IBM Support

Control FTP using PAM

Question & Answer


Question

Using PAM (Pluggable Authentication Module) to control File Transfer Protocol (FTP) access

Answer

The procedure below illustrates how to control FTP access using the PAM configuration.

01. Login to your AIX system as root.

02. Create users "mash1" and "mash2" and assign passwords:
# mkuser mash1
# mkuser mash2

# passwd mash1
# passwd mash2

03. In another window, log in to your AIX system as "mash1" and change the initial
password as directed; then do the same for the "mash2" user.
- The example below shows the process:
login: mash1
mash1's Password: <Enter initial password>
[compat]: You are required to change your password. Please choose a new one.
mash1's New password: <Enter new password>
Re-enter mash1's new password: <Enter new password>

04. Return to your root session. Use the lssec command to determine the
current setting of the auth_type parameter:
# lssec -f /etc/security/login.cfg -s usw -a auth_type
usw auth_type=STD_AUTH

05. Use the chsec command to enable PAM authentication for all users:
# chsec -f /etc/security/login.cfg -s usw -a auth_type=PAM_AUTH

06. Use the lssec command again to verify the auth_type has been changed from
STD_AUTH to PAM_AUTH:
# lssec -f /etc/security/login.cfg -s usw -a auth_type
usw auth_type=PAM_AUTH

07. Back up the default PAM configuration file /etc/pam.conf to /etc/pam.conf.old:
# cp /etc/pam.conf /etc/pam.conf.old

08. Edit the PAM configuration file /etc/pam.conf with vi, and add the two
lines below under the Authentication section:
ftp auth required /usr/lib/security/pam_permission file=/etc/ftpusers
ftp auth required /usr/lib/security/pam_aix

09. Create the file /etc/ftpusers, which allows or prohibits authentication based on
its content. It should contain a list of user and/or group entries in
the appropriate format (a leading + permits, a leading - denies, as the test in step 10 shows). Now add the contents below to the /etc/ftpusers file:
-mash1
+mash2
+ALL


10. Test ftp sessions using the "mash1" and "mash2" users:
$ ftp aix.test.egypt
Connected to ftp aix.test.egypt
220 ftp aix.test.egypt FTP server (Version 4.2 Mon Mar 14 13:05:32 CDT 2016) ready.
Name (ftp aix.test.egypt): mash1
331 Password required for mash1.
Password:*****
530 Login incorrect. <===
Login failed. <===
Remote system type is UNIX.
Using binary mode to transfer files.

$ ftp aix.test.egypt
Connected to ftp aix.test.egypt.
220 ftp aix.test.egypt FTP server (Version 4.2 Mon Mar 14 13:05:32 CDT 2016) ready.
Name (ftp aix.test.egypt): mash2
331 Password required for mash2.
Password:*****
230-Last login: Thu Dec 15 05:06:05 2016 on /dev/pts/1 from 10.10.10.10
230 User mash2 logged in.
Remote system type is UNIX.
Using binary mode to transfer files.


11. To restore your old PAM configuration and standard AIX
authentication, do the following:
# cp /etc/pam.conf.old /etc/pam.conf
# chsec -f /etc/security/login.cfg -s usw -a auth_type=STD_AUTH
# lssec -f /etc/security/login.cfg -s usw -a auth_type
usw auth_type=STD_AUTH
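The following is an added example, not part of the IBM document: a small shell simulation of the first-match evaluation that pam_permission applies to the file given by file=..., so an /etc/ftpusers list such as the one in step 09 can be sanity-checked before live FTP tests. It also shows that entry order matters: a +ALL placed first makes a later -mash1 unreachable. The sign semantics, the ALL keyword, the first-match rule and deny-by-default are assumptions about the module's behaviour, and group entries (@group) are not simulated.

```shell
#!/bin/sh
# Added example, not from the IBM document: simulates the first-match check
# that pam_permission applies to the file named by file=... (assumptions:
# "+name" allows, "-name" denies, "ALL" matches every user, the first matching
# entry wins, a user matching no entry is denied, and an entry without a sign
# is treated as allow). Group entries (@group) are not simulated.

# ftp_access USER FILE -> prints "allow" or "deny"
ftp_access() {
    user=$1
    file=$2
    result=deny   # default when nothing matches (assumption)
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
        case $line in
            +*) action=allow; name=${line#+} ;;
            -*) action=deny;  name=${line#-} ;;
            *)  action=allow; name=$line ;;
        esac
        if [ "$name" = ALL ] || [ "$name" = "$user" ]; then
            result=$action
            break   # first match wins; later entries are never consulted
        fi
    done < "$file"
    printf '%s\n' "$result"
}

# Constructed sample files: the entries from step 09, and a mis-ordered variant.
FTPUSERS=$(mktemp)
BAD_ORDER=$(mktemp)
trap 'rm -f "$FTPUSERS" "$BAD_ORDER"' EXIT
printf '%s\n' '-mash1' '+mash2' '+ALL' > "$FTPUSERS"
printf '%s\n' '+ALL' '-mash1' > "$BAD_ORDER"

ftp_access mash1 "$FTPUSERS"    # deny
ftp_access mash2 "$FTPUSERS"    # allow
ftp_access guest "$FTPUSERS"    # allow, via +ALL
# With +ALL first, the -mash1 entry is dead and mash1 gets in:
ftp_access mash1 "$BAD_ORDER"   # allow
```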



Thank you very much for taking the time to read through this document.
I hope it has been helpful and an easy read. If you feel you have found any inconsistencies,
please don't hesitate to email me at ahdmashr@eg.ibm.com

Mash

Ahmed Mashhour


Document Information

Modified date:
17 June 2018

UID

isg3T1024687