
Security Guide

Set Up Anonymous FTP with a Secure User Account

This scenario sets up anonymous FTP with a secure user account (an ftp sublogin), using the command line interface and a script. Anonymous sessions are confined to the /home/ftp directory tree, so the account and group files that the ftp daemon needs to resolve the sublogin user must exist as trimmed copies under /home/ftp/etc; most of the steps below create those copies and set their ownership and permissions.

Note
This scenario cannot be used on a system with the Controlled Access Protection Profile (CAPP) with Evaluation Assurance Level 4+ (EAL4+) feature.
  1. Verify that the bos.net.tcp.client fileset is installed on your system, by typing the following command:
    lslpp -L | grep bos.net.tcp.client
    If you receive no output, the fileset is not installed. For instructions on how to install it, see the AIX 5L Version 5.2 Installation Guide and Reference.
  2. Verify that you have at least 8 MB of free space available in the system's /home directory, by typing the following command:
    df -k /home
    The script in step 4 requires at least 8 MB free space in the /home directory to install the required files and directories. If you need to increase the amount of available space, see the AIX 5L Version 5.2 System Management Guide: Operating System and Devices.
  3. With root authority, change to the /usr/samples/tcpip directory. For example:
    cd /usr/samples/tcpip
  4. To set up the account, run the following script:
    ./anon.ftp
  5. When prompted with Are you sure you want to modify /home/ftp?, type yes. Output similar to the following displays:
    Added user anonymous.                          
    Made /home/ftp/bin directory.                  
    Made /home/ftp/etc directory.                  
    Made /home/ftp/pub directory.                  
    Made /home/ftp/lib directory.                  
    Made /home/ftp/dev/null entry.                 
    Made /home/ftp/usr/lpp/msg/en_US directory.    
  6. Change to the /home/ftp directory. For example:
    cd /home/ftp
  7. Create a home subdirectory, by typing:
    mkdir home
  8. Change the permissions of the /home/ftp/home directory to drwxr-xr-x, by typing:
    chmod 755 home
  9. Change to the /home/ftp/etc directory, by typing:
    cd /home/ftp/etc
  10. Create the objrepos subdirectory, by typing:
    mkdir objrepos
  11. Change the permissions of the /home/ftp/etc/objrepos directory to drwxrwxr-x, by typing:
    chmod 775 objrepos
  12. Change the owner and group of the /home/ftp/etc/objrepos directory to the root user and the system group, by typing:
    chown root:system objrepos
  13. Create a security subdirectory, by typing:
    mkdir security
  14. Change the permissions of the /home/ftp/etc/security directory to drwxr-x---, by typing:
    chmod 750 security
  15. Change the owner and group of the /home/ftp/etc/security directory to the root user and the security group, by typing:
    chown root:security security
  16. Change to the /home/ftp/etc/security directory, by typing:
    cd security
  17. Add a user by typing the following SMIT fast path:
    smit mkuser
    In this scenario, we are adding a user named test.
  18. In the SMIT fields, enter the following values:
    User NAME                                          [test]       
    ADMINISTRATIVE USER?                                true       
    Primary GROUP                                      [staff]           
    Group SET                                          [staff]           
    Another user can SU TO USER?                        true        
    HOME directory                                     [/home/test]           
    After you enter your changes, press Enter to create the user. After the SMIT process completes, exit SMIT.
  19. Create a password for this user with the following command:
    passwd test
    When prompted, enter the desired password. You must enter the new password a second time for confirmation.
  20. Change to the /home/ftp/etc directory, by typing:
    cd /home/ftp/etc
  21. Copy the /etc/passwd file to the /home/ftp/etc/passwd file, using the following command:
    cp /etc/passwd /home/ftp/etc/passwd
  22. Using your favorite editor, edit the /home/ftp/etc/passwd file. For example:
    vi passwd
  23. Remove all lines from the copied content except those for the root, ftp, and test users. Keep the UID, GID, and home directory values from your own /etc/passwd; the numbers below are only an example. After your edit, the content should look similar to the following:
    root:!:0:0::/:/bin/ksh    
    ftp:*:226:1::/home/ftp:/usr/bin/ksh 
    test:!:228:1::/home/test:/usr/bin/ksh 
  24. Save your changes and exit the editor.
  25. Change the permissions of the /home/ftp/etc/passwd file to -rw-r--r--, by typing:
    chmod 644 passwd
  26. Change the owner and group of the /home/ftp/etc/passwd file to the root user and the security group, by typing:
    chown root:security passwd
  27. Copy the contents of the /etc/security/passwd file to the /home/ftp/etc/security/passwd file, using the following command:
    cp /etc/security/passwd /home/ftp/etc/security/passwd
  28. Using your favorite editor, edit the /home/ftp/etc/security/passwd file. For example:
    vi ./security/passwd
  29. Remove all stanzas from the copied content except the stanza for the test user. This leaves only the test user's password hash in the copy that lives under /home/ftp; no other account's hash should be exposed there.
  30. Remove the flags = ADMCHG line from the test user stanza. ADMCHG marks a password that was set by an administrator and must be changed at the next login, which cannot be done through an ftp session. After your edits, the content should look similar to the following:
    test:                        
            password = 2HaAYgpDZX3Tw
            lastupdate = 990633278  
  31. Save your changes and exit the editor.
  32. Change the permissions of the /home/ftp/etc/security/passwd file to -rw-------, by typing:
    chmod 600 ./security/passwd
  33. Change the owner and group of the /home/ftp/etc/security/passwd file to the root user and the security group, by typing:
    chown root:security ./security/passwd
  34. Using your favorite editor, create the /home/ftp/etc/group file, the chroot copy of /etc/group. The entries below are in /etc/group format (name:password:gid:members), so they belong in etc/group, not in etc/security/group. You are still in /home/ftp/etc, so for example:
    vi group
  35. Add the following lines to the file:
    system:*:0: 
    staff:*:1:test 
  36. Save your changes and exit the editor.
  37. Use the following commands to copy the appropriate content into the /home/ftp/etc/objrepos directory:
    cp /etc/objrepos/CuAt ./objrepos
    cp /etc/objrepos/CuAt.vc ./objrepos
    cp /etc/objrepos/CuDep ./objrepos
    cp /etc/objrepos/CuDv ./objrepos
    cp /etc/objrepos/CuDvDr ./objrepos
    cp /etc/objrepos/CuVPD ./objrepos
    cp /etc/objrepos/Pd* ./objrepos
  38. Change to the /home/ftp/home directory, by typing:
    cd ../home
  39. Make a new home directory for your user, by typing:
    mkdir test
    This will be the home directory for the new ftp user.
  40. Change the owner and group of the /home/ftp/home/test directory to the test user and the staff group, by typing:
    chown test:staff test
  41. Change the permissions of the /home/ftp/home/test directory to drwx------, by typing:
    chmod 700 test
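The file-editing part of the procedure, steps 20 through 36, is easy to get subtly wrong by hand (a stray stanza left in the copied security/passwd, or a wrong mode). The script below does that part with awk so the result is reproducible and reviewable. It is an added example and is not part of the AIX guide or of the anon.ftp sample script; it assumes only POSIX sh and awk, the function names and the WORK/DEST paths are this example's own, and it runs here on constructed sample files in a scratch directory so it can be tried without root. It does not repeat the mkdir and chown steps for objrepos or the ODM copies of step 37. To apply it for real, run it as root with DEST set to /home/ftp/etc and the source files set to /etc/passwd and /etc/security/passwd.

```shell
#!/bin/sh
# Added example, not part of the AIX Security Guide or its anon.ftp sample
# script: the file-editing part of the procedure (steps 20 through 36) done
# with awk instead of an interactive editor, so the result is reproducible.
# Assumes only POSIX sh and awk. The function names and the WORK/DEST paths
# are this example's own; the objrepos steps and the ODM copies of step 37
# are not repeated here.

# keep_passwd_users FILE USER... : print only the named users' lines from an
# /etc/passwd-format file (step 23 keeps root, ftp and the sublogin user).
keep_passwd_users() {
    file=$1; shift
    awk -F: -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        ($1 in keep) { print }
    ' "$file"
}

# keep_stanza FILE USER : print only USER's stanza from an AIX stanza-format
# file such as /etc/security/passwd, without its "flags = ADMCHG" line
# (steps 29 and 30). A stanza starts at an unindented "name:" line and ends
# at the next blank line.
keep_stanza() {
    awk -v user="$2" '
        NF == 1 && $1 ~ /:$/ && substr($0, 1, 1) != " " && substr($0, 1, 1) != "\t" {
            in_stanza = ($1 == user ":")
        }
        NF == 0 { in_stanza = 0; next }
        in_stanza && $1 == "flags" && $3 == "ADMCHG" { next }
        in_stanza { print }
    ' "$1"
}

# chroot_group USER : the /etc/group-format lines that step 35 adds.
chroot_group() {
    printf 'system:*:0:\nstaff:*:1:%s\n' "$1"
}

# install_file MODE OWNER:GROUP PATH : write stdin to PATH with the mode and
# owner the guide prescribes. chown needs root (and a "security" group);
# when that is not possible, warn rather than fail so a dry run completes.
install_file() {
    target=$3
    cat > "$target"
    chmod "$1" "$target"
    chown "$2" "$target" 2>/dev/null ||
        echo "warning: chown $2 $target skipped (run as root to apply)" >&2
}

# build_chroot_etc DEST SRC_PASSWD SRC_SECPASSWD USER : assemble DEST/passwd,
# DEST/security/passwd and DEST/group for the ftp sublogin user USER.
build_chroot_etc() {
    dest=$1; src_passwd=$2; src_secpasswd=$3; user=$4
    mkdir -p "$dest/security"
    chmod 750 "$dest/security"                                  # step 14
    keep_passwd_users "$src_passwd" root ftp "$user" |
        install_file 644 root:security "$dest/passwd"           # steps 25-26
    keep_stanza "$src_secpasswd" "$user" |
        install_file 600 root:security "$dest/security/passwd"  # steps 32-33
    chroot_group "$user" |
        install_file 644 root:security "$dest/group"            # step 35
}

# mode_of PATH : the ls-style permission string, e.g. -rw-------.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# --- Dry run on constructed sample files (not a real system's /etc) --------
WORK=${TMPDIR:-/tmp}/ftpchroot.$$
mkdir -p "$WORK/src"
cat > "$WORK/src/passwd" <<'EOF'
root:!:0:0::/:/bin/ksh
daemon:!:1:1::/etc:
ftp:*:226:1::/home/ftp:/usr/bin/ksh
test:!:228:1::/home/test:/usr/bin/ksh
guest:!:100:100::/home/guest:/usr/bin/ksh
EOF
cat > "$WORK/src/security_passwd" <<'EOF'
root:
        password = !
        lastupdate = 990600000

test:
        password = 2HaAYgpDZX3Tw
        lastupdate = 990633278
        flags = ADMCHG

guest:
        password = *
EOF
build_chroot_etc "$WORK/etc" "$WORK/src/passwd" "$WORK/src/security_passwd" test
echo "chroot account files written under $WORK/etc:"
ls -l "$WORK/etc" "$WORK/etc/security"
```

The dry run leaves three files under the scratch directory: passwd with only the root, ftp and test lines (mode 644), security/passwd with only the test stanza and no ADMCHG flag (mode 600), and group with the two lines from step 35. Inspect them before pointing the script at /home/ftp/etc; the security/passwd copy carries a real password hash, so its 600 mode and root ownership are the part to verify first.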

At this point, you have ftp sublogin set up on your machine. You can test this with the following procedure:

  1. Using ftp, connect to the host on which you created the test user. For example:
    ftp MyHost
  2. Log in as anonymous. When prompted for a password, press Enter.
  3. Switch to the newly created test user, by using the following command:
    user test
    When prompted for a password, use the password you created in step 19.
  4. Use the pwd command to verify that the user's home directory exists. For example:
    ftp> pwd
         /home/test
    The output shows /home/test because the session is confined to the /home/ftp tree and paths are reported relative to it. The full path name on the host is actually /home/ftp/home/test.
