
Re: ftp-acces

 
Pieter_5
Advisor

ftp-acces

Hi,

I would like to give a testuser access to my hp-box. I created a user, but this user has access to the entire machine. I would like to disable telnet for this specific user and I want this user only to be able to ftp to this directory.
Stefan Farrelly
Honored Contributor

Re: ftp-acces

HP's ftp doesn't allow you to restrict navigation around the box. You need to replace it with a different ftp which can do this;

WU-FTP or ProFTPd;

WU-FTP
ftp://wuarchive.wustl.edu/packages/wuarchive-ftpd/wu-ftpd-2.4.tar.gz
http://www.landfield.com/wu-ftpd/
ProFTPd http://www.proftpd.org

As for disabling telnet for this user there are 2 ways;

1. /var/adm/inetd.sec which allows you to disable telnet by an IP address - the one the user uses, but if the user has access to >1 machine then;
2. an entry in the users .profile to check for telnet login, then exit.
I'm from Palmerston North, New Zealand, but somehow ended up in London...
Stanimir
Trusted Contributor

Re: ftp-acces

Hi!
The best way to do this is
SAM: Internet Services, Internet security;

Anyway, the files connected with security
of FTP and Telnet are:
/etc/services
/etc/inetd.conf
/etc/ftpusers
and indeed: /etc/passwd

Good luck!
H.Merijn Brand (procura
Honored Contributor

Re: ftp-acces

What platform is he/she coming from? If he/she is from a windoze box, you can create very secure and separated workspaces with samba (CiFS server) and not worry about ftp.

From 11.00 on, CiFS server is free, and available on the Application CD's. New machines probably even ship with CiFS already installed.

5012-7834 11.00 Appl CD 06-2003 4/4
5012-7838 11.11 Appl CD 06-2003 4/4

Enjoy, have FUN! H.Merijn
Mike Ingram
Occasional Advisor

Re: ftp-acces

There is a file /var/adm/inetd.sec, in which you can specify the IP address of a machine that can or cannot have telnet and/or ftp access to the host.
There are syntax examples in the file, and I find this works well.
Don't be shy to ask if you don't know the answer
George E. Holland_1
Occasional Advisor

Re: ftp-acces

You might try TFTP as this can be locked to a folder and below but not above.
Bill Hassell
Honored Contributor

Re: ftp-acces

If you are running 11.0 or later, WU-FTPD was added several years ago. For 10.20, you'll need to get a copy from: http://hpux.connect.org.uk/

Search for wu_ftpd.

However, if all you need is ftp and need to disable shell access (ie, telnet), just change the user's shell from /usr/bin/sh to /usr/bin/false. While they will get a login prompt, it will exit immediately. And make sure you add (or edit the existing) /etc/shells with:

/sbin/sh
/usr/bin/ksh
/usr/bin/sh
/usr/bin/csh
/usr/bin/rsh
/usr/bin/rksh
/usr/bin/keysh
/bin/sh
/bin/ksh
/bin/csh
/bin/rsh
/bin/rksh
/usr/bin/false

(and any other shell that you may have assigned to users) ftpd requires that a user's shell appear in /etc/shells (man getusershell). Otherwise, ftpd will not allow the user to login.


Bill Hassell, sysadmin
Chuck Sims
Advisor

Re: ftp-acces

Aloha Andre,

An easy way to limit login via telnet is to change the user's shell to /usr/bin/false. They can still FTP, but get kicked out when they try to telnet.

Chuck
"I feel like I'm diagonally parked in a parallel universe."
Sundar_7
Honored Contributor

Re: ftp-acces

Hi,

It is possible to restrict the user to his home directory (chroot) if you are running 11.X.


# groupadd -g 55 ftponly
# useradd -d /home/ftponly -s /usr/bin/notelnet -g 55 -m ftponly
# echo "exit 0" >> /usr/bin/notelnet
# chmod +x /usr/bin/notelnet
# mkdir -p ~ftponly/usr/bin
# cp /sbin/ls ~ftponly/usr/bin
# echo "/usr/bin/notelnet" >> /etc/shells
# cd /etc/ftpd
# cp /usr/newconfig/etc/ftpd/ftpaccess .
# vi ftpaccess
..
guestgroup ftponly
..
#
# chown -R bin:bin ~ftponly
# chmod -R 755 ~ftponly
# vi /etc/inetd.conf
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -a -l

# inetd -c

Let me know if this helps

Sundar

Learn What to do, How to do and more importantly When to do?
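
A read-only check of the settings Bill Hassell and Sundar describe above, added here as an example and not part of any post in the thread. The function names, the ROOT prefix argument and the sample tree are assumptions constructed for illustration; the file paths are the ones named in the thread.

```shell
#!/bin/sh
# Added example: audit an FTP-only account against the checks from this thread.
# ROOT is a path prefix ("" audits the live system); the sample tree is constructed.

audit_ftponly() {   # usage: audit_ftponly USER GROUP [ROOT]
    user=$1; group=$2; root=${3:-}; rc=0
    entry=$(grep "^$user:" "$root/etc/passwd") ||
        { echo "FAIL no passwd entry for $user"; return 1; }
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)

    # 1. An interactive login shell means telnet still gives a session.
    case ${shell##*/} in
        sh|ksh|csh|rsh|rksh|keysh) echo "FAIL $shell is an interactive shell"; rc=1 ;;
        *) echo "ok   $shell is not an interactive shell" ;;
    esac
    # 2. ftpd refuses the login unless the shell is listed in /etc/shells.
    if grep -Fqx "$shell" "$root/etc/shells" 2>/dev/null; then
        echo "ok   $shell listed in /etc/shells"
    else echo "FAIL $shell missing from /etc/shells"; rc=1; fi
    # 3. /etc/ftpusers lists accounts that are denied FTP.
    if grep -Fqx "$user" "$root/etc/ftpusers" 2>/dev/null; then
        echo "FAIL $user is listed in /etc/ftpusers"; rc=1
    else echo "ok   $user not in /etc/ftpusers"; fi
    # 4. guestgroup in ftpaccess is what confines (chroots) the session.
    if awk -v g="$group" '$1 == "guestgroup" { for (i = 2; i <= NF; i++) if ($i == g) ok = 1 }
                          END { exit !ok }' "$root/etc/ftpd/ftpaccess" 2>/dev/null; then
        echo "ok   guestgroup $group set in ftpaccess"
    else echo "FAIL no 'guestgroup $group' in ftpaccess"; rc=1; fi
    return $rc
}

make_sample() {   # constructed sample tree; $2 is the login shell to assign
    mkdir -p "$1/etc/ftpd"
    printf 'ftponly:*:105:55::/home/ftponly:%s\n' "$2" > "$1/etc/passwd"
    printf '/sbin/sh\n/usr/bin/sh\n/usr/bin/false\n' > "$1/etc/shells"
    printf 'root\nuucp\n' > "$1/etc/ftpusers"
    printf '# constructed sample\nguestgroup ftponly\n' > "$1/etc/ftpd/ftpaccess"
}

# Demo on the constructed tree: all four checks pass for /usr/bin/false.
demo=${TMPDIR:-/tmp}/ftponly-audit.$$
make_sample "$demo" /usr/bin/false
audit_ftponly ftponly ftponly "$demo" || true
rm -rf "$demo"
```

Run as `audit_ftponly ftponly ftponly ""` to check the real files; it only reads them.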