Anonymous FTP with a secure user account setup

You can set up anonymous FTP with a secure user account.

This scenario sets up anonymous FTP with a secure user account, using the command line interface and a script.

  1. Verify that the bos.net.tcp.client fileset is installed on your system, by typing the following command:
    lslpp -L | grep bos.net.tcp.client
    If you receive no output, the fileset is not installed. For instructions on how to install it, see Installation and migration.
  2. With root authority, change to the /usr/samples/tcpip directory. For example:
    cd /usr/samples/tcpip
  3. To set up the account, run the following script:
    ./anon.ftp
  4. When prompted with Are you sure you want to modify /home/ftp?, type yes. Output similar to the following displays:
    Added user anonymous.                          
    Made /home/ftp/bin directory.                  
    Made /home/ftp/etc directory.                  
    Made /home/ftp/pub directory.                  
    Made /home/ftp/lib directory.                  
    Made /home/ftp/dev/null entry.                 
    Made /home/ftp/usr/lpp/msg/en_US directory.    
  5. Change to the /home/ftp directory. For example:
    cd /home/ftp
  6. Create a home subdirectory, by typing:
    mkdir home
  7. Change the permissions of the /home/ftp/home directory to drwxr-xr-x, by typing:
    chmod 755 home
  8. Change to the /home/ftp/etc directory, by typing:
    cd /home/ftp/etc
  9. Create the objrepos subdirectory, by typing:
    mkdir objrepos
  10. Change the permissions of the /home/ftp/etc/objrepos directory to drwxrwxr-x, by typing:
    chmod 775 objrepos
  11. Change the owner and group of the /home/ftp/etc/objrepos directory to the root user and the system group, by typing:
    chown root:system objrepos
  12. Create a security subdirectory, by typing:
    mkdir security
  13. Change the permissions of the /home/ftp/etc/security directory to drwxr-x---, by typing:
    chmod 750 security
  14. Change the owner and group of the /home/ftp/etc/security directory to the root user and the security group, by typing:
    chown root:security security
  15. Change to the /home/ftp/etc/security directory, by typing:
    cd security
  16. Add a user by typing the following SMIT fast path:
    smit mkuser
    In this scenario, we are adding a user named test.
  17. In the SMIT fields, enter the following values:
    User NAME                                          [test]       
    ADMINISTRATIVE USER?                                true       
    Primary GROUP                                      [staff]           
    Group SET                                          [staff]           
    Another user can SU TO USER?                        true        
    HOME directory                                     [/home/test]           
    After you enter your changes, press Enter to create the user. After the SMIT process completes, exit SMIT.
  18. Create a password for this user with the following command:
    passwd test
    When prompted, enter the desired password. You must enter the new password a second time for confirmation.
  19. Change to the /home/ftp/etc directory, by typing:
    cd /home/ftp/etc
  20. Copy the /etc/passwd file to the /home/ftp/etc/passwd file, using the following command:
    cp /etc/passwd /home/ftp/etc/passwd
  21. Using your favorite editor, edit the /home/ftp/etc/passwd file. For example:
    vi passwd
  22. Remove all lines from the copied content except those for the root, ftp, and test users. After your edit, the content should look similar to the following:
    root:!:0:0::/:/bin/ksh    
    ftp:*:226:1::/home/ftp:/usr/bin/ksh 
    test:!:228:1::/home/test:/usr/bin/ksh 
  23. Save your changes and exit the editor.
  24. Change the permissions of the /home/ftp/etc/passwd file to -rw-r--r--, by typing:
    chmod 644 passwd
  25. Change the owner and group of the /home/ftp/etc/passwd file to the root user and the security group, by typing:
    chown root:security passwd
  26. Copy the contents of the /etc/security/passwd file to the /home/ftp/etc/security/passwd file, using the following command:
    cp /etc/security/passwd /home/ftp/etc/security/passwd
  27. Using your favorite editor, edit the /home/ftp/etc/security/passwd file. For example:
    vi ./security/passwd
  28. Remove all stanzas from the copied content except the stanza for the test user.
  29. Remove the flags = ADMCHG line from the test user stanza. After your edits, the content should look similar to the following:
    test:                        
            password = 2HaAYgpDZX3Tw
            lastupdate = 990633278  
  30. Save your changes and exit the editor.
  31. Change the permissions of the /home/ftp/etc/security/passwd file to -rw-------, by typing:
    chmod 600 ./security/passwd
  32. Change the owner and group of the /home/ftp/etc/security/passwd file to the root user and the security group, by typing:
    chown root:security ./security/passwd
  33. Using your favorite editor, create and edit the /home/ftp/etc/group file. For example:
    vi group
  34. Add the following lines to the file:
    system:*:0: 
    staff:*:1:test 
  35. Save your changes and exit the editor.
  36. Change the permissions of the /home/ftp/etc/group file to -rw-r--r--, by typing:
    chmod 644 group
  37. Change the owner and group of the /home/ftp/etc/group file to the root user and the security group, by typing:
    chown root:security group
  38. Using your favorite editor, create and edit the /home/ftp/etc/security/group file. For example:
    vi ./security/group
  39. Add the following lines to the file:
    system:
    	admin = true
    staff:
    	admin = false
  40. Save your changes and exit the editor.
    Next, copy the /etc/security/user file into the /home/ftp/etc/security directory and trim it. To do this, perform the following steps:
    1. Copy the /etc/security/user file to the /home/ftp/etc/security directory, by typing:
      cp /etc/security/user /home/ftp/etc/security
      cd /home/ftp/etc/
    2. Remove all stanzas from the copied content, except the stanza for the test user, using the editor by typing:
      vi ./security/user
    3. Save and exit the editor.
  41. Change the permissions of the /home/ftp/etc/security/group file to -rw-r-----, by typing:
    chmod 640 ./security/group
  42. Change the owner and group of the /home/ftp/etc/security/group file to the root user and the security group, by typing:
    chown root:security ./security/group
  43. Use the following commands to copy the appropriate content into the /home/ftp/etc/objrepos directory:
    cp /etc/objrepos/CuAt ./objrepos
    cp /etc/objrepos/CuAt.vc ./objrepos
    cp /etc/objrepos/CuDep ./objrepos
    cp /etc/objrepos/CuDv ./objrepos
    cp /etc/objrepos/CuDvDr ./objrepos
    cp /etc/objrepos/CuVPD ./objrepos
    cp /etc/objrepos/Pd* ./objrepos
  44. Change to the /home/ftp/home directory, by typing:
    cd ../home
  45. Make a new home directory for your user, by typing:
    mkdir test
    This will be the home directory for the new ftp user.
  46. Change the owner and group of the /home/ftp/home/test directory to the test user and the staff group, by typing:
    chown test:staff test
  47. Change the permissions of the /home/ftp/home/test directory to drwx------, by typing:
    chmod 700 test
  48. Disable the remote login and the console login for the test user, by typing:
    chuser login=false rlogin=false test
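As an added example (not part of the original procedure or of the anon.ftp script), the following POSIX shell functions audit the tree built in steps 5 through 47 against the modes, owners and account entries those steps specify. The function names and the CHECK_OWNER variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the chroot tree built by the procedure above.
# Paths are relative to the FTP root; "-" means the procedure states no owner.
# Assumption: CHECK_OWNER=0 skips owner checks (for a copy not created by root).
EXPECTED='home drwxr-xr-x - -
etc/objrepos drwxrwxr-x root system
etc/security drwxr-x--- root security
etc/passwd -rw-r--r-- root security
etc/security/passwd -rw------- root security
etc/group -rw-r--r-- root security
etc/security/group -rw-r----- root security
home/test drwx------ test staff'

# Print one line per deviation from the documented layout.
ftp_tree_findings() {
    root=$1
    while read -r rel mode owner group; do
        [ -e "$root/$rel" ] || { echo "MISSING $rel"; continue; }
        # ls -ld fields: mode, link count, owner, group; keep 10 mode chars
        # so ACL/SELinux suffixes such as "." or "+" are ignored.
        set -- $(ls -ld "$root/$rel" | awk '{print substr($1,1,10), $3, $4}')
        [ "$1" = "$mode" ] || echo "MODE $rel is $1, expected $mode"
        if [ "${CHECK_OWNER:-1}" != 0 ] && [ "$owner" != "-" ]; then
            [ "$2:$3" = "$owner:$group" ] ||
                echo "OWNER $rel is $2:$3, expected $owner:$group"
        fi
    done <<EOF
$EXPECTED
EOF
    # Steps 22 and 28-29: only root, ftp and test may appear in the copied
    # account files, and the test stanza must not carry flags = ADMCHG.
    [ -r "$root/etc/passwd" ] && awk -F: \
        '$1!="root" && $1!="ftp" && $1!="test" {print "EXTRA-ACCOUNT " $1}' \
        "$root/etc/passwd"
    [ -r "$root/etc/security/passwd" ] && awk '
        /^[^ \t].*:[ \t]*$/ { sub(/:[ \t]*$/, ""); if ($0 != "test") print "EXTRA-STANZA " $0 }
        /flags[ \t]*=.*ADMCHG/ { print "ADMCHG flag still set" }' \
        "$root/etc/security/passwd"
    return 0
}

# Exit status 0 when the tree matches, 1 (with findings printed) otherwise.
audit_ftp_tree() {
    out=$(ftp_tree_findings "$1")
    [ -z "$out" ] && return 0
    echo "$out"; return 1
}

if [ $# -gt 0 ]; then audit_ftp_tree "$1"; fi
```

Run it as root with /home/ftp as the argument. An EXTRA-ACCOUNT or EXTRA-STANZA finding means host account data that the procedure tells you to remove is still readable inside the chroot.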
At this point, you have ftp sublogin set up on your machine. You can test this with the following procedure:
  1. Using ftp, connect to the host on which you created the test user. For example:
    ftp MyHost
  2. Log in as anonymous. When prompted for a password, press Enter.
  3. Switch to the newly created test user, by using the following command:
    user test
    When prompted for a password, use the password you created in step 18.
  4. Use the pwd command to verify the user's home directory exists. For example:
    ftp> pwd
         /home/test
    The output shows /home/test as an ftp subdirectory. The full path name on the host is actually /home/ftp/home/test.
Notes:
  • You can switch users only with ftp sub users. For example, test is an ftp sub user.
  • When you create ftp anonymous users, with the script anon.users.ftp, you can assign the user any name by replacing username in the script.
  • For anonymous users, because the server performs the chroot command in the home directory of the user account, any configuration-related file, such as the ftpaccess.ctl file, should be in the home directory, such as ~/etc/, of the respective anonymous user. The writeonly, readonly, and readwrite restrictions in the /etc/ftpaccess.ctl file must have a path relative to the chrooted path.
