Operating System - HP-UX
Re: FTP Services & Restriction
Amit Dixit_2
Regular Advisor

FTP Services & Restriction

Hi,
I have configured a user account on my server
running HP-UX 11.23

I want to use this account as ftp account
and the users who login to this account
cannot telnet and if they login through ftp
cannot change directory.

Thanks,
Amit
Rick Garland
Honored Contributor

Re: FTP Services & Restriction

Sounds like you want something that functions as "chroot". Using this utility you can set up a "jail" so the ftp user cannot go to directories above - in fact, to the ftp user this would look like the / directory, so there is nowhere to go but down. (The ftp user can descend into directories that have been created.)

To prevent the telnet, change the shell type in the passwd file.

Look up chroot. Sounds like what you want.
Sundar_7
Honored Contributor
Solution

Re: FTP Services & Restriction

1) vi /etc/inetd.conf
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -a
#

add -a option to the ftpd

# inetd -c

Force inetd to reread the configuration

2) groupadd ftpgroup

Add a group called ftpgroup

3) useradd -g ftpgroup -m -s /usr/bin/false ftpuser

Create a user called ftpuser with /usr/bin/false as the shell

# passwd ftpuser

4) vi /etc/shells
/usr/bin/false

add the shell to /etc/shells

5) # vi /etc/ftpd/ftpaccess
guestgroup ftpgroup
#

Edit ftpaccess and define the guestgroup as ftp

6) # cd ~ftpuser
# mkdir -p etc usr/bin
# cp -p /etc/group etc/
# cp -p /etc/passwd etc/
# cp /sbin/ls usr/bin

Try telnet and ftp now as ftpuser.
Learn What to do, How to do and more importantly When to do?
Rgomes
Valued Contributor

Re: FTP Services & Restriction

Solution:

Use this procedure to configure the new ftpd:

Note: A user will not have the ability to travel anywhere outside
of his home directory on the system. Setting up a bogus
shell with exit 0 as the contents will cause the connection
of a user to be immediately terminated if the user attempts
to telnet into the system.

1. Configure the ftpaccess file:

a. cd /etc/ftpd
b. cp -p /usr/newconfig/etc/ftpd/ftpaccess .
c. vi ftpaccess. At the bottom of the file there is a guestgroup
directive 'guestgroup ftponly'.
i. Either change that group designation to one you already
have or keep that designation.
ii. If you are keeping the ftponly group, then create that
group on your system.


2. Modify the /etc/inetd.conf file to enable the use of the ftpaccess
file:

a. vi /etc/inetd.conf
b. Add the -a flag to the ftp daemon.
c. ftp stream tcp nowait root /usr/lbin/ftpd ftpd -a -l

4. Make inetd re-read its configuration:

inetd -c

5. Create a bogus shell for users that will only have FTP access to
the system:

a. vi /usr/bin/ftpshell
b. exit 0
c. chmod 555 /usr/bin/ftpshell
d. chown bin:bin /usr/bin/ftpshell

6. Create an /etc/shells file:

a. vi /etc/shells
b. Include these lines in the file:
/sbin/sh
/usr/bin/ksh
/usr/bin/sh
/usr/bin/csh
/usr/bin/rsh
/usr/bin/rksh
/usr/bin/keysh
/bin/sh
/bin/ksh
/bin/csh
/bin/rsh
/bin/rksh
/usr/bin/ftpshell

7. Now add a user to the system. Use a group that is 'ftponly' and
make the user's shell /usr/bin/ftpshell.
8. Use SAM to limit the user to his home directory by setting up the
directory in this form:
/home/username/./

Note: The /./ is the important key here. When the ftpd verifies a
user's login, it checks and sees that the user is a member of
the 'guestgroup' ftponly. It then examines the home directory
and, if it sees a /./ in the path, it will then perform a chroot
to that directory. Therefore, when that user FTPs into the
system, their home directory will appear as the / directory.

9. Provide the user with an ls command:

a. cd /home/username
b. mkdir usr
c. mkdir usr/bin
d. cp -p /sbin/ls usr/bin
e. chown -R bin:bin usr
f. chmod -R 555 usr

ref: Document id# BC0814KBRC00007719

regards,
Richard
Sundar_7
Honored Contributor

Re: FTP Services & Restriction

Once you create the directories etc usr/bin under the user's home directory, you also need to change the permissions such that the user is able to navigate/have read-only access to passwd,group and ls files.
Learn What to do, How to do and more importantly When to do?
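Building the jail skeleton that Sundar's step 6 and Rgomes's step 9 describe, with the read-only permissions the follow-up above asks for, as an added example that is not code from the thread. It assumes a POSIX sh and takes the jail root, the guest user, the source passwd and group files and the ls binary as parameters, so it can be tried against constructed files in a temporary directory (as the demo at the bottom does) before being pointed at ~ftpuser. It also goes one step beyond the thread: rather than copying the whole /etc/passwd and /etc/group into the jail, it writes only the guest user's own lines, so the jail does not expose every account on the system. The chown to bin:bin from step 9e runs only when the script is root. The function names build_ftp_jail and verify_ftp_jail are mine.

```shell
#!/bin/sh
# Added example: stage the chroot skeleton a guest ftp user needs
# (etc/passwd, etc/group, usr/bin/ls) and lock it down read-only.
#
# build_ftp_jail <jail_root> <ftp_user> <passwd_src> <group_src> <ls_bin>
build_ftp_jail() {
    jail=$1; user=$2; passwd_src=$3; group_src=$4; ls_bin=$5
    # Only the guest user's own passwd line goes into the jail: ftpd's ls
    # can still map uid->name, but the system's account list stays outside.
    entry=$(grep "^$user:" "$passwd_src") || { echo "no passwd entry for $user" >&2; return 1; }
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    mkdir -p "$jail/etc" "$jail/usr/bin" || return 1
    printf '%s\n' "$entry" > "$jail/etc/passwd"
    # Matching group line, selected by gid rather than by name.
    awk -F: -v g="$gid" '$3 == g' "$group_src" > "$jail/etc/group"
    cp -p "$ls_bin" "$jail/usr/bin/ls" || return 1
    # Readable by the ftp user, writable by nobody; directories traversable.
    chmod 444 "$jail/etc/passwd" "$jail/etc/group"
    chmod 555 "$jail/usr/bin/ls" "$jail/etc" "$jail/usr/bin" "$jail/usr"
    if [ "$(id -u)" = 0 ]; then
        chown -R bin:bin "$jail/etc" "$jail/usr" 2>/dev/null \
            || echo "warning: chown bin:bin failed (no bin account?)" >&2
    fi
}

# verify_ftp_jail <jail_root>: list the three files the ftp session needs
# and return 1 if any is missing, unreadable, or writable by anyone.
verify_ftp_jail() {
    jail=$1
    rc=0
    for f in etc/passwd etc/group usr/bin/ls; do
        if [ ! -f "$jail/$f" ]; then
            echo "MISSING    $f"; rc=1
        else
            mode=$(ls -ld "$jail/$f" | cut -c1-10)   # e.g. -r--r--r--
            case $mode in
                ?r??r??r??) echo "ok         $f $mode" ;;
                *) echo "UNREADABLE $f $mode"; rc=1 ;;
            esac
            case $mode in
                ??w*|?????w*|????????w*) echo "WRITABLE   $f $mode"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# Stand-alone demo on constructed passwd/group files and a stub "ls"
# (stand-in for /sbin/ls) in a temporary directory.
tmp=$(mktemp -d) || exit 1
printf 'root:x:0:0:root:/:/sbin/sh\nftpuser:*:2001:2001:FTP only:/home/ftpuser/./:/usr/bin/false\n' > "$tmp/passwd"
printf 'sys::3:root\nftpgroup::2001:\n' > "$tmp/group"
printf '#!/bin/sh\necho stub ls\n' > "$tmp/ls"
build_ftp_jail "$tmp/jail" ftpuser "$tmp/passwd" "$tmp/group" "$tmp/ls" && verify_ftp_jail "$tmp/jail"
chmod -R u+w "$tmp" && rm -rf "$tmp"
```

On the real system the call is `build_ftp_jail ~ftpuser ftpuser /etc/passwd /etc/group /sbin/ls`; the jail root itself is left untouched so the home directory's own ownership and write bit are whatever you decide the uploads policy should be.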
Jeff_Traigle
Honored Contributor

Re: FTP Services & Restriction

From your description of having multiple users login to a single ftp-only account, it actually sounds like the built-in anonymous ftp facility in ftpd would suffice. Make the user account name ftp... if they should be able to write files to the server set the write bit on the home directory defined (not generally a good idea, but kept to a non-critical file system can work... only serious problem then is users potentially overwriting/deleting each other's files). You can keep the account disabled/locked to disallow telnet access. Users login the ftp session as user ftp or anonymous and they are unable to cd anywhere else on the system. Check out the ftpd man page for setting it up.
--
Jeff Traigle
Jeff_Traigle
Honored Contributor

Re: FTP Services & Restriction

And I should mention... the anonymous ftp route doesn't provide an audit trail of who was connecting to the system... of course, if you have one account with all of the fancy configurations the others have mentioned that multiple people share, you're not getting any useful authentication information anyway. Just something to consider in your implementation whichever way you go.
--
Jeff Traigle
Amit Dixit_2
Regular Advisor

Re: FTP Services & Restriction

Hi Sundar,
I have configured ftp using your method
and now I am not able to connect
to server using ftp.

None of the accounts are working?

what should I do ?

Thanks,
Amit
Ermin Borovac
Honored Contributor

Re: FTP Services & Restriction

Do you have the following line in /etc/ftpd/ftpaccess?

class remote real,guest,anonymous *

Without a valid class all access to ftp server will be denied.

real -> for users having real accounts
guest -> for guest users defined with guestgroup
anonymous -> for anonymous access
Rgomes
Valued Contributor

Re: FTP Services & Restriction

Also check /var/adm/inetd.sec file.
Permit ftp by IP addresses.

It should look like this:
------
ftp permit 192.168.3.2 192.168.3.110
------
regards,
Richard
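A check over the configuration pieces the replies point at (the -a flag on ftpd in inetd.conf, the guestgroup and class lines in ftpaccess that Ermin's reply explains, the /./ marker in the home directory, the shell being listed in /etc/shells, and the ftp line in /var/adm/inetd.sec from Richard's last reply), as an added example that is not code from the thread. It assumes POSIX sh and awk, reads every file under a root prefix so it can be run against a staged copy (the constructed sample written by stage_sample_config) rather than the live system, and accepts both the 'permit' keyword as written above and 'allow', which is the keyword the inetd.sec(4) man page documents; wildcard and range entries that inetd.sec supports are not handled. All function names are mine.

```shell
#!/bin/sh
# Added example: audit the guest-ftp settings discussed in the thread.
# Every check takes file paths, so ROOT can be "" for the live system
# or a staging directory holding copies of the files.

# 1) inetd.conf: ftpd must be started with -a, or ftpaccess is never read.
inetd_ftp_has_a() {
    awk '$1 == "ftp" { for (i = 8; i <= NF; i++) if ($i == "-a") f = 1 }
         END { exit f ? 0 : 1 }' "$1"
}

# 2) ftpaccess: the guest group must be named, and some class line must
#    list "guest" in its typelist; with no matching class every login is
#    refused, which is the symptom reported above.
ftpaccess_guestgroup() {
    awk -v g="$2" '$1 == "guestgroup" { for (i = 2; i <= NF; i++) if ($i == g) f = 1 }
                   END { exit f ? 0 : 1 }' "$1"
}
ftpaccess_guest_class() {
    awk '$1 == "class" && NF >= 4 { n = split($3, t, ","); for (i = 1; i <= n; i++) if (t[i] == "guest") f = 1 }
         END { exit f ? 0 : 1 }' "$1"
}

# 3) passwd / shells: home directory carries the /./ chroot marker and the
#    login shell is listed in /etc/shells (ftpd refuses the login otherwise).
passwd_field() { grep "^$2:" "$1" | cut -d: -f"$3"; }
guest_home_ok() {
    case "$(passwd_field "$1" "$2" 6)" in */./*) return 0 ;; esac
    return 1
}
guest_shell_ok() {
    shell=$(passwd_field "$1" "$2" 7)
    [ -n "$shell" ] && grep -qx "$shell" "$3"
}

# 4) inetd.sec: no ftp line means no restriction; with an allow/permit
#    line the client must be listed; a deny line listing it wins.
inetd_sec_ftp_ok() {
    [ -f "$1" ] || return 0
    awk -v ip="$2" '
        $1 == "ftp" && ($2 == "allow" || $2 == "permit") {
            allow_seen = 1
            for (i = 3; i <= NF; i++) if ($i == ip) ok = 1
        }
        $1 == "ftp" && $2 == "deny" {
            for (i = 3; i <= NF; i++) if ($i == ip) denied = 1
        }
        END { exit (denied || (allow_seen && !ok)) ? 1 : 0 }' "$1"
}

# audit_ftp_guest <root> <user> <guestgroup> <client_ip>
# Prints one PASS/FAIL line per check and returns the number of failures.
audit_ftp_guest() {
    root=$1; user=$2; group=$3; ip=$4
    fails=0
    check() { if "$@"; then echo "PASS $1"; else echo "FAIL $1"; fails=$((fails + 1)); fi; }
    check inetd_ftp_has_a      "$root/etc/inetd.conf"
    check ftpaccess_guestgroup "$root/etc/ftpd/ftpaccess" "$group"
    check ftpaccess_guest_class "$root/etc/ftpd/ftpaccess"
    check guest_home_ok        "$root/etc/passwd" "$user"
    check guest_shell_ok       "$root/etc/passwd" "$user" "$root/etc/shells"
    check inetd_sec_ftp_ok     "$root/var/adm/inetd.sec" "$ip"
    return $fails
}

# Constructed sample mirroring the configuration the thread arrives at.
stage_sample_config() {
    r=$1
    mkdir -p "$r/etc/ftpd" "$r/var/adm"
    printf 'ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -a\n' > "$r/etc/inetd.conf"
    printf 'class remote real,guest,anonymous *\nguestgroup ftpgroup\n' > "$r/etc/ftpd/ftpaccess"
    printf 'root:x:0:0:root:/:/sbin/sh\nftpuser:*:2001:2001:FTP only:/home/ftpuser/./:/usr/bin/false\n' > "$r/etc/passwd"
    printf '/sbin/sh\n/usr/bin/sh\n/usr/bin/false\n' > "$r/etc/shells"
    printf 'ftp allow 192.168.3.2 192.168.3.110\n' > "$r/var/adm/inetd.sec"
}

# Stand-alone demo against the staged sample in a temporary directory.
tmp=$(mktemp -d) || exit 1
stage_sample_config "$tmp"
audit_ftp_guest "$tmp" ftpuser ftpgroup 192.168.3.2
echo "problems found: $?"
rm -rf "$tmp"
```

Against the live box the call is `audit_ftp_guest "" ftpuser ftpgroup <client address>`; a FAIL on ftpaccess_guest_class with everything else passing is exactly the "no account can connect" situation described above.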