Anonymous FTP with a secure user account setup

You can set up anonymous FTP with a secure user account.

This scenario sets up an anonymous FTP with a secure user account, using the command line interface and a script.

  1. Verify that the bos.net.tcp.client fileset is installed on your system, by typing the following command:
    lslpp -L | grep bos.net.tcp.client
    If you receive no output, the fileset is not installed. For instructions on how to install it, see Installation and migration.
  2. With root authority, change to the /usr/samples/tcpip directory. For example:
    cd /usr/samples/tcpip
  3. To set up the account, run the following script:
    ./anon.ftp
  4. When prompted with Are you sure you want to modify /home/ftp?, type yes. Output similar to the following displays:
    Added user anonymous.                          
    Made /home/ftp/bin directory.                  
    Made /home/ftp/etc directory.                  
    Made /home/ftp/pub directory.                  
    Made /home/ftp/lib directory.                  
    Made /home/ftp/dev/null entry.                 
    Made /home/ftp/usr/lpp/msg/en_US directory.    
  5. Change to the /home/ftp directory. For example:
    cd /home/ftp
  6. Create a home subdirectory, by typing:
    mkdir home
  7. Change the permissions of the /home/ftp/home directory to drwxr-xr-x, by typing:
    chmod 755 home
  8. Change to the /home/ftp/etc directory, by typing:
    cd /home/ftp/etc
  9. Create the objrepos subdirectory, by typing:
    mkdir objrepos
  10. Change the permissions of the /home/ftp/etc/objrepos directory to drwxrwxr-x, by typing:
    chmod 775 objrepos
  11. Change the owner and group of the /home/ftp/etc/objrepos directory to the root user and the system group, by typing:
    chown root:system objrepos
  12. Create a security subdirectory, by typing:
    mkdir security
  13. Change the permissions of the /home/ftp/etc/security directory to drwxr-x---, by typing:
    chmod 750 security
  14. Change the owner and group of the /home/ftp/etc/security directory to the root user and the security group, by typing:
    chown root:security security
  15. Change to the /home/ftp/etc/security directory, by typing:
    cd security
  16. Add a user by typing the following SMIT fast path:
    smit mkuser
    In this scenario, we are adding a user named test.
  17. In the SMIT fields, enter the following values:
    User NAME                                          [test]       
    ADMINISTRATIVE USER?                                true       
    Primary GROUP                                      [staff]           
    Group SET                                          [staff]           
    Another user can SU TO USER?                        true        
    HOME directory                                     [/home/test]           
    After you enter your changes, press Enter to create the user. After the SMIT process completes, exit SMIT.
  18. Create a password for this user with the following command:
    passwd test
    When prompted, enter the desired password. You must enter the new password a second time for confirmation.
  19. Change to the /home/ftp/etc directory, by typing:
    cd /home/ftp/etc
  20. Copy the /etc/passwd file to the /home/ftp/etc/passwd file, using the following command:
    cp /etc/passwd /home/ftp/etc/passwd
  21. Using your favorite editor, edit the /home/ftp/etc/passwd file. For example:
    vi passwd
  22. Remove all lines from the copied content except those for the root, ftp, and test users. After your edit, the content should look similar to the following:
    root:!:0:0::/:/bin/ksh    
    ftp:*:226:1::/home/ftp:/usr/bin/ksh 
    test:!:228:1::/home/test:/usr/bin/ksh 
  23. Save your changes and exit the editor.
  24. Change the permissions of the /home/ftp/etc/passwd file to -rw-r--r--, by typing:
    chmod 644 passwd
  25. Change the owner and group of the /home/ftp/etc/passwd file to the root user and the security group, by typing:
    chown root:security passwd
  26. Copy the contents of the /etc/security/passwd file to the /home/ftp/etc/security/passwd file, using the following command:
    cp /etc/security/passwd /home/ftp/etc/security/passwd
  27. Using your favorite editor, edit the /home/ftp/etc/security/passwd file. For example:
    vi ./security/passwd
  28. Remove all stanzas from the copied content except the stanza for the test user.
  29. Remove the flags = ADMCHG line from the test user stanza. After your edits, the content should look similar to the following:
    test:                        
            password = 2HaAYgpDZX3Tw
            lastupdate = 990633278  
  30. Save your changes and exit the editor.
  31. Change the permissions of the /home/ftp/etc/security/passwd file to -rw-------, by typing:
    chmod 600 ./security/passwd
  32. Change the owner and group of the /home/ftp/etc/security/passwd file to the root user and the security group, by typing:
    chown root:security ./security/passwd
  33. Using your favorite editor, create and edit the /home/ftp/etc/group file. For example:
    vi group
  34. Add the following lines to the file:
    system:*:0: 
    staff:*:1:test 
  35. Save your changes and exit the editor.
  36. Change the permissions of the /home/ftp/etc/group file to -rw-r--r--, by typing:
    chmod 644 group
  37. Change the owner and group of the /home/ftp/etc/group file to the root user and the security group, by typing:
    chown root:security group
  38. Using your favorite editor, create and edit the /home/ftp/etc/security/group file. For example:
    vi ./security/group
  39. Add the following lines to the file:
    system:
    	admin = true
    staff:
    	admin = false
  40. Save your changes and exit the editor. Then copy the test user's stanza from /etc/security/user into the /home/ftp/etc/security directory. To do this, perform the following steps:
    1. Copy the /etc/security/user file to the /home/ftp/etc/security directory and return to the /home/ftp/etc directory, by typing:
      cp /etc/security/user /home/ftp/etc/security
      cd /home/ftp/etc/
    2. Using your favorite editor, remove all stanzas from the copied content except the stanza for the test user. For example:
      vi ./security/user
    3. Save your changes and exit the editor.
  41. Change the permissions of the /home/ftp/etc/security/group file to -rw-r-----, by typing:
    chmod 640 ./security/group
  42. Change the owner and group of the /home/ftp/etc/security/group file to the root user and the security group, by typing:
    chown root:security ./security/group
  43. Use the following commands to copy the appropriate content into the /home/ftp/etc/objrepos directory:
    cp /etc/objrepos/CuAt ./objrepos
    cp /etc/objrepos/CuAt.vc ./objrepos
    cp /etc/objrepos/CuDep ./objrepos
    cp /etc/objrepos/CuDv ./objrepos
    cp /etc/objrepos/CuDvDr ./objrepos
    cp /etc/objrepos/CuVPD ./objrepos
    cp /etc/objrepos/Pd* ./objrepos
  44. Change to the /home/ftp/home directory, by typing:
    cd ../home
  45. Make a new home directory for your user, by typing:
    mkdir test
    This will be the home directory for the new ftp user.
  46. Change the owner and group of the /home/ftp/home/test directory to the test user and the staff group, by typing:
    chown test:staff test
  47. Change the permissions of the /home/ftp/home/test directory to drwx------, by typing:
    chmod 700 test
  48. Disable the remote login and the console login for the test user, by typing:
    chuser login=false rlogin=false test
At this point, you have ftp sublogin set up on your machine. You can test this with the following procedure:
  1. Using ftp, connect to the host on which you created the test user. For example:
    ftp MyHost
  2. Log in as anonymous. When prompted for a password, press Enter.
  3. Switch to the newly created test user, by using the following command:
    user test
    When prompted for a password, use the password you created in step 18.
  4. Use the pwd command to verify the user's home directory exists. For example:
    ftp> pwd
         /home/test
    The output shows /home/test as an ftp subdirectory. The full path name on the host is actually /home/ftp/home/test.
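The following audit script is an added example and not part of the original procedure: it checks a finished jail against the permissions and file contents the steps above specify (the jail root /home/ftp and the sub-user name test are assumptions taken from the steps and can be passed as arguments). It flags any extra account in the jailed passwd, any stanza other than the sub-user's in the jailed security/passwd, and a leftover ADMCHG flag, so a jail that drifted from the procedure is caught before anonymous users reach it.

```shell
#!/bin/sh
# Added audit helper for the chrooted anonymous-FTP tree built above; it is not
# part of the original procedure. The jail root (/home/ftp) and sub-user name
# (test) are assumptions taken from the steps and can be overridden as arguments.
# Usage (after sourcing or running this file): check_ftp_jail /home/ftp test

# mode_of PATH: print the symbolic mode string, e.g. drwxr-xr-x (empty if missing)
mode_of() { ls -ld "$1" 2>/dev/null | awk '{ print substr($1, 1, 10) }'; }

# expect_mode PATH MODE: return 0 if PATH has MODE, else report a finding and return 1
expect_mode() {
  actual=$(mode_of "$1")
  [ "$actual" = "$2" ] && return 0
  echo "FINDING: $1 is '${actual:-missing}', expected '$2'"
  return 1
}

# check_ftp_jail [JAIL] [SUBUSER]: return the number of findings (0 = tree matches)
check_ftp_jail() {
  jail=${1:-/home/ftp}; sub=${2:-test}; n=0
  expect_mode "$jail/home"                drwxr-xr-x || n=$((n + 1))
  expect_mode "$jail/etc/objrepos"        drwxrwxr-x || n=$((n + 1))
  expect_mode "$jail/etc/security"        drwxr-x--- || n=$((n + 1))
  expect_mode "$jail/etc/passwd"          -rw-r--r-- || n=$((n + 1))
  expect_mode "$jail/etc/group"           -rw-r--r-- || n=$((n + 1))
  expect_mode "$jail/etc/security/passwd" -rw------- || n=$((n + 1))
  expect_mode "$jail/etc/security/group"  -rw-r----- || n=$((n + 1))
  expect_mode "$jail/home/$sub"           drwx------ || n=$((n + 1))
  # The jailed passwd must list only root, ftp and the sub-user (step 22); any other
  # entry is an account inside the anonymous tree that the procedure never intended.
  extra=$(cut -d: -f1 "$jail/etc/passwd" 2>/dev/null | grep -v -x -e root -e ftp -e "$sub" || true)
  [ -z "$extra" ] || { echo "FINDING: unexpected accounts in $jail/etc/passwd: $extra"; n=$((n + 1)); }
  # The jailed security/passwd must hold only the sub-user's stanza (step 28), with the
  # flags = ADMCHG line removed (step 29). Stanza names start in column 1.
  stanzas=$(awk -F: '/^[^ \t]/ { print $1 }' "$jail/etc/security/passwd" 2>/dev/null | grep -v -x "$sub" || true)
  [ -z "$stanzas" ] || { echo "FINDING: extra stanzas in $jail/etc/security/passwd: $stanzas"; n=$((n + 1)); }
  if grep -q ADMCHG "$jail/etc/security/passwd" 2>/dev/null; then
    echo "FINDING: flags = ADMCHG still present in $jail/etc/security/passwd"; n=$((n + 1))
  fi
  echo "$n finding(s) for $jail"
  return "$n"
}

# Run directly with arguments, e.g. ./ftpjail-check.sh /home/ftp test
[ $# -eq 0 ] || check_ftp_jail "$@"
```

Ownership (root:security, test:staff) is not checked here because it depends on AIX group names; confirm it with ls -l as in steps 11, 14, 25 and 46.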
Notes:
  • You can switch users only with ftp sub users. For example, test is an ftp sub user.
  • When you create ftp anonymous users, with the script anon.users.ftp, you can assign the user any name by replacing username in the script.
  • For anonymous users, because the server performs the chroot command in the home directory of the user account, any configuration-related file, such as ftpaccess.ctl, should be in the home directory (for example, ~/etc/) of the respective anonymous user. The 'writeonly', 'readonly', and 'readwrite' restrictions in the /etc/ftpaccess.ctl file must use paths relative to the chrooted path.