- Protect the input field separator (IFS) environment variable from being changed in the /etc/profile file. The IFS environment variable in the .profile file can be used to alter the PATH value.
Set Up Anonymous FTP with a Secure User Account
This scenario sets up an anonymous ftp with a secure user account, using the command line interface and a script.
Note: This scenario cannot be used on a system with the Controlled Access Protection Profile (CAPP) with Evaluation Assurance Level 4+ (EAL4+) feature.
1. Verify that the bos.net.tcp.client fileset is installed on your system, by typing the following command: lslpp -L | grep bos.net.tcp.client
If you receive no output, the fileset is not installed. For instructions on how to install it, see the AIX 5L Version 5.2 Installation Guide and Reference.
2. Verify that you have at least 8 MB of free space available in the system’s /home directory, by typing the following command: df -k /home
files and directories. If you need to increase the amount of available space, see the AIX 5L Version 5.2 System Management Guide: Operating System and Devices.
3. With root authority, change to the /usr/samples/tcpip directory. For example: cd /usr/samples/tcpip
4. To set up the account, run the following script:
./anon.ftp
5. When prompted with Are you sure you want to modify /home/ftp?, type yes. Output similar to the following displays:
Added user anonymous.
Made /home/ftp/bin directory.
Made /home/ftp/etc directory.
Made /home/ftp/pub directory.
Made /home/ftp/lib directory.
Made /home/ftp/dev/null entry.
Made /home/ftp/usr/lpp/msg/en_US directory.
6. Change to the /home/ftp directory. For example: cd /home/ftp
7. Create a home subdirectory, by typing: mkdir home
8. Change the permissions of the /home/ftp/home directory to drwxr-xr-x, by typing: chmod 755 home
9. Change to the /home/ftp/etc directory, by typing: cd /home/ftp/etc
10. Create the objrepos subdirectory, by typing: mkdir objrepos
11. Change the permissions of the /home/ftp/etc/objrepos directory to drwxrwxr-x, by typing: chmod 775 objrepos
12. Change the owner and group of the /home/ftp/etc/objrepos directory to the root user and the system group, by typing: chown root:system objrepos
Chapter 2. Users, Roles, and Passwords
13. Create a security subdirectory, by typing: mkdir security
14. Change the permissions of the /home/ftp/etc/security directory to drwxr-x---, by typing: chmod 750 security
15. Change the owner and group of the /home/ftp/etc/security directory to the root user and the security group, by typing: chown root:security security
16. Change to the /home/ftp/etc/security directory, by typing: cd security
17. Add a user by typing the following SMIT fast path: smit mkuser
In this scenario, we are adding a user named test.
18. In the SMIT fields, enter the following values:
User NAME                      [test]
ADMINISTRATIVE USER?           true
Primary GROUP                  [staff]
Group SET                      [staff]
Another user can SU TO USER?   true
HOME directory                 [/home/test]
After you enter your changes, press Enter to create the user. After the SMIT process completes, exit SMIT.
19. Create a password for this user with the following command: passwd test
When prompted, enter the desired password. You must enter the new password a second time for confirmation.
20. Change to the /home/ftp/etc directory, by typing: cd /home/ftp/etc
21. Copy the /etc/passwd file to the /home/ftp/etc/passwd file, using the following command: cp /etc/passwd /home/ftp/etc/passwd
22. Using your favorite editor, edit the /home/ftp/etc/passwd file. For example: vi passwd
23. Remove all lines from the copied content except those for the root, ftp, and test users. After your edit, the content should look similar to the following:
root:!:0:0::/:/bin/ksh
ftp:*:226:1::/home/ftp:/usr/bin/ksh
test:!:228:1::/home/test:/usr/bin/ksh
24. Save your changes and exit the editor.
25. Change the permissions of the /home/ftp/etc/passwd file to -rw-r--r--, by typing: chmod 644 passwd
26. Change the owner and group of the /home/ftp/etc/passwd file to the root user and the security group, by typing: chown root:security passwd
27. Copy the contents of the /etc/security/passwd file to the /home/ftp/etc/security/passwd file, using the following command: cp /etc/security/passwd /home/ftp/etc/security/passwd
28. Using your favorite editor, edit the /home/ftp/etc/security/passwd file. For example: vi ./security/passwd
29. Remove all stanzas from the copied content except the stanza for the test user.
AIX 5L Version 5.2: Security Guide
30. Remove the flags = ADMCHG line from the test user stanza. After your edits, the content should look similar to the following:
test:
        password = 2HaAYgpDZX3Tw
        lastupdate = 990633278
31. Save your changes and exit the editor.
32. Change the permissions of the /home/ftp/etc/security/passwd file to -rw-------, by typing: chmod 600 ./security/passwd
33. Change the owner and group of the /home/ftp/etc/security/passwd file to the root user and the security group, by typing: chown root:security ./security/passwd
34. Using your favorite editor, edit the /home/ftp/etc/security/group file. For example: vi ./security/group
35. Add the following lines to the file:
system:*:0:
staff:*:1:test
36. Save your changes and exit the editor.
37. Use the following commands to copy the appropriate content into the /home/ftp/etc/objrepos directory:
cp /etc/objrepos/CuAt ./objrepos
cp /etc/objrepos/CuAt.vc ./objrepos
cp /etc/objrepos/CuDep ./objrepos
cp /etc/objrepos/CuDv ./objrepos
cp /etc/objrepos/CuDvDr ./objrepos
cp /etc/objrepos/CuVPD ./objrepos
cp /etc/objrepos/Pd* ./objrepos
38. Change to the /home/ftp/home directory, by typing: cd ../home
39. Make a new home directory for your user, by typing: mkdir test
This will be the home directory for the new ftp user.
40. Change the owner and group of the /home/ftp/home/test directory to the test user and the staff group, by typing: chown test:staff test
41. Change the permissions of the /home/ftp/home/test directory to drwx------, by typing: chmod 700 test
At this point, you have ftp sublogin set up on your machine. You can test this with the following procedure:
1. Using ftp, connect to the host on which you created the test user. For example: ftp MyHost
2. Log in as anonymous. When prompted for a password, press Enter.
3. Switch to the newly created test user, by using the following command: user test
When prompted for a password, use the password you created in step 19 on page 32.
4. Use the pwd command to verify the user’s home directory exists. For example:
ftp> pwd
/home/test
The output shows /home/test as an ftp subdirectory. The full path name on the host is actually /home/ftp/home/test.
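The login test above proves the sub-login works, but not that the chrooted tree still has the permissions and contents the 41 steps prescribe. The following audit function is an added example, not part of the AIX guide: it re-checks the modes from steps 8, 11, 14, 25, 32 and 41, the root:security ownership of the two copied password files (steps 26 and 33), that only root, ftp and the sub-login user survive in the copied passwd (step 23), that no stray stanza remains (step 29) and that the ADMCHG flag was removed (step 30). The function and helper names are assumptions of this example; it uses only ls, awk and grep so it runs on AIX or any POSIX system.

```shell
#!/bin/sh
# Added example (not from the AIX guide): audit the chrooted ftp tree that the
# procedure above builds. Only ls, awk and grep are used, so it runs on AIX or
# any POSIX system. Function and helper names are assumptions of this example.
#   check_ftp_jail JAIL SUBLOGIN_USER [OWNER] [GROUP]
# prints one line per finding and returns 0 only when every check passes.

# First 10 characters of the ls -ld mode field, e.g. -rw-r--r-- (ignores an ACL
# or security-label marker that some ls versions append).
mode_of()  { ls -ld "$1" | awk '{print substr($1, 1, 10)}'; }
owner_of() { ls -ld "$1" | awk '{print $3 ":" $4}'; }

expect_mode() {   # expect_mode PATH MODE
    [ -e "$1" ] || { echo "missing: $1"; return 1; }
    m=$(mode_of "$1")
    [ "$m" = "$2" ] || { echo "bad mode $m on $1 (want $2)"; return 1; }
}
expect_owner() {  # expect_owner PATH OWNER:GROUP
    [ -e "$1" ] || { echo "missing: $1"; return 1; }
    o=$(owner_of "$1")
    [ "$o" = "$2" ] || { echo "bad owner $o on $1 (want $2)"; return 1; }
}

check_ftp_jail() {
    jail=$1; user=$2; owner=${3:-root}; group=${4:-security}; rc=0
    # Modes from steps 8, 11, 14, 25, 32 and 41; owner from steps 26 and 33.
    expect_mode  "$jail/home"                drwxr-xr-x      || rc=1
    expect_mode  "$jail/etc/objrepos"        drwxrwxr-x      || rc=1
    expect_mode  "$jail/etc/security"        drwxr-x---      || rc=1
    expect_mode  "$jail/etc/passwd"          -rw-r--r--      || rc=1
    expect_mode  "$jail/etc/security/passwd" -rw-------      || rc=1
    expect_mode  "$jail/home/$user"          drwx------      || rc=1
    expect_owner "$jail/etc/passwd"          "$owner:$group" || rc=1
    expect_owner "$jail/etc/security/passwd" "$owner:$group" || rc=1
    # Step 23: only root, ftp and the sub-login user may remain in the copy.
    extra=$(awk -F: -v u="$user" '$1 != "root" && $1 != "ftp" && $1 != u {print $1}' \
                "$jail/etc/passwd" 2>/dev/null)
    [ -z "$extra" ] || { echo "unexpected users in $jail/etc/passwd: $extra"; rc=1; }
    # Step 30: a leftover ADMCHG flag demands a password change the chrooted user cannot do.
    if grep -q 'flags *= *ADMCHG' "$jail/etc/security/passwd" 2>/dev/null; then
        echo "ADMCHG flag still set in $jail/etc/security/passwd"; rc=1
    fi
    # Step 29: every remaining stanza must belong to a user listed in passwd.
    for s in $(awk '/^[A-Za-z_].*:$/ { sub(":", "", $1); print $1 }' \
                   "$jail/etc/security/passwd" 2>/dev/null); do
        grep -q "^$s:" "$jail/etc/passwd" || { echo "stray stanza: $s"; rc=1; }
    done
    return $rc
}
```

Run it as root on the finished host with `check_ftp_jail /home/ftp test`; a non-zero return with findings printed means one of the steps was skipped or later undone.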