--- Sjoerd Hooft's InFormation Technology ---

aixftp [2013/02/03 14:28] (current)
sjoerd created
= AIX FTP
Since I restricted access for local users to my AIX boxes, users have a problem placing files on the boxes. The files need to be accessible to local users for compiling, deploying or whatever purpose they are intended for. This is more complex than it seems: we are talking about multiple users working at the same time on the same project, placing and editing files all the time. When these files are not changed to belong to a local user or to one user in common, a permission and ownership nightmare will occur. With this in mind I had to change the security model so that it is still compliant with the security policy while development has a workable environment. The security model allows no login from local (fictional) user accounts, and real users (employees) have to log in through ssh, while being authenticated through [[aixldapedirectory|LDAP]]. [[sudo]] rights are given only to some specific users who know what they are doing, and every sudo command gets logged to the [[syslog]] server, which is only available to the IT department.

== SSH Allow
The first step is to make sure only LDAP authenticated users are allowed to log in. To enforce this policy before this problem arose, local accounts were simply set so they could not log on, neither locally nor remotely. This still makes it possible to su to another user, but logging in directly is prohibited. With these new requirements this is not enough anymore: to be able to log on through ssh you now have to be a member of a group in the same LDAP directory. To configure this, open sshd_config and add these lines at the end of the file:
<code>
sjoerd@aixbox:/home/sjoerd>sudo cat /etc/ssh/sshd_config | grep -i group
# Only allow users to use ssh when member of this group
AllowGroups ssh-access
</code>
This group should be in the LDAP directory. With us, this group is configured as everyone's primary group, so it's an excellent group to use for this purpose.

== Allow Remote Login
As said before, local accounts were previously prohibited from logging in to the box by setting their accounts accordingly. This is not necessary anymore, so you should change that so they can log in:
<code>
sudo chuser rlogin=true <username>
</code>
Of course, before you do this make sure the users cannot log in through any service except the ones you want. In [[aixpostinstall|this document]] I described the way to disable all unnecessary services on your AIX box.

== Enable FTP
Now it's time to enable FTP again, because I disabled all unnecessary services from running as described [[aixpostinstall|here]]. This means I have to enable the FTP service (subserver) in the inetd subsystem, start the inetd subsystem and make sure it starts after a reboot.
\\
Enable FTP:
  chsubserver -a -v ftp -p tcp

Start inetd subsystem:
  startsrc -s inetd

Start inetd after reboot:
  chrctcp -a inetd

Start inetd now and after reboot:
  chrctcp -S -a inetd

Refresh inetd with new settings after you've changed config files etc.:
  refresh -s inetd

== Configure FTP
To allow a single host, create a file called /etc/ftpaccess.ctl containing:
<code>
sjoerd@aixbox:/home/sjoerd>cat /etc/ftpaccess.ctl 
allow:ftpclient 
</code>
NOTE: There is a <space> directly after the host. I found the configuration does not work if this is not set.
\\
In case you want to restrict users from the ftp service, you can create a file called /etc/ftpusers containing:
<code>
sjoerd@aixbox:/home/sjoerd>cat /etc/ftpusers
user1
user2
user3
</code>
These users are now restricted from logging in through ftp. Note that this file is case sensitive.
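As an added example (not from the original page), the following POSIX shell script checks the three settings configured above against constructed sample files: that sshd_config limits logins to the LDAP group from the SSH Allow section, that every allow: line in ftpaccess.ctl carries the trailing space noted above, and that an ftpusers entry only matches case-sensitively. The temp-dir layout and the sample host and user names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: small checks for the three files
# this page configures (sshd_config, /etc/ftpaccess.ctl, /etc/ftpusers).
# It works on constructed sample copies in a temp dir, so it runs on any
# POSIX shell without touching a real AIX box. Assumed formats are exactly
# those shown on the page: "allow:<host> " per line, one username per line.

# Return 0 when sshd_config has an AllowGroups line naming the given group,
# i.e. ssh logins are limited to members of that (LDAP) group.
ssh_group_restricted() {
    awk -v g="$2" '$1 == "AllowGroups" { for (i = 2; i <= NF; i++) if ($i == g) found = 1 }
                   END { if (found) exit 0; exit 1 }' "$1"
}

# Return 0 when every allow: line carries the trailing space the page says
# ftpd needs; otherwise print the offending lines and return 1.
check_ftpaccess() {
    awk '/^allow:/ && !/ $/ { print "missing trailing space: [" $0 "]"; bad = 1 }
         END { exit bad + 0 }' "$1"
}

# Return 0 when the user is denied ftp by ftpusers. Exact, case-sensitive,
# literal match, because the page notes the file is case sensitive.
ftp_denied() {
    grep -qxF "$2" "$1"
}

# Constructed samples (the first two mirror the page's output).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
printf '# Only allow users to use ssh when member of this group\nAllowGroups ssh-access\n' > "$TMP/sshd_config"
printf 'allow:ftpclient \n' > "$TMP/ftpaccess.ctl"
printf 'allow:ftpclient \nallow:buildhost\n' > "$TMP/ftpaccess.bad"   # buildhost lacks the space
printf 'user1\nuser2\nUser3\n' > "$TMP/ftpusers"                     # note the capital U

# Stand-alone run: report on the samples.
ssh_group_restricted "$TMP/sshd_config" ssh-access && echo "sshd: ssh limited to group ssh-access"
check_ftpaccess "$TMP/ftpaccess.bad" || echo "ftpaccess.bad: fix the line(s) above"
ftp_denied "$TMP/ftpusers" user3 || echo "ftpusers: user3 is NOT denied (file has 'User3')"
```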

= Resources
[[http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.cmds/doc/aixcmds2/ftpd.htm|FTP Daemon]]

{{tag>aix network security}}