftp/ftpguest. If the delimiter was placed between ftp and ftpguest then '/' would be /home/ftp. In short, he can't perform cd .. from home.

2. /usr/bin/false will have to be added to the /etc/shells file for shell restriction.
See man(4) shells for further details.

Search forum for Restriction on ftp.

Sachin

Is photography a hobby or another way to spend $
S.K. Chan
Honored Contributor

Re: Creating a highly restricted FTP user account

This is from the Technical DB. Example of creating an ftp account that only allows the user to be in his directory, restricts him to only 5 ftp sessions and cannot retrieve system files (eg: /etc/passwd). As you can see, you can do your own customization along the way.

1) Make sure you have the latest ftp/ftpd patches

2) Create user via SAM (eg. user= test1 group= none)

3) This user has ONLY ftp access, so it would be wise to code the start-up program as /usr/bin/false

4) For the home directory, specify /home//.
test1:qXznDQ1RUwqZ6:115:20:,, :/home/test1/./:/usr/bin/false

**ignore the error with SAM not being able to create a /. directory.

5) All other questions in SAM are as per normal.

6) Ensure that /usr/bin/false is also coded in a file /etc/shells

7) Then edit-create the file /etc/ftpd/ftpaccess to have these lines:

class all test1,guest *
guestgroup none
limit all 5 Any /no-more-ftp-access
noretrieve /etc/passwd

#chmod 444 ftpaccess
#chown bin:bin ftpaccess

Explanation:
line#1 : 'class' is a verb. 'all' is a class of users; you can call it anything you like. 'guest' is a verb. "test1" is the user name. '*' is the range of users allowed to ftp into the machine.
You can restrict this further if you want to. Do a man ftpaccess.

line#2 : 'guestgroup' is a verb : 'none' is the group name of the users that have been coded via SAM.

line#3 : 'limit' is a verb. 'all' as per line#1, the class of users. '5' is the number of ftp sessions; in this case it's five. You can change it to any number of your choice. 'Any', do a man ftpaccess for explanation. '/no-more-ftp-access' is a filename that contains a message to be displayed when the limit is reached.

line#4 : types of files to restrict

8) Edit /etc/inetd.conf to add in '-a' argument for ftpd

ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -a

9) # inetd -c (to re-read the configuration file)

10) Create the following subdirectories and files:
a. ~test1/usr
#chown -R bin:bin usr
#chmod 555 usr
b. ~test1/usr/bin
#chown root bin
#chmod 555 bin
#cp -p /sbin/ls ~test1/usr/bin/ls

11) The ~test1/usr/bin/ls allows the use of the 'ls' command in ftp to find out the files that are present in their directory.

Do you test ..
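As an added example that is not part of the thread, the following POSIX sh script audits a passwd entry against the points Sachin and S.K. Chan make above: the home field carries the /./ chroot marker (and not at the root, where it would chroot to / and restrict nothing), the shell is a no-login shell that is nonetheless listed in /etc/shells, and the password field is not empty. The account names, hashes and file paths are constructed sample data, not real accounts.

```sh
#!/bin/sh
# Added example, not from the thread: audit a passwd entry for the chroot-only FTP
# account described in the replies. Checks: a password field is set, the home field
# carries the "/./" chroot marker (and not at the root, which would chroot to "/"),
# and the login shell is a no-login shell that is still listed in the shells file
# (ftpd refuses users whose shell is not listed). Sample files are constructed below.

# check_ftp_account USER PASSWD_FILE SHELLS_FILE -> 0 if every check passes, else 1
check_ftp_account() {
    _user=$1 _passwd=$2 _shells=$3 _rc=0
    _entry=$(grep "^$_user:" "$_passwd") || { echo "FAIL: $_user not in $_passwd"; return 1; }
    # passwd layout: name:password:uid:gid:gecos:home:shell
    _pw=$(printf '%s\n' "$_entry" | cut -d: -f2)
    _home=$(printf '%s\n' "$_entry" | cut -d: -f6)
    _shell=$(printf '%s\n' "$_entry" | cut -d: -f7)
    [ -n "$_pw" ] || { echo "FAIL: $_user has an empty password field"; _rc=1; }
    case $_home in
        /./*)  echo "FAIL: /./ at the root of home=$_home chroots to / (no restriction)"; _rc=1 ;;
        */./*) echo "ok:   ftpd chroots $_user to ${_home%%/./*}" ;;
        *)     echo "FAIL: no /./ chroot marker in home=$_home"; _rc=1 ;;
    esac
    case $_shell in
        /usr/bin/false|/bin/false|*/ftpshell) ;;   # no-login shells used in the thread
        *) echo "FAIL: $_user has interactive shell $_shell"; _rc=1 ;;
    esac
    grep -qxF "$_shell" "$_shells" ||
        { echo "FAIL: $_shell not in $_shells, ftpd will refuse $_user"; _rc=1; }
    return $_rc
}

# constructed sample data, not real accounts or hashes
SAMPLE=${TMPDIR:-/tmp}/ftpaudit.$$
mkdir -p "$SAMPLE"
cat > "$SAMPLE/passwd" <<'EOF'
ftpguest:adjf+ke:505:125::/home/ftp/ftpguest/./:/usr/bin/false
badftp:x7Qm2p:506:125::/home/ftp/badftp:/usr/bin/sh
rootjail:k9Lp1z:507:125::/./home/ftp/rootjail:/usr/bin/false
EOF
printf '/usr/bin/sh\n/usr/bin/ksh\n/usr/bin/false\n' > "$SAMPLE/shells"

for u in ftpguest badftp rootjail; do
    check_ftp_account "$u" "$SAMPLE/passwd" "$SAMPLE/shells" || echo "$u: NOT SAFE"
done
```

Run it against the real /etc/passwd and /etc/shells by passing those paths instead of the sample files; only the first account passes all three checks.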

Deepak Extross
Honored Contributor

Re: Creating a highly restricted FTP user account

Have you considered using an anonymous ftp account?
'man ftpd' explains how to go about setting up an anonymous ftp account.
Sanjay_6
Honored Contributor

Re: Creating a highly restricted FTP user account

Hi Donald,

You can configure ftpaccess for this user id. This way you can restrict the following:

The user can only do an ftp to the system. He cannot do a telnet.
He will be restricted to his home directory only.
You can restrict the commands used by him.
He can upload / download to/from only allowed directories.

Take a look at the thread below on how to set up ftpaccess:

http://us-support2.external.hp.com/cki/bin/doc.pl/sid=4df5f3351cb3447b6b/screen=ckiDisplayDocument?docId=200000055935266

Also do a "man ftpaccess" for more details on the various options and how they can help you in configuring the ftpaccess.

Hope this helps.

Regds