Set Up Anonymous FTP with a Secure User Account. Bull AIX 5.2


- Protect the input field separator (IFS) environment variable from being changed in the /etc/profile file.

The IFS environment variable in the .profile file can be used to alter the PATH value.

Set Up Anonymous FTP with a Secure User Account

This scenario sets up an anonymous ftp with a secure user account, using the command line interface and a script.

Note: This scenario cannot be used on a system with the Controlled Access Protection Profile (CAPP) with Evaluation Assurance Level 4+ (EAL4+) feature.

1. Verify that the bos.net.tcp.client fileset is installed on your system, by typing the following command: lslpp -L | grep bos.net.tcp.client

If you receive no output, the fileset is not installed. For instructions on how to install it, see the AIX 5L Version 5.2 Installation Guide and Reference.

2. Verify that you have at least 8 MB of free space available in the system’s /home directory, by typing the following command: df -k /home

The script in step 4 requires at least 8 MB free space in the /home directory to install the required files and directories. If you need to increase the amount of available space, see the AIX 5L Version 5.2 System Management Guide: Operating System and Devices.

3. With root authority, change to the /usr/samples/tcpip directory. For example: cd /usr/samples/tcpip

4. To set up the account, run the following script:

./anon.ftp

5. When prompted with Are you sure you want to modify /home/ftp?, type yes. Output similar to the following displays:

Added user anonymous.

Made /home/ftp/bin directory.

Made /home/ftp/etc directory.

Made /home/ftp/pub directory.

Made /home/ftp/lib directory.

Made /home/ftp/dev/null entry.

Made /home/ftp/usr/lpp/msg/en_US directory.

6. Change to the /home/ftp directory. For example: cd /home/ftp

7. Create a home subdirectory, by typing: mkdir home

8. Change the permissions of the /home/ftp/home directory to drwxr-xr-x, by typing: chmod 755 home

9. Change to the /home/ftp/etc directory, by typing: cd /home/ftp/etc

10. Create the objrepos subdirectory, by typing: mkdir objrepos

11. Change the permissions of the /home/ftp/etc/objrepos directory to drwxrwxr-x, by typing: chmod 775 objrepos

12. Change the owner and group of the /home/ftp/etc/objrepos directory to the root user and the system group, by typing: chown root:system objrepos

13. Create a security subdirectory, by typing: mkdir security

14. Change the permissions of the /home/ftp/etc/security directory to drwxr-x---, by typing: chmod 750 security

15. Change the owner and group of the /home/ftp/etc/security directory to the root user and the security group, by typing: chown root:security security

16. Change to the /home/ftp/etc/security directory, by typing: cd security

17. Add a user by typing the following SMIT fast path: smit mkuser

In this scenario, we are adding a user named test.

18. In the SMIT fields, enter the following values:

    User NAME                        [test]
    ADMINISTRATIVE USER?             true
    Primary GROUP                    [staff]
    Group SET                        [staff]
    Another user can SU TO USER?     true
    HOME directory                   [/home/test]

After you enter your changes, press Enter to create the user. After the SMIT process completes, exit SMIT.

19. Create a password for this user with the following command: passwd test

When prompted, enter the desired password. You must enter the new password a second time for confirmation.

20. Change to the /home/ftp/etc directory, by typing: cd /home/ftp/etc

21. Copy the /etc/passwd file to the /home/ftp/etc/passwd file, using the following command: cp /etc/passwd /home/ftp/etc/passwd

22. Using your favorite editor, edit the /home/ftp/etc/passwd file. For example: vi passwd

23. Remove all lines from the copied content except those for the root, ftp, and test users. After your edit, the content should look similar to the following:

    root:!:0:0::/:/bin/ksh
    ftp:*:226:1::/home/ftp:/usr/bin/ksh
    test:!:228:1::/home/test:/usr/bin/ksh

24. Save your changes and exit the editor.

25. Change the permissions of the /home/ftp/etc/passwd file to -rw-r--r--, by typing: chmod 644 passwd

26. Change the owner and group of the /home/ftp/etc/passwd file to the root user and the security group, by typing: chown root:security passwd

27. Copy the contents of the /etc/security/passwd file to the /home/ftp/etc/security/passwd file, using the following command: cp /etc/security/passwd /home/ftp/etc/security/passwd

28. Using your favorite editor, edit the /home/ftp/etc/security/passwd file. For example: vi ./security/passwd

29. Remove all stanzas from the copied content except the stanza for the test user.

AIX 5L Version 5.2: Security Guide

30. Remove the flags = ADMCHG line from the test user stanza. After your edits, the content should look similar to the following:

    test:
            password = 2HaAYgpDZX3Tw
            lastupdate = 990633278

31. Save your changes and exit the editor.

32. Change the permissions of the /home/ftp/etc/security/passwd file to -rw-------, by typing: chmod 600 ./security/passwd

33. Change the owner and group of the /home/ftp/etc/security/passwd file to the root user and the security group, by typing: chown root:security ./security/passwd

34. Using your favorite editor, edit the /home/ftp/etc/security/group file. For example: vi ./security/group

35. Add the following lines to the file:

    system:*:0:
    staff:*:1:test

36. Save your changes and exit the editor.

37. Use the following commands to copy the appropriate content into the /home/ftp/etc/objrepos directory:

    cp /etc/objrepos/CuAt ./objrepos
    cp /etc/objrepos/CuAt.vc ./objrepos
    cp /etc/objrepos/CuDep ./objrepos
    cp /etc/objrepos/CuDv ./objrepos
    cp /etc/objrepos/CuDvDr ./objrepos
    cp /etc/objrepos/CuVPD ./objrepos
    cp /etc/objrepos/Pd* ./objrepos

38. Change to the /home/ftp/home directory, by typing: cd ../home

39. Make a new home directory for your user, by typing: mkdir test

This will be the home directory for the new ftp user.

40. Change the owner and group of the /home/ftp/home/test directory to the test user and the staff group, by typing: chown test:staff test

41. Change the permissions of the /home/ftp/home/test file to -rwx------, by typing: chmod 700 test

At this point, you have ftp sublogin set up on your machine. You can test this with the following procedure:

1. Using ftp, connect to the host on which you created the test user. For example: ftp MyHost

2. Log in as anonymous. When prompted for a password, press Enter.

3. Switch to the newly created test user, by using the following command: user test

When prompted for a password, use the password you created in step 19.

4. Use the pwd command to verify the user’s home directory exists. For example:

    ftp> pwd
    /home/test

The output shows /home/test as an ftp subdirectory. The full path name on the host is actually /home/ftp/home/test.

Chapter 2. Users, Roles, and Passwords
