Securing the FTP service on HP-UX: The ftphosts and ftpgroups files
By Chris Wong

 

Administrators are familiar with the /etc/ftpd/ftpusers file, which lists the accounts that are denied access to the FTP daemon. Typically system accounts such as root, daemon, bin, sys, and opc are listed there, along with any other accounts deemed appropriate. The /etc/ftpd/ftphosts file adds a second layer: it lets the administrator deny or allow FTP access at both the account level and the host level. Used together, the ftphosts and ftpaccess files can replace much of what TCP Wrappers would otherwise provide for FTP. The following are sample entries for the ftphosts file:

 

deny root ctg500g

deny root ctg701

allow jrice ctg500g

 

In the above example, a user connecting from ctg500g or ctg701 cannot log in over FTP as root, but a user on any other host can. The allow line is meant to restrict logins as jrice to connections from ctg500g; as discussed below under rule order, do not rely on an allow line by itself to exclude other hosts, but pair it with an explicit deny. Obviously the configuration above is very poor, since a user on any system except the two listed can connect and attempt to log in as root. Note that the account name in the second column is the account on the FTP server host, not the account of the user on the remote system. To protect the root account, the following line should be in the ftphosts file:

 

deny root *

 

An entry for root should also exist in the /etc/ftpd/ftpusers file. The format of each entry is: “deny” or “allow”, followed by the account name, followed by the host name or IP address (or a range). A wildcard can be used for the account name or for the host. For example:

 

deny root * (denies FTP root access from all hosts)

deny * ctg700 (denies FTP access to all accounts from the host named ctg700)

 

Note that with the first line alone, root cannot FTP to the local system either: the “*” matches all hosts, including the local host. To permit root FTP access from the local host, you must place an “allow” statement before the “deny” all statement:

 

allow root ctg700  (where ctg700 is the local host)

deny root *

deny * ctg500g

 

The order of the entries matters, because the first rule that applies to a connection is the one used. For example, if “deny root *” were placed before the allow entry for the local host, the local host would never be granted access, since it too is matched by the wildcard “*”. If no allow rule applies to a connection, the connection is still permitted unless a later deny rule denies it. In other words, “allow root ctg700” on its own does not keep users on other hosts from attempting to log in as root; the explicit “deny root *” that follows it is what does that.
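Because order decides the outcome, it is worth dry-running a candidate ftphosts file before installing it. The script below is an added example, not part of this article or of the HP-UX ftpd itself. It applies the evaluation model described above (the first rule whose account and host both match wins; a connection matched by no rule is allowed and then goes on to the ftpusers check) to an account/host pair. It assumes each line is a keyword, an account, and one or more host globs, with “#” starting a comment; the multiple-host and comment handling go beyond the single-host lines shown in this article and are assumptions about the file format. The two sample files are constructed.

```sh
#!/bin/sh
# Added example (not HP-UX ftpd code): dry-run checker for an ftphosts file
# using the evaluation model described in this article. Rules are scanned top
# to bottom; the first rule whose account and host both match decides; a
# connection matched by no rule is allowed (and then still faces ftpusers).
# Assumed line format:
#     allow|deny  <account>  <hostglob> [<hostglob> ...]   # optional comment
# "*" may appear in the account or host position.

# usage: ftphosts_check ACCOUNT HOST FILE  -> prints allow|deny; exit 0 if allowed
ftphosts_check() (
    set -f                      # keep "*" in a rule a pattern, not a file-name glob
    acct=$1 host=$2 file=$3
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}        # drop trailing comment
        set -- $line            # split into: keyword account hostglob...
        [ $# -ge 3 ] || continue
        kw=$1 ruleacct=$2
        shift 2
        case $acct in
            $ruleacct) ;;       # account matches (literal name or wildcard)
            *) continue ;;
        esac
        for glob in "$@"; do
            case $host in
                $glob)
                    case $kw in
                        allow) echo allow; exit 0 ;;
                        deny)  echo deny;  exit 1 ;;
                    esac ;;
            esac
        done
    done < "$file"
    echo allow                  # no rule applied to this account/host
    exit 0
)

# Constructed sample files, not taken from the page's systems: the ordering the
# article recommends (plus a shadowed allow), and the same rules with the deny first.
GOOD=$(mktemp) BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
cat > "$GOOD" <<'EOF'
allow root  ctg700          # ctg700 is the local host
deny  root  *
deny  *     ctg500g
allow jrice ctg500g         # shadowed: "deny * ctg500g" above already matched
EOF
cat > "$BAD" <<'EOF'
deny  root  *
allow root  ctg700          # never reached: "*" already matched ctg700
EOF

for probe in "root ctg700 $GOOD" "root ctg701 $GOOD" "jrice ctg500g $GOOD" \
             "jrice ctg701 $GOOD" "root ctg700 $BAD"; do
    set -- $probe
    printf '%-5s from %-8s -> %s\n' "$1" "$2" "$(ftphosts_check "$1" "$2" "$3")"
done
```

Run it as a script to see the five probes, or source it and call ftphosts_check against your own file. The jrice allow in the first sample is shadowed by the “deny * ctg500g” above it, which is exactly the kind of ordering mistake the checker is meant to surface before the file goes live.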

 

When a connection is established, the ftphosts file is checked first. If that check passes, the ftpusers file is checked next. If access is denied at either level, the login fails, and the user sees the same message in both cases:

 

Name (ctg500g:root): root

530 User root access denied...

Login failed.

 

The administrator can tell which file caused the denial from the syslog entries. A denial by the ftphosts file logs the following message:

 

Feb 15 10:06:11 ctg500g ftpd[12976]: FTP LOGIN REFUSED (name in /etc/ftpd/ftphosts) FROM ctg700 [192.168.1.124], root

 

A denial by the ftpusers file, on the other hand, logs the following message:

 

Feb 15 10:17:20 ctg700 ftpd[13478]: FTP LOGIN REFUSED (bad shell) FROM ctg500g [192.168.1.114], root

 

For this logging to appear in syslog at all, the ftpd line in /etc/inetd.conf must carry the “-l” (lowercase L) option. Using the ftphosts file does not require the ftpaccess file.
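Once “-l” is on, the refusal lines above are what you have to work with. The following is an added example, not HP-UX code: it summarises “FTP LOGIN REFUSED” lines by reason, account and originating host, so the two causes can be told apart at a glance and repeated attempts against one account stand out, and it checks an inetd.conf for the “-l” flag. The syslog and inetd.conf samples are constructed around the two messages quoted above; the /usr/lbin/ftpd path in the sample is an assumption about the layout and nothing in the check depends on it.

```sh
#!/bin/sh
# Added example (not HP-UX code): triage the "FTP LOGIN REFUSED" lines that
# ftpd -l writes to syslog, and confirm that -l is actually configured.

# Summarise refusals as  count<TAB>reason<TAB>account<TAB>host<TAB>ip,
# most frequent first.
# usage: ftp_refusals SYSLOG_FILE
ftp_refusals() {
    awk '
        {
            s = $0
            # keep only refusal lines; strip everything up to the reason text
            if (!sub(/.*FTP LOGIN REFUSED \(/, "", s)) next
            n = index(s, ")")
            reason = substr(s, 1, n - 1)
            # remainder looks like: " FROM <host> [<ip>], <account>"
            split(substr(s, n + 1), f, " ")
            host = f[2]; ip = f[3]; acct = f[4]
            sub(/^\[/, "", ip); sub(/\],$/, "", ip)
            count[reason "\t" acct "\t" host "\t" ip]++
        }
        END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' "$1" | sort -rn
}

# inetd.conf fields: service type proto wait user program args...; the server
# argv starts at field 7, so any flag word there containing "l" counts.
# usage: ftpd_logging_enabled INETD_CONF  -> exit 0 if ftpd is started with -l
ftpd_logging_enabled() {
    awk '
        $1 == "ftp" && $2 == "stream" {
            for (i = 7; i <= NF; i++)
                if ($i ~ /^-[A-Za-z]*l/) found = 1
        }
        END { exit !found }
    ' "$1"
}

# Constructed samples (the first and third log lines are the ones quoted in
# the article; the rest are made up to show counting and the non-refusal case).
LOG=$(mktemp) INETD_ON=$(mktemp) INETD_OFF=$(mktemp)
trap 'rm -f "$LOG" "$INETD_ON" "$INETD_OFF"' EXIT
cat > "$LOG" <<'EOF'
Feb 15 10:06:11 ctg500g ftpd[12976]: FTP LOGIN REFUSED (name in /etc/ftpd/ftphosts) FROM ctg700 [192.168.1.124], root
Feb 15 10:06:40 ctg500g ftpd[12990]: FTP LOGIN REFUSED (name in /etc/ftpd/ftphosts) FROM ctg700 [192.168.1.124], root
Feb 15 10:17:20 ctg700 ftpd[13478]: FTP LOGIN REFUSED (bad shell) FROM ctg500g [192.168.1.114], root
Feb 15 10:18:02 ctg700 ftpd[13480]: FTP LOGIN FROM ctg500g [192.168.1.114], jrice
EOF
cat > "$INETD_ON" <<'EOF'
ftp          stream tcp nowait root /usr/lbin/ftpd    ftpd -l
EOF
cat > "$INETD_OFF" <<'EOF'
ftp          stream tcp nowait root /usr/lbin/ftpd    ftpd
EOF

ftp_refusals "$LOG"
ftpd_logging_enabled "$INETD_ON"  && echo "inetd.conf: ftpd logging on"
ftpd_logging_enabled "$INETD_OFF" || echo "inetd.conf: ftpd logging off"
```

Point ftp_refusals at the real syslog file (on HP-UX typically /var/adm/syslog/syslog.log) once the daemon is logging; the refusal reason in column two is the text inside the parentheses, so the two cases described above appear as separate rows.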

 

The ftpgroups file, by contrast, does require the ftpaccess file. Configuring ftpaccess was covered in the earlier article “Securing the FTP service on HP-UX: Introduction to the ftpaccess file” (http://searchhp.techtarget.com/tip/1,289483,sid6_gci798880,00.html). For ftpgroups to work, the following must be set in the ftpaccess file:

 

# allow use of private file for SITE GROUP and SITE GPASS?

private         yes

 

The ftpgroups file allows the administrator to define additional groups for use with the “SITE GROUP” FTP command. This gives an FTP user access to files owned by a group of which the user is not a member. The groups listed must be real groups found in /etc/group. In this example the following files are located in the directory /home/seattle:

 

ctg700#: ll -d /home/seattle

dr-xrwx---   2 root       seattle         96 Feb 15 12:55 /home/seattle

ctg700#: ll /home/seattle

total 0

----rwx---   1 root       seattle          0 Feb 15 12:55 file1

----rwx---   1 root       seattle          0 Feb 15 12:55 file2

----rwx---   1 root       seattle          0 Feb 15 12:55 file3

 

A user who is not a member of the seattle group cannot access these files over FTP, as the following example shows:

 

ftp> ls /home/seattle

200 PORT command successful.

150 Opening ASCII mode data connection for /usr/bin/ls.

/home/seattle unreadable

 

To give the FTP user access to these files, the ftpgroups file must be configured. Each entry has three colon-separated fields: the FTP access-group name, an encrypted password, and the group name as found in /etc/group. The first and last fields may be the same. First, create the encrypted password for the group. The example below does so for the password “mypass78”. Note that with this method the plain-text password must be exactly 8 characters: makekey reads ten bytes, the 8-character password followed by the two characters that serve as the salt (here “5f”), and writes the 13-character result.

 

ctg700#: PASS=mypass78

ctg700#: KEY=5f

ctg700#: ENCRPASS=`echo $PASS$KEY | /usr/lib/makekey`

ctg700#: echo $ENCRPASS

5f7CR5ESsudcQ

 

The following entry, using the encrypted password produced by makekey, is placed in the /etc/ftpd/ftpgroups file:

 

myseattle:5f7CR5ESsudcQ:seattle

The FTP user then requests the group with “SITE GROUP”, supplies its password with “SITE GPASS”, and can list the directory:

ftp> site GROUP myseattle

200 Request for access to group myseattle accepted.

ftp> site GPASS mypass78

200 Group access enabled.

ftp> ls /home/seattle

200 PORT command successful.

150 Opening ASCII mode data connection for /usr/bin/ls.

total 0

----rwx---   1 root       seattle          0 Feb 15 12:55 file1

----rwx---   1 root       seattle          0 Feb 15 12:55 file2

----rwx---   1 root       seattle          0 Feb 15 12:55 file3

226 Transfer complete.

ftp>

 

Using a group password with FTP does not increase security; it creates a way for a user to gain additional privileges. It is similar to putting a password on a group in /etc/group. If a user is not a member of a group, they cannot become one; but once the group has a password, anyone who guesses it effectively becomes a member. By the same reasoning, putting a password on a group for FTP gives users the opportunity to gain additional access by guessing. For both regular shell users and FTP users it is much safer to make the user a member of the group in /etc/group.

 

There are circumstances where configuring the ftpgroups file may be necessary. For example, suppose you want everyone who FTPs to the server to use a single FTP account (say ftp123). Some of those users might need access to additional files; they could use the SITE GROUP and SITE GPASS commands to gain it. You would then have one FTP account, ftp123, whose effective access varies from user to user according to the group passwords each one knows.

 

A few additional warnings about using GPASS and the ftpgroups file:

1). The password is sent across the network in the clear.

2). The password is displayed on the screen in plain text as it is typed.

3). The plain-text password remains on the screen afterwards and can be viewed by scrolling back.
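Two checks are worth having around the ftpgroups procedure above, as an added example rather than anything from this article or from HP-UX: one builds the exact ten-byte input that makekey expects (an 8-character password followed by a 2-character salt) and refuses anything else, and one lints an ftpgroups file for the field count, a 13-character crypt(3) password field, duplicate access-group names and groups missing from /etc/group. The group-file and ftpgroups contents below are constructed; the hash reused in them is the one created above.

```sh
#!/bin/sh
# Added example (not HP-UX code). Two checks around the ftpgroups procedure
# in this article: build the exact 10-byte input makekey(1) expects, and lint
# an existing ftpgroups file. Paths are parameters so the checks can run on
# copies; the sample group file and ftpgroups file below are constructed.

# makekey(1) reads exactly ten bytes, an 8-character password followed by a
# 2-character salt, and writes the 13-character crypt(3) result. Refuse any
# other length rather than let a short password be padded or a long one
# truncated silently.
# usage: makekey_input PASSWORD SALT | /usr/lib/makekey
makekey_input() {
    pass=$1 salt=$2
    [ ${#pass} -eq 8 ] || { echo "password must be exactly 8 characters" >&2; return 1; }
    [ ${#salt} -eq 2 ] || { echo "salt must be exactly 2 characters" >&2; return 1; }
    case $salt in
        *[!A-Za-z0-9./]*) echo "salt characters must be from [A-Za-z0-9./]" >&2; return 1 ;;
    esac
    printf '%s%s' "$pass" "$salt"
}

# Lint an ftpgroups file (accessgroup:crypt_hash:unix_group):
#   - exactly three fields
#   - a unique, non-empty access-group name
#   - a 13-character crypt(3) hash as makekey produces
#   - a unix_group that exists in the given group file
# usage: ftpgroups_lint FTPGROUPS GROUPFILE  -> one finding per line, exit 0 if clean
ftpgroups_lint() {
    awk -F: -v groupfile="$2" '
        BEGIN {
            while ((getline g < groupfile) > 0) { split(g, f, ":"); groups[f[1]] = 1 }
            close(groupfile)
        }
        $0 ~ /^[ \t]*(#|$)/ { next }                       # comments, blank lines
        NF != 3 { print FILENAME ":" FNR ": expected 3 fields, got " NF; bad++; next }
        {
            name = $1; hash = $2; grp = $3
            if (name == "") { print FILENAME ":" FNR ": empty access-group name"; bad++ }
            else if (name in seen) { print FILENAME ":" FNR ": duplicate access group " name " (first at line " seen[name] ")"; bad++ }
            else seen[name] = FNR
            if (length(hash) != 13 || hash !~ /^[A-Za-z0-9.\/]+$/) {
                print FILENAME ":" FNR ": password field is not a 13-character crypt(3) hash"; bad++
            }
            if (!(grp in groups)) { print FILENAME ":" FNR ": group " grp " not found in " groupfile; bad++ }
        }
        END { exit bad > 0 }
    ' "$1"
}

# Constructed sample data: a two-line group file and an ftpgroups file with
# one good entry, one unknown group, and one duplicate with a bad hash.
GRP_FILE=$(mktemp) FTPGROUPS_FILE=$(mktemp)
trap 'rm -f "$GRP_FILE" "$FTPGROUPS_FILE"' EXIT
cat > "$GRP_FILE" <<'EOF'
root::0:root
seattle::200:
EOF
cat > "$FTPGROUPS_FILE" <<'EOF'
# accessgroup:crypt_hash:unix_group
myseattle:5f7CR5ESsudcQ:seattle
portland:5f7CR5ESsudcQ:portland
myseattle:tooShort:seattle
EOF

makekey_input mypass78 5f; echo      # the ten bytes the article piped into makekey
ftpgroups_lint "$FTPGROUPS_FILE" "$GRP_FILE" || echo "ftpgroups has problems"
```

On the HP-UX host, pipe makekey_input into /usr/lib/makekey to produce the encrypted field instead of echoing the concatenated string by hand. On the sample ftpgroups file the lint reports the missing portland group and, for the last line, both the duplicate access group and the malformed password field, and exits non-zero.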

 

Next time we will discuss anonymous FTP and how to create a restricted FTP user account.

 

Chris Wong is a technical consultant and trainer based in Bellevue, WA. She is the author of the HP Press book HP-UX 11i Security.  http://newfdawg.com

All Rights Reserved, Copyright 2000 - 2002, TechTarget

 

 
