Shared by: ashrafp
Posted: 7/26/2011

Anonymous FTP with a secure user account setup
You can set up anonymous FTP with a secure user account.
Things to Consider
The information in this how-to was tested using AIX® 5.3. If you are using a
different version or level of AIX, the results you obtain might vary significantly.
This scenario sets up an anonymous FTP with a secure user account, using the
command line interface and a script.
Note: This scenario cannot be used on a system with the Controlled Access
Protection Profile (CAPP) with Evaluation Assurance Level 4+ (EAL4+) feature.
1. Verify that the bos.net.tcp.client fileset is installed on your system, by typing
   the following command:
   lslpp -L | grep bos.net.tcp.client
   If you receive no output, the fileset is not installed. For instructions on how to
   install it, see Installation and migration.
2. Verify that you have at least 8 MB of free space available in the system's
   /home directory, by typing the following command:
   df -k /home
   The script in step 4 requires at least 8 MB free space in the /home directory to
   install the required files and directories. If you need to increase the amount of
   available space, see Operating system and device management.
3. With root authority, change to the /usr/samples/tcpip directory. For example:
   cd /usr/samples/tcpip
4. To set up the account, run the following script:
   ./anon.ftp
5. When prompted with Are you sure you want to modify /home/ftp?, type
   yes. Output similar to the following displays:
   Added user anonymous.
   Made /home/ftp/bin directory.
   Made /home/ftp/etc directory.
   Made /home/ftp/pub directory.
   Made /home/ftp/lib directory.
   Made /home/ftp/dev/null entry.
   Made /home/ftp/usr/lpp/msg/en_US directory.
6. Change to the /home/ftp directory. For example:
   cd /home/ftp
7. Create a home subdirectory, by typing:
   mkdir home
8. Change the permissions of the /home/ftp/home directory to drwxr-xr-x, by
   typing:
   chmod 755 home
9. Change to the /home/ftp/etc directory, by typing:
   cd /home/ftp/etc
10. Create the objrepos subdirectory, by typing:
   mkdir objrepos
11. Change the permissions of the /home/ftp/etc/objrepos directory to
   drwxrwxr-x, by typing:
   chmod 775 objrepos
12. Change the owner and group of the /home/ftp/etc/objrepos directory to the
   root user and the system group, by typing:
   chown root:system objrepos
13. Create a security subdirectory, by typing:
   mkdir security
14. Change the permissions of the /home/ftp/etc/security directory to
   drwxr-x---, by typing:
   chmod 750 security
15. Change the owner and group of the /home/ftp/etc/security directory to the
   root user and the security group, by typing:
   chown root:security security
16. Change to the /home/ftp/etc/security directory, by typing:
   cd security
17. Add a user by typing the following SMIT fast path:
   smit mkuser
   In this scenario, we are adding a user named test.
18. In the SMIT fields, enter the following values:
   User NAME                       [test]
   ADMINISTRATIVE USER?            true
   Primary GROUP                   [staff]
   Group SET                       [staff]
   Another user can SU TO USER?    true
   HOME directory                  [/home/test]
   After you enter your changes, press Enter to create the user. After the SMIT
   process completes, exit SMIT.
19. Create a password for this user with the following command:
   passwd test
   When prompted, enter the desired password. You must enter the new password
   a second time for confirmation.
20. Change to the /home/ftp/etc directory, by typing:
   cd /home/ftp/etc
21. Copy the /etc/passwd file to the /home/ftp/etc/passwd file, using the
   following command:
   cp /etc/passwd /home/ftp/etc/passwd
22. Using your favorite editor, edit the /home/ftp/etc/passwd file. For example:
   vi passwd
23. Remove all lines from the copied content except those for the root, ftp, and
   test users. After your edit, the content should look similar to the following:
   root:!:0:0::/:/bin/ksh
   ftp:*:226:1::/home/ftp:/usr/bin/ksh
   test:!:228:1::/home/test:/usr/bin/ksh
24. Save your changes and exit the editor.
25. Change the permissions of the /home/ftp/etc/passwd file to -rw-r--r--, by
   typing:
   chmod 644 passwd
26. Change the owner and group of the /home/ftp/etc/passwd file to the root user
   and the security group, by typing:
   chown root:security passwd
27. Copy the contents of the /etc/security/passwd file to the
   /home/ftp/etc/security/passwd file, using the following command:
   cp /etc/security/passwd /home/ftp/etc/security/passwd
28. Using your favorite editor, edit the /home/ftp/etc/security/passwd file. For
   example:
   vi ./security/passwd
29. Remove all stanzas from the copied content except the stanza for the test
   user.
30. Remove the flags = ADMCHG line from the test user stanza. After your edits,
   the content should look similar to the following:
   test:
           password = 2HaAYgpDZX3Tw
           lastupdate = 990633278
31. Save your changes and exit the editor.
32. Change the permissions of the /home/ftp/etc/security/passwd file to
   -rw-------, by typing:
   chmod 600 ./security/passwd
33. Change the owner and group of the /home/ftp/etc/security/passwd file to the
   root user and the security group, by typing:
   chown root:security ./security/passwd
34. Using your favorite editor, edit the /home/ftp/etc/group file. For example:
   vi group
35. Add the following lines to the file:
   system:*:0:
   staff:*:1:test
36. Save your changes and exit the editor.
37. Change the permissions of the /home/ftp/etc/group file to -rw-r--r--, by
   typing:
   chmod 644 group
38. Change the owner and group of the /home/ftp/etc/group file to the root user
   and the security group, by typing:
   chown root:security group
39. Using your favorite editor, edit the /home/ftp/etc/security/group file. For
   example:
   vi ./security/group
40. Add the following lines to the file:
   system:
           admin = true
   staff:
           admin = false
41. Save your changes and exit the editor. Then perform the following steps:
   a. Copy the /etc/security/user file to the /home/ftp/etc/security
      directory, by typing:
      cp /etc/security/user /home/ftp/etc/security
      cd /home/ftp/etc/
   b. Remove all stanzas from the copied content, except the stanza for the
      test user, using the editor by typing:
      vi ./security/user
   c. Save and exit the editor.
42. Change the permissions of the /home/ftp/etc/security/group file to
   -rw-r-----, by typing:
   chmod 640 ./security/group
43. Change the owner and group of the /home/ftp/etc/security/group file to the
   root user and the security group, by typing:
   chown root:security ./security/group
44. Use the following commands to copy the appropriate content into the
   /home/ftp/etc/objrepos directory:
   cp /etc/objrepos/CuAt ./objrepos
   cp /etc/objrepos/CuAt.vc ./objrepos
   cp /etc/objrepos/CuDep ./objrepos
   cp /etc/objrepos/CuDv ./objrepos
   cp /etc/objrepos/CuDvDr ./objrepos
   cp /etc/objrepos/CuVPD ./objrepos
   cp /etc/objrepos/Pd* ./objrepos
45. Change to the /home/ftp/home directory, by typing:
   cd ../home
46. Make a new home directory for your user, by typing:
   mkdir test
   This will be the home directory for the new ftp user.
47. Change the owner and group of the /home/ftp/home/test directory to the
   test user and the staff group, by typing:
   chown test:staff test
48. Change the permissions of the /home/ftp/home/test directory to drwx------, by
   typing:
   chmod 700 test
49. Disable the remote login and the console login for the test user, by typing:
   chuser login=false rlogin=false test
At this point, you have ftp sublogin set up on your machine. You can test this with
the following procedure:
1. Using ftp, connect to the host on which you created the test user. For
   example:
   ftp MyHost
2. Log in as anonymous. When prompted for a password, press Enter.
3. Switch to the newly created test user, by using the following command:
   user test
   When prompted for a password, use the password you created in step 19.
4. Use the pwd command to verify the user's home directory exists. For
   example:
   ftp> pwd
   /home/test
   The output shows /home/test as an ftp subdirectory. The full path name on the
   host is actually /home/ftp/home/test.
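As a complement to the ftp login test, the following added script (not part of the original how-to) audits the finished tree against the permission strings the procedure quotes, and checks that the copied passwd files were pruned as described. The function name audit_ftp_chroot is hypothetical; ownership (root:system, root:security, test:staff) is not checked here and still needs a look with ls -l.

```shell
#!/bin/sh
# Added example: audit the tree built by the procedure (not IBM's own code).
# Expected values are the ls -l permission strings quoted in the steps.
EXPECTED_MODES='home drwxr-xr-x
home/test drwx------
etc/objrepos drwxrwxr-x
etc/security drwxr-x---
etc/passwd -rw-r--r--
etc/group -rw-r--r--
etc/security/passwd -rw-------
etc/security/group -rw-r-----'

# audit_ftp_chroot ROOT: prints one line per finding, returns the finding count.
audit_ftp_chroot() {
    root=$1
    findings=0
    while read -r rel want; do
        # The first 10 characters of ls -ld are the type and permission bits.
        got=$(ls -ld "$root/$rel" 2>/dev/null | cut -c1-10)
        if [ "$got" != "$want" ]; then
            echo "MODE   $rel: expected $want, found ${got:-missing}"
            findings=$((findings + 1))
        fi
    done <<EOF
$EXPECTED_MODES
EOF
    # The chroot copy of passwd may list only root, ftp and the sub user (test).
    extra=$(awk -F: 'NF && $1 != "root" && $1 != "ftp" && $1 != "test" { print $1 }' \
        "$root/etc/passwd" 2>/dev/null)
    for name in $extra; do
        echo "USER   etc/passwd: unexpected account $name"
        findings=$((findings + 1))
    done
    # security/passwd: flag stanzas other than test: and a leftover ADMCHG flag.
    bad=$(awk 'NF == 1 && $1 ~ /:$/ && $1 != "test:" { print "stanza=" $1 }
               /ADMCHG/ { print "flag=ADMCHG" }' \
        "$root/etc/security/passwd" 2>/dev/null)
    for item in $bad; do
        echo "SHADOW etc/security/passwd: unexpected $item"
        findings=$((findings + 1))
    done
    return "$findings"
}

# Audit a real tree when a path is given, for example: sh audit.sh /home/ftp
if [ $# -gt 0 ]; then audit_ftp_chroot "$1"; fi
```

A return value of 0 means every mode and both pruned files match the procedure; any other value is the number of findings printed.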
Notes:
- You can switch users only with ftp sub users. For example, test is an ftp sub
  user.
- When you create ftp anonymous users, with the script anon.users.ftp, you
  can assign the user any name by replacing username in the script.
- For anonymous users, because the server performs the chroot command in
  the home directory of the user account, any configuration-related file, such as
  ftpaccess.ctl, should be in the home directory, such as ~/etc/, of the
  respective anonymous user. The writeonly, readonly, and readwrite restrictions
  in the /etc/ftpaccess.ctl file must have a path relative to the chrooted path.
For more information:
"TCP/IP Security" in Security
"ftp Command" in AIX 5L™ Version 5.3 Commands Reference