
Re: FTP password via ldap

 
Romana
Occasional Advisor

FTP password via ldap

Hi,
is it possible to get, on an HP-UX 11.x system, only the password information for an ftp user from AD (ldap/pam)? I am running ldap and the ftp is working fine for all ldap users listed in my AD and all users in the local /etc/passwd by trying some changes in /etc/pam.conf. For security I want to allow only users listed in /etc/passwd, but the password comes from the password server (AD). What is the correct entry in pam.conf for this, if it is possible at all?

Thanks for your help,
regards
Romana

Sundar_7
Honored Contributor

Re: FTP password via ldap

Romana,

You can achieve this by customizing the /etc/ftpd/ftpaccess file.

man ftpaccess for more details.

Sundar.
Learn what to do, how to do and, more importantly, when to do?
Romana
Occasional Advisor

Re: FTP password via ldap

Hi Sundar,
I use ftpaccess and I searched the man page again, but I can't find any hint on how to implement my "special wish". Could you please give me some advice?

Romana
Doug Lamoureux_2
Valued Contributor

Re: FTP password via ldap

If you are using PAM Kerberos for authentication, don't allow pam_krb5 for the ftp service:

# grep ^ftp pam.conf
ftp auth required libpam_unix.1
ftp account required libpam_unix.1

But continue to use PAM Kerberos for login/ssh:

# grep ^ssh pam.conf
sshd auth sufficient libpam_krb5.1
sshd auth required libpam_unix.1
sshd account sufficient libpam_krb5.1
sshd account required libpam_unix.1
sshd session sufficient libpam_krb5.1
sshd session required libpam_unix.1
sshd password sufficient libpam_krb5.1
sshd password required libpam_unix.1

While this will prevent AD users from FTP'ing into this system, they will be able to log in (telnet/rlogin/ssh) and then FTP out of the system. So unless you have a way to restrict outbound FTP connections you really haven't done much to increase the security of the system; of course, disabling FTP/Telnet/rlogin altogether would be my recommendation :)
Romana
Occasional Advisor

Re: FTP password via ldap

Hi,
actually I did it this way, but it is not what I really want. So, all my incoming ftp users have to be listed in /etc/passwd. Several ldap users also have to ftp onto my HP-UX box, but I did not know their password to create a full entry in /etc/passwd. Only the password should be verified via AD/ldap and the rest (ftp HOME path) from /etc/passwd.
But I don't know how to do this.
Doug Lamoureux_2
Valued Contributor

Re: FTP password via ldap

If I understand correctly you want to have your user attributes (home directory, uidnumber, loginshell, etc.) defined in the local /etc/passwd file, but you want all authentication done against AD?

If this is the case then don't use ldap-ux at all (remove the ldap entries from /etc/nsswitch.conf). Define all of your users in the local /etc/passwd file with no password. Then configure PAM Kerberos for authentication. Of course the user name in /etc/passwd must match the user name in AD.
Heironimus
Honored Contributor

Re: FTP password via ldap

I think you should be able to configure pam_ldap but leave nsswitch.conf set to just use files. User account information comes from the sources you list in nsswitch, authentication comes from what you configure in PAM. But I've never tried that kind of configuration on HP-UX.
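As an added audit example (not code from the thread, from HP or from LDAP-UX): a POSIX shell script that reads the three files the replies above discuss, /etc/pam.conf, /etc/nsswitch.conf and /etc/passwd, and reports whether the ftp auth stack hands passwords to a network module, whether account data (home, uid, shell) comes only from local files, and whether any local entry has an empty password field (with pam_unix an empty field means no password is asked at all). It assumes the HP-UX 11.x pam.conf column layout quoted earlier in the thread and that the LDAP-UX module file is named libpam_ldap.1 (an assumption; libpam_krb5.1 is taken from the thread). The sample files it writes are constructed, not real system files.

```shell
#!/bin/sh
# Added audit example, not code from the thread or from HP. It reads the three
# files the replies discuss (pam.conf, nsswitch.conf, passwd) and reports where
# ftp authentication goes, where account data comes from, and whether any local
# account has an empty password field. Constructed sample copies are written to
# a temporary directory so the script runs offline; pass real paths to report().
# Assumptions: HP-UX 11.x pam.conf layout "service type flag module [options]"
# as quoted in the thread; the LDAP-UX module is called libpam_ldap.1 (assumed),
# pam_krb5 is libpam_krb5.1 (as in the thread). Modules are matched by substring.

NETWORK_MODULES="libpam_krb5 libpam_ldap"

# Print "flag module" for every pam.conf entry of one service and module type.
pam_stack() {   # $1=pam.conf  $2=service  $3=type (auth|account|session|password)
    awk -v svc="$2" -v typ="$3" \
        '$1 !~ /^#/ && $1 == svc && $2 == typ { print $3, $4 }' "$1"
}

# Return 0 if that stack hands the password to a network authority.
uses_network_auth() {   # $1=pam.conf  $2=service  $3=type
    _stack=$(pam_stack "$1" "$2" "$3")
    for _m in $NETWORK_MODULES; do
        case "$_stack" in *"$_m"*) return 0 ;; esac
    done
    return 1
}

# Print the passwd sources from nsswitch.conf, e.g. "files" or "files ldap".
passwd_sources() {   # $1=nsswitch.conf
    awk '$0 ~ /^[ \t]*passwd:/ { sub(/^[ \t]*passwd:[ \t]*/, ""); print }' "$1"
}

# Return 0 if account data (home, uid, shell) comes only from local files.
passwd_files_only() {   # $1=nsswitch.conf
    [ "$(passwd_sources "$1")" = "files" ]
}

# Count entries whose password field is empty. With pam_unix such an account
# needs no password at all, so a "no password" local entry is only safe when
# the service's auth stack never consults pam_unix.
empty_password_entries() {   # $1=passwd file
    awk -F: '$2 == "" { n++ } END { print n + 0 }' "$1"
}

report() {   # $1=pam.conf  $2=nsswitch.conf  $3=passwd
    echo "ftp auth stack:    $(pam_stack "$1" ftp auth | tr '\n' ';')"
    echo "ftp account stack: $(pam_stack "$1" ftp account | tr '\n' ';')"
    if uses_network_auth "$1" ftp auth; then
        echo "ftp passwords are checked by a network module (AD/LDAP)"
    else
        echo "ftp passwords are checked locally only"
    fi
    echo "passwd sources:    $(passwd_sources "$2")"
    _n=$(empty_password_entries "$3")
    [ "$_n" -gt 0 ] && echo "WARNING: $_n local account(s) with an empty password field"
    return 0
}

# Constructed sample files (not real system files). pam.conf.local matches the
# ftp stanza quoted earlier in the thread; pam.conf.ldap is the layout the last
# reply suggests, with pam_ldap for auth and pam_unix for account data.
make_samples() {
    _d=${TMPDIR:-/tmp}/pamaudit.$$
    mkdir -p "$_d"
    cat >"$_d/pam.conf.local" <<'EOF'
# constructed sample
ftp   auth     required    libpam_unix.1
ftp   account  required    libpam_unix.1
sshd  auth     sufficient  libpam_krb5.1
sshd  auth     required    libpam_unix.1
EOF
    cat >"$_d/pam.conf.ldap" <<'EOF'
ftp   auth     required    libpam_ldap.1
ftp   account  required    libpam_unix.1
EOF
    cat >"$_d/nsswitch.conf" <<'EOF'
passwd: files
group:  files
hosts:  files dns
EOF
    cat >"$_d/passwd" <<'EOF'
root:x:0:3::/:/sbin/sh
alice::101:20:AD user with empty local password field:/home/alice:/sbin/sh
bob:*:102:20:AD user locked locally:/home/bob:/sbin/sh
EOF
    echo "$_d"
}

SAMPLE_DIR=$(make_samples)
report "$SAMPLE_DIR/pam.conf.local" "$SAMPLE_DIR/nsswitch.conf" "$SAMPLE_DIR/passwd"
```

Run it as is to audit the constructed samples; on a real box call report /etc/pam.conf /etc/nsswitch.conf /etc/passwd instead. The empty-password check is the caveat for the "define users with no password" approach: such an entry only stays safe while the ftp auth stack never reaches pam_unix, and a locked placeholder such as "*" in the password field avoids depending on that.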