
How create user with only FTP access

 
Abdullah_2
Advisor

Dear All,

Hi,
I would like to create a user with only FTP privilege, so he cannot use any application like telnet or anything else.

I would prefer to create a group called FTP with this privilege but actually I do not know how to do it?

Kind Regards
twang
Honored Contributor

Re: How create user with only FTP access

Take a look at the whitepaper from HP:
Setting up restricted user accounts with FTP
DocId: KBRC00008355
Updated: 10/30/01 12:24:00 PM

PROBLEM
How can I restrict certain users to one directory through ftp?

RESOLUTION
The new version of FTP is supplied to HP-UX 11.00 through patch PHNE_14479
and this must be installed on your system. Please check the release notes
provided at /usr/share/doc/RelNotes_newftp.txt for further information on
the enhancements provided by this FTP revision.

There are three kinds of logins provided by wu-ftp:
* anonymous FTP
* real FTP
* guest FTP

The focus of this document is how to setup a 'guest' ftp account to get
around the sublogin problems encountered with HP-UX 11.00.

Guest accounts require explicit user entries in the system /etc/passwd
file but perform a chroot to a designated directory, thus maintaining
integrity.

Steps to be followed:

1. Make the edits to the /etc/passwd file

ftpguest:4rL2HZkDatENY:505:125::/home/ftp/ftpguest/./:/usr/bin/false
                                                  ^^^
- '.' is the delimiter to determine where the chroot will be performed. In
this example, after logging in '/' will in effect be /home/ftp/ftpguest.
If the delimiter was placed between ftp and ftpguest then '/' would be
/home/ftp. ftpguest was used as the account name in this example but you
could use any name you like.

2. /usr/bin/false will have to be added to the /etc/shells file.
See man(4) shells for further details

3. Make the edits to the /etc/group file

ftpgroup::125:ftpguest

- Create and set the permissions and ownership for the directory
(/home/ftp/ftpguest) to what suits you best.

4. Add an entry into the ftpaccess file. This file will most probably have to
be copied from the /usr/newconfig/etc/ftpd/ftpaccess to /etc/ftpd/ftpaccess.

Add a guestgroup entry (in the /etc/ftpd/ftpaccess file) to allow a group
of users to be treated as 'guests'. This entry will correspond to the entry
in the /etc/group file. Here is a sample of the ftpaccess file to use guest
groups.

# specify which group of users will be treated as "guests".
guestgroup ftpgroup

5. Edit the /etc/inetd.conf file and add the '-a' option to enable ftpd to
use the ftpaccess file. Here is an example;

ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -a

You will need to reconfigure inetd by running /usr/sbin/inetd -c to
reread the /etc/inetd.conf file after making the change.

6. Since this is similar to anonymous FTP in the respect that you are in a
chrooted area (the path to / is different than on your system) you will
also have to replicate the /usr/bin and /etc directories. The easiest way
to do this is to use SAM to create an anonymous FTP setup and then replicate
the /etc & /usr/bin directories into your ftp guest root directory. Here
is an example of how you would replicate the ~ftp/usr and ~ftp/etc directory
to your new ftp guest directory. We use the ftpguest user in this example.

cp -R ~ftp/usr ~ftpguest/usr
cp -R ~ftp/etc ~ftpguest/etc

At this point you should have the files and programs needed for your
ftpguest user.

** This is dependent upon where the '.' delimiter has been positioned. If
the delimiter is positioned prior to the ftp username then only the root
directory (/home/ftp) needs to contain a /usr & /etc directory structure.
If the delimiter is placed post the username then each individual user
will require this directory structure.

** NOTE: When providing the 'ls' command, use /sbin/ls, not /usr/bin/ls.

7. Another thing I noticed is that you must touch the file /etc/ftpd/ftpgroups.
If you do not, you will see messages in syslog.log indicating that ftpd could
not stat this file.
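
An added example (not part of the whitepaper or of the post above): a POSIX shell function that checks one guest account against steps 1 to 7. The function name and the optional ROOT prefix argument are assumptions made here, and it assumes the guest group is the account's primary group, as in the whitepaper's sample entries.

```shell
#!/bin/sh
# Added example: audit one wu-ftpd guest account against steps 1-7 above.
# ROOT is an assumed optional prefix for checking a copy of the config tree.
audit_ftp_guest() {
    user=$1 ROOT=${2:-} fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

    entry=$(grep "^$user:" "$ROOT/etc/passwd") || { fail "no passwd entry"; return 1; }
    gid=$(echo "$entry" | cut -d: -f4)
    home=$(echo "$entry" | cut -d: -f6)
    shell=$(echo "$entry" | cut -d: -f7)

    # Step 1: ftpd chroots to the part of the home field before "/./".
    case $home in
        */./*) jail=${home%%/./*} ;;
        *) jail=$home; fail "home '$home' has no /./ delimiter" ;;
    esac
    [ -d "$ROOT$jail" ] || fail "chroot directory $jail is missing"

    # Step 2: the shell must be listed in /etc/shells.
    grep -Fqx "$shell" "$ROOT/etc/shells" 2>/dev/null || fail "$shell not in /etc/shells"

    # Steps 3-4: the user's primary group must appear on a guestgroup line.
    group=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$ROOT/etc/group" 2>/dev/null)
    awk -v g="$group" '$1 == "guestgroup" { for (i = 2; i <= NF; i++) if ($i == g) ok = 1 }
        END { exit !ok }' "$ROOT/etc/ftpd/ftpaccess" 2>/dev/null ||
        fail "group '$group' is not a guestgroup in ftpaccess"

    # Step 5: ftpd reads ftpaccess only when started with -a.
    awk '$1 == "ftp" { for (i = 7; i <= NF; i++) if ($i == "-a") ok = 1 }
        END { exit !ok }' "$ROOT/etc/inetd.conf" 2>/dev/null ||
        fail "ftpd is not started with -a in inetd.conf"

    # Step 6: the jail needs its own etc and usr/bin/ls.
    [ -d "$ROOT$jail/etc" ] || fail "$jail/etc is missing"
    [ -x "$ROOT$jail/usr/bin/ls" ] || fail "$jail/usr/bin/ls is missing"

    # Step 7: ftpd logs stat errors when this file is absent.
    [ -f "$ROOT/etc/ftpd/ftpgroups" ] || fail "/etc/ftpd/ftpgroups is missing"

    [ "$fails" -eq 0 ] && echo "OK: $user is a chrooted guest"
    return "$fails"
}

if [ $# -ge 1 ]; then audit_ftp_guest "$@"; fi
```

Run it as root with the account name as the only argument; the return status is the number of failed checks.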

Balaji N
Honored Contributor

Re: How create user with only FTP access

hi

this is what we do for ftp only users.

1. create a new user with /usr/bin/passwd as the shell.

2. add /usr/bin/passwd to /etc/shells. ftpd checks this.

3. when the user wants to change his password, he telnets to the system. the system prompts for old password and once he sets the new password the shell exits.

hth
-balaji
Its Always Important To Know, What People Think Of You. Then, Of Course, You Surprise Them By Giving More.
Zeev Schultz
Honored Contributor

Re: How create user with only FTP access

man ftpusers, ftpaccess
Also a nice feature is to create /bin/noshells,
put inside a line like:
echo "Sorry,not a login shell!\n"
exit 0
And use it in /etc/passwd.
Again, this user would be able to use rexec,
which I'd rather disable at all in /etc/inetd.conf.
So computers don't think yet. At least not chess computers. - Seymour Cray
Steven E. Protter
Exalted Contributor

Re: How create user with only FTP access

I think the two suggestions above are great. I'd like to add two cents of refinement.

By setting the shell at creation time to the ftp shells or the rsh shell, it is possible to set up a user that can only do ftp and telnet, the two least secure protocols I can think of (passwords across the public Internet in clear text....eeeekers).

Setting up a system whereby passwords are maintained with a system that transmits these passwords across the internet in clear text is insecure.

The PuTTY program is free and nicely handles ssh (Secure Shell) connections in a Windows environment. If you are just starting off, you should consider installing Secure Shell 3.50 in your HP-UX box and at least require the password change process to occur in an encrypted environment.

Secure shell
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA

Better still would be learning the basics of setting up a secure password maintenance environment that is integrated with the Apache web server.

User password maintenance can then be done with ssl in an encrypted way.

This search contains interesting information with regards to the web server portion of the question.

http://us-support.external.hp.com/emse/bin/doc.pl/sid=729c1abe0c2f430ce8?todo=search&searchtext=ssl++htaccess+apache&x=20&y=2&searchtype=SEARCH_TECH_DOCS&searchtype=SEARCH_MANUAL&searchtype=SEARCH_FORUMS&searchcategory=ALL&rn=25&presort=rank

As does this paper book:
Practical Unix & Internet Security
Garfinkel & Spafford

It's handed out as part of HP's Practical Network Security Course, which I highly recommend.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Caesar_3
Esteemed Contributor

Re: How create user with only FTP access

Hello!

Use the chroot that will execute the ftp in the end.
Make the user home dir with the ftp and the files that are needed, like /etc/services that will have only the port for ftp.
When the user logs in he will automatically enter ftp.

Caesar
Fragon
Trusted Contributor

Re: How create user with only FTP access

Hi,
Create a new user usr01.
Modify the user's default shell to /usr/bin/false in /etc/passwd, last field.
Make a file "/etc/shells" , keep these entries:
/usr/bin/false
/sbin/sh
/usr/bin/sh
/usr/bin/csh
/usr/bin/ksh

Then the user can't use telnet but can su.

-ux