HP-UX Remote Access Services Administrator's Guide HP-UX 11i v2, HP-UX 11i v3 HP Part Number: B2355-91058 Published: February 2007 Edition: 2
Legal Notices © Copyright 2004–2007 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
About This Document This document describes the Remote Access Services implemented in the HP-UX 11i v2 and HP-UX 11i v3 operating systems. It is one of the documents available for the Internet Services suite of products. For a list of other Internet Services documents, see “Related Information” (page 14). These documents replace the document Installing and Administering Internet Services (B2355-90685), which was shipped with releases prior to the HP-UX 11i v2 operating system.
Publishing History The following table lists the publishing details of this document for various HP-UX releases.
• Request for Comments (RFC) at: http://www.ietf.org/rfc.html • Other Documents For detailed technical and conceptual information about BIND, as well as information about planning a BIND hierarchy and using Sendmail with BIND, HP recommends that you read Paul Albitz and Cricket Liu, 2001. DNS and BIND. O'Reilly and Associates, Inc. For more technical and conceptual information about Sendmail, HP recommends that you read Bryan Costales and Eric Allman, 2001.
Ctrl+A: This symbol indicates that you hold down the first named key while pressing the key or mouse button that follows the plus.
Bold: The defined use of an important word or phrase.
...: The preceding element can be repeated an arbitrary number of times.
|: Separates items in a list of choices.
HP Welcomes Your Comments HP welcomes your comments concerning this document. We are committed to providing documentation that meets your needs. Send your comments or suggestions to: netinfo_feedback@cup.hp.
1 Remote Access Services Overview Remote Access Services are used to connect to the remote systems in a network. Remote access connection from outside the realm of the client and server machines to the network is usually made via a telephone and modem connection. The efficiency of the remote connection depends on the network efficiency and the type of service used. An attempt to improve the remote access servers is continuously made to assist users in connecting to more resources remotely.
Table 1-1 R-Commands (continued)
rcp: Copies files remotely.
rdist: Invokes the remote file distribution program.
ruptime: Shows status of local machines.
rwho: Shows who is logged in to a local machine.
rwhod: Invokes the system status server.
A description of all the r-commands is provided in the subsequent sections. The rlogin Command The rlogin command connects the terminal on the local host to the remote host (rhost) and acts as a virtual terminal to the remote system.
Secure Environment Authentication In a Kerberos V5 network authentication environment, rlogin uses the Kerberos V5 protocol to authenticate the connection to a remote host. If the authentication is successful, user authorization is performed according to the rlogind command-line options (that is, -K, -R, -k, or -r). You do not require a password to log in to a remote host in a Kerberos authentication environment. The Kerberos protocol is responsible for authenticating the remote connection.
login stream tcp nowait root /usr/lbin/rlogind rlogind
• In a secure environment, you must add the following entry to the /etc/inetd.conf configuration file:
klogin stream tcp nowait root /usr/lbin/rlogind rlogind -K
To start rlogind in IPv6 mode, add the following entry to the configuration file /etc/inetd.
remsh host [-l username] [-n] command ...
host [-l username] [-n] command
rexec host [-l username] [-n] command
In a Kerberos V5 network authentication environment, the syntax for remsh is as follows:
remsh host [-l username] [-f -F] [-k realm] [-P] [-n] command ....
Kerberos-Specific Options You can set the default Kerberos options in the configuration file /etc/krb5.conf. You can set the -f and -F options with the tag names forward and forwardable, respectively, and set the fallback option within the appdefaults section in the /etc/krb5.conf file. If you set the fallback option to true and the Kerberos authentication fails, remsh uses the non-secure mode of authentication. The -f and -F options are mutually exclusive. For more information, type man 4 krb5.
You can set the default Kerberos options in the configuration file /etc/krb5.conf. You can set the -f and -F options with the tag names forward and forwardable, respectively, and set the fallback option within the appdefaults section in the /etc/krb5.conf file. If you set the fallback option to true and the Kerberos authentication fails, rcp uses the non-secure mode of authentication. The -f and -F options are mutually exclusive. For more information, type man 4 krb5.conf at the HP-UX prompt.
The rdist Command rdist allows you to maintain identical copies of files over multiple hosts. It preserves the owner, group, mode, and modification time of files and updates executing programs. The syntax for rdist is as follows:
rdist [ -bhinqvwyMR ] [ -f distfile ] [ -d var=value ] [ -m host ]
The distfile in the rdist command contains a sequence of entries that specify the files to be copied, the destination hosts, and operations to perform while updating.
The rdist Command Options Table 1-4 describes the rdist options.
Table 1-4 rdist Options
-f distfile: Specifies a distfile for rdist to execute. distfile contains a sequence of entries that specify the files to be copied, the destination hosts, and the operations to be performed for updating purposes.
-d var=value: Defines variable definitions in the distfile. value defines an empty string, a name, or a list of names separated by tabs or spaces and enclosed by a pair of parentheses.
The ruptime Command ruptime produces a status line for each machine on the local network that is running the rwho daemon. The ruptime status lines are formed from packets broadcast every 3 minutes between the rwho daemons on each host on the network.
Table 1-5 Sorting Order Options (continued)
-u: Sorts by the number of users.
-r: Reverses the sort order.
For detailed information on ruptime, type man 1 ruptime at the HP-UX prompt. The rwho Command The rwho command displays who is logged in to the local system. rwho displays output similar to the HP-UX who command for all the machines on the local network running the rwho daemon.
rwhod performs the following functions as an information receiver:
• Listens for other rwhod servers' status messages.
• Validates the status messages.
• Records the status messages in files located in the /var/spool/rwho directory.
By default, rwhod sends and receives information. You can configure rwhod to either send or receive information by using the -s and -r options, respectively. rwhod starts during system startup if the variable RWHO is set to 1 in the /etc/rc.config.d/netdaemons file.
Kerberos-Specific Options By default, the Kerberos version of telnet behaves as a client that supports authentication based on Kerberos. You can enable Kerberos authentication to telnet by using the -a or -l option. As a Kerberos client, telnet authenticates and authorizes a user to access the remote system. For more information on Kerberos authentication and authorization, type man 5 sis at the HP-UX prompt. However, telnet does not support integrity checks and encrypted sessions.
NOTE: telnetd supports the Error Management Technology (EMT) toolset that provides an online, searchable repository of error messages. When telnetd displays an error message, you can search the repository for the respective cause and also obtain the appropriate action for the error message. Starting telnetd To start telnetd from the inetd daemon, you must add the following entry in the /etc/inetd.
NOTE: To operate in an IPv6-enabled Kerberos mode, change tcp to tcp6 in the previous entries. By default, the telnet server provides remote execution facilities using the Kerberos V5 network authentication. For more information, type man 1M telnetd at the HP-UX prompt. FTP Overview The File Transfer Protocol (FTP) enables you to transfer files between a client host system and a remote server host system.
Normally, inetd invokes the ftp daemon, ftpd. However, you can also run ftpd in a standalone mode by using the ftpd options -s or -S. For more information, type man 1M ftpd at the HP-UX prompt. For detailed information on the ftp command, type man 1 ftp at the HP-UX prompt. See “Configuring FTP” (page 33) for information on configuring FTP.
2 Configuring FTP The File Transfer Protocol (FTP) is used for transferring files efficiently and reliably between hosts over the Internet. ftp is a user interface to FTP. ftp copies files over a network connection between the local client host and a remote server host. ftp runs on the client host, and ftpd runs on the remote server. FTP promotes file sharing and the implicit use of remote systems, and shields a user from variations in file storage systems.
NOTE: You can obtain the default ftp configuration files from the /usr/newconfig/etc/ftpd/examples directory. Enabling or Disabling the /etc/ftpd/ftpaccess File The following specifies how to enable or disable the /etc/ftpd/ftpaccess file: • To enable the /etc/ftpd/ftpaccess file, specify the -a option for the ftp entry in the /etc/inetd.conf file.
The /etc/ftpd/ftpconversions file allows you to configure the FTP server so that when a user specifies a file name (using a get command), the compression and tar operations occur automatically. Table 2-1 shows compression and tar operations.
Table 2-1 Compression and Tar Operations (True File Name / Specified File Name / Action)
File stored with the .Z suffix, requested without it: Uncompresses the file before transmitting.
File stored without the .Z suffix, requested with it: Compresses before transmitting.
.
/usr/newconfig/etc/ftpd/examples directory. You can edit this file and copy it to the /etc/ftpd directory. The administrative utility, /usr/bin/privatepw, is used to update the group access file information in /etc/ftpd/ftpgroups. The administrator can add, delete, and list enhanced access group information required for the commands SITE GROUP and SITE GPASS. The /usr/bin/privatepw command requires read and write permission for the appropriate ftpgroups file to modify the access group information.
The password field must be *, the group membership must be guest, and the login shell must be /usr/bin/false. In this example, the user ftp's user ID is 500, and the anonymous ftp directory is /home/ftp. For more information on the passwd file, type man 4 passwd at the HP-UX prompt. Creating an Anonymous FTP Directory The anonymous FTP directory consists of four subdirectories: usr, etc, pub, and dist, created under the /home/ftp directory.
NOTE: If you want ftpd to use the /usr/bin/ls command, instead of the /sbin/ls command, to support directory listing, copy the relevant libraries specified as follows: • For Integrity systems, create the hpux32 directory under the /home/ftp/usr/lib directory, which must be owned by the root. Ensure that you change the permissions for the /home/ftp/usr/lib/hpux32 directory to 0555 (the directory cannot be written or edited).
6. Copy the files /etc/passwd and /etc/group to the /home/ftp/etc directory. The ls command requires these files to display the owners of the files and directories under the /home/ftp directory.
# cp /etc/passwd /home/ftp/etc
# cp /etc/group /home/ftp/etc
7. Replace the password field in all entries in the /home/ftp/etc/passwd file with *, and delete the shell field from the end of each entry, as shown in the following example:
#ftp:*:500:guest:anonymous ftp:/home/ftp:
#acb:*:8996:20::/home/acb:
8.
11. Create the pub directory under /home/ftp. Set the owner of the /home/ftp/pub directory to user ftp and its permissions to 0777 (read, write, and execute permissions), as shown in the following example:
# mkdir /home/ftp/pub
# chown ftp /home/ftp/pub
# chmod 0777 /home/ftp/pub
Anonymous ftp users can put files in this directory to make them available to other anonymous ftp users.
12. Create a directory called dist under /home/ftp.
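Steps 6 and 7 above, as an added POSIX shell example that is not part of the HP guide: a filter that produces the chroot copy of /etc/passwd with every password field replaced by * and the login shell dropped, and a check that no hash or shell survived in the copy. The sample passwd content is constructed.

```shell
#!/bin/sh
# Added example (not from the HP-UX guide): prepare /home/ftp/etc/passwd
# for the anonymous FTP chroot. Only ls needs this file (to map uid/gid to
# names), so every password field becomes "*" and the login shell is dropped,
# matching the guide's example "ftp:*:500:guest:anonymous ftp:/home/ftp:".

# sanitize_passwd: read passwd(4) lines on stdin, write the chroot form on stdout.
# Fields kept: name, uid, gid, gecos, home. Field 2 is forced to "*", field 7
# (shell) is removed; the trailing ":" stays so the entry still has six fields.
sanitize_passwd() {
    awk -F: 'NF >= 6 { printf "%s:*:%s:%s:%s:%s:\n", $1, $3, $4, $5, $6 }'
}

# check_chroot_passwd: read a candidate chroot passwd on stdin; exit 0 only if
# no entry carries a password hash (field 2 other than "*") or a login shell
# (non-empty seventh field). Offending entries are reported on stderr.
check_chroot_passwd() {
    awk -F: '
        $2 != "*" || (NF >= 7 && $7 != "") {
            printf "unsafe entry for user %s\n", $1 > "/dev/stderr"; bad++
        }
        END { exit (bad > 0) }'
}

# build_chroot_passwd SRC DST: write the sanitized copy and verify it before
# it is installed, so a slip never exposes a hash under /home/ftp/etc.
build_chroot_passwd() {
    sanitize_passwd < "$1" > "$2" && check_chroot_passwd < "$2"
}

# Constructed sample of a host /etc/passwd (fake hashes, not real credentials).
SAMPLE_PASSWD='root:FaKeHaSh01:0:3::/:/sbin/sh
ftp:*:500:guest:anonymous ftp:/home/ftp:/usr/bin/false
acb:FaKeHaSh02:8996:20::/home/acb:/usr/bin/sh'

# Demonstration on the constructed sample (writes only to a temporary file).
tmp=${TMPDIR:-/tmp}/chroot_passwd.$$
printf '%s\n' "$SAMPLE_PASSWD" | sanitize_passwd > "$tmp"
if check_chroot_passwd < "$tmp"; then
    echo "chroot passwd is clean:"
    cat "$tmp"
fi
rm -f "$tmp"
```

Run build_chroot_passwd /etc/passwd /home/ftp/etc/passwd as root on the real system; the copy of /etc/group from step 6 is not touched by this filter.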
[Figure 2-1 Directory Structure for Anonymous FTP Account: tree diagram of the /home/ftp account with its usr, etc, pub, and dist subdirectories and the bin, passwd, ls, and group entries]
Configuring the Authentication Service in FTP FTP provides support for the Pluggable Authentication Module (PAM). PAM is an Open Group standard (RFC 86.0) for user authentication, password modification, session management, and validation of accounts.
ftp auth required /usr/lib/security/libpam_dce.1
ftp account required /usr/lib/security/libpam_dce.1
For more information, see the manual Managing Systems and Workgroups: A Guide for HP-UX System Administrators, available at http://docs.hp.com/hpux/onlinedocs/B2355-90742/B2355-90742.html and the manpages pam (3) and pam.conf (4). Configuring Logging for FTP You can log both the FTP session information and the file transfer information, as explained in the following sections.
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -a -l -d -i -o
Logging FTP Sessions You can log the FTP session information to the /var/adm/syslog file. You can specify FTP session logging by using the log commands keyword in the /etc/ftpd/ftpaccess file. The log commands keyword enables or disables logging of an FTP session to the /var/adm/syslog file, including commands such as logins, login failures, and anonymous ftp activity.
A default limit is specified to all the classes for which you have not specified a limit. When the FTP session logs off, this directive prints the number of files and the number of bytes transferred. • You can limit the number of data files a user in the given class can transfer in a session. You can specify a directive in the /etc/ftpd/ftpaccess file to limit the number of incoming files, outgoing files, or both.
1. Edit the /etc/ftpd/ftpaccess file to include a path for the shutdown message file in the shutdown entry. (You can also create the shutdown message file with the ftpshut command in a later step.) NOTE: If you do not specify the shutdown entry in the /etc/ftpd/ftpaccess file and try to execute the ftpshut command, then the following error message is displayed: No shutdown file defined in the ftpaccess file 2.
• "Enhanced DNS Extensions" (page 48)
• "Reported Address Control" (page 48)
• "PORT and PASV Data Connection" (page 49)
• "The keepalive Clause" (page 49)
• "Clauses to Control Access to Areas on the FTP Site" (page 50)
• "File Retrieval" (page 50)
• "Virtual Server" (page 50)
• "Default Host Name" (page 51)
• "Control Information" (page 52)
• "Session Time Limit" (page 52)
• "Treatment of UIDs and GIDs as Guests" (page 52)
• "FTP Server Access to UID and GID Values" (page 53)
• "Upload and Down
defaultserver incmail • deny-email If you specify virtual host addresses, addresses only on a particular host receive notification messages of anonymous uploads. Otherwise, notifications are sent to the global addresses. The defaultserver addresses apply only to real hosts and not to virtual hosts. Hence, the real host receives notifications of uploads on its default anonymous area. However, with this option set, the virtual hosts are not notified.
Table 2-2 FTP Daemon timeout Options (continued)
idle: The time period the daemon waits for the next command. The default value is 900 seconds.
RFC931: The maximum time period for which the daemon allows for the entire RFC 931 (AUTH/ident) conversation. The default value is 10 seconds.
maxidle: The SITE IDLE command allows the remote client to establish a higher value for the idle timeout.
connection. When a control connection matching the cidr (classless inter-domain routing) requests a passive data connection (PASV), the externalip address is reported. The syntax for controlling the reported address is as follows:
passive address
passive ports
Example 2-1 The passive Clause The following are some examples for the passive clause:
passive address 10.0.1.15 10.0.0.
The syntax for the keepalive clause is as follows:
keepalive yes | no
Clauses to Control Access to Areas on the FTP Site You can specify clauses to control whether a real or guest user is allowed access to areas on the FTP site other than their home directories. The syntax for the clauses that control access to areas on the FTP site is as follows:
restricted-uid [...]
restricted-gid [...]
unrestricted-uid [...]
unrestricted-gid [...
virtual allow [ username ...]
virtual deny [ username ...]
virtual private
virtual hostname email string
defaultserver deny [ username ...]
defaultserver allow [ username ...]
defaultserver private
Table 2-3 specifies different virtual clause examples.
Table 2-3 virtual Clause Options
virtual xx.xx.xx.xx allow root: Allows the root user to start the FTP session on the machine xx.xx.xx.xx.
Example 2-3 The hostname Clause An example for the hostname clause is as follows:
hostname telnet2.123.com
Displays the default host name (telnet2.123.com) instead of the actual host name in the greeting message. Control Information This feature allows you to control the information specified in the greeting message before a remote user logs in. For the greeting message, you can specify the host name and daemon version, only the host name, or only the message FTP server ready.
guestuser [ username ... ]
realgroup [ groupname ... ]
realuser [ username ... ]
FTP Server Access to UID and GID Values This feature allows you to specify UID and GID values for which the FTP server access is denied or allowed. By default, allow access is set. The syntax for denying or allowing FTP server access to UID and GID values is as follows:
deny-uid [...]
deny-gid [...]
allow-uid [...]
allow-gid [...
Example 2-6 The ul-dl-rate Clause An example for the ul-dl-rate clause is as follows:
ul-dl-rate 2
For every 1 byte of data that is uploaded, the ftp server allows 2 bytes of data to be downloaded. The nice Clause The nice clause allows you to modify the nice value of the ftpd server if the remote user is a member of the named class. If you do not specify the class, nice-delta is used as the default adjustment to the nice value of the ftpd server process.
Example 2-7 The defumask Clause The following are some examples for the defumask clause:
defumask 0177
defumask 0133 ClassA
This creates files with the permission -rw-r--r-- for a user of ClassA. For other users, files are created with the permission -rw-------. Limitations on the Number of Lines of Output This feature allows you to limit the number of lines of output that can be sent to the remote client. By default, the limit is set to 20.
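How the defumask clauses in Example 2-7 resolve for a given class and what mode an upload ends up with, as an added POSIX shell example that is not from the HP guide. The ftpaccess lines are constructed; accepting several class names after the umask on one line is an assumption beyond the single-class form the guide shows.

```shell
#!/bin/sh
# Added example (not from the HP-UX guide): work out which defumask applies to
# a user's class, what mode ftpd gives uploaded files (0666 & ~umask), and flag
# a umask that leaves uploads group- or world-writable.

# Constructed ftpaccess fragment: a global umask, a safe class-specific one and
# a deliberately weak one for comparison.
SAMPLE_FTPACCESS='# global default for every class not named below
defumask 0177
defumask 0133 ClassA
defumask 0000 ClassB ClassC'

# effective_defumask FTPACCESS_TEXT CLASS: print the umask for CLASS.
# A line naming the class wins over the global (class-less) line; "none" if
# neither exists. Assumption: several class names may follow the umask.
effective_defumask() {
    printf '%s\n' "$1" | awk -v cls="$2" '
        /^#/ { next }
        $1 == "defumask" && NF == 2 { global = $2 }
        $1 == "defumask" && NF > 2 {
            for (i = 3; i <= NF; i++) if ($i == cls) specific = $2
        }
        END {
            if (specific != "") print specific
            else if (global != "") print global
            else print "none"
        }'
}

# last3 UMASK: normalise to exactly three octal digits (drop extra leading
# digits such as the 0 in 0177, zero-pad short values).
last3() {
    u=$1
    while [ ${#u} -gt 3 ]; do u=${u#?}; done
    while [ ${#u} -lt 3 ]; do u=0$u; done
    printf '%s' "$u"
}

# rw_bits DIGIT: one octal umask digit -> "rw-", "r--", "-w-" or "---".
# Uploads start from 0666, so the x bit is never set; only the r (4) and
# w (2) bits of the umask digit matter.
rw_bits() {
    r='-'; w='-'
    if [ $(( $1 / 4 % 2 )) -eq 0 ]; then r='r'; fi
    if [ $(( $1 / 2 % 2 )) -eq 0 ]; then w='w'; fi
    printf '%s%s-' "$r" "$w"
}

# mode_from_umask UMASK: ls-style mode of a file created with 0666 & ~UMASK,
# e.g. 0177 -> -rw-------, 0133 -> -rw-r--r--.
mode_from_umask() {
    u=$(last3 "$1"); rest=${u#?}
    printf '%s%s%s%s\n' - "$(rw_bits "${u%??}")" "$(rw_bits "${rest%?}")" "$(rw_bits "${rest#?}")"
}

# umask_is_safe UMASK: succeed only if the group and other digits both mask
# the write bit, so files uploaded to the server cannot be altered by other users.
umask_is_safe() {
    u=$(last3 "$1"); rest=${u#?}
    [ $(( ${rest%?} / 2 % 2 )) -eq 1 ] && [ $(( ${rest#?} / 2 % 2 )) -eq 1 ]
}

# upload_mode FTPACCESS_TEXT CLASS: mode string for CLASS, or "none".
upload_mode() {
    m=$(effective_defumask "$1" "$2")
    if [ "$m" = none ]; then echo none; else mode_from_umask "$m"; fi
}

# Demonstration: ClassA and ClassC have their own lines, Guest falls back to 0177.
for c in ClassA ClassC Guest; do
    m=$(effective_defumask "$SAMPLE_FTPACCESS" "$c")
    if umask_is_safe "$m"; then s=ok; else s='WARNING: group/other writable'; fi
    printf '%-6s defumask %s -> %s  %s\n' "$c" "$m" "$(mode_from_umask "$m")" "$s"
done
```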
Example 2-9 The anonymous-root Clause The following are examples for the anonymous-root clause:
anonymous-root /home/ftp
anonymous-root /home/localftp localnet
Example 2-9 contains two examples for the anonymous-root clause. The first example changes the root directory of all the anonymous users to the directory /home/ftp, the anonymous user's current working directory being the home directory.
IPv6 Support To support IPv6 functionality, you must modify the /etc/inetd.conf file as follows: ftp stream tcp6 nowait root /usr/bin/ftpd ftpd -l However, if you specify tcp instead of tcp6, FTP operates in the IPv4 mode.
• Implementation of RFC 1639 (FTP Operation Over Big Address Records (FOOBAR)) This RFC describes a convention for specifying an address other than the default data port for the connection over which data is transferred. The commands to accommodate FTP operations over network and transport protocols are specified as follows:
— LPRT This command allows you to specify a long address for the transport connection.
system. identd is a server that implements the TCP/IP proposed standard IDENT user identification protocol as specified in RFC 1413. identd operates by looking up specific TCP/IP connections and returning the user name of the process owning the connection. identd is invoked either by the Internet server, inetd, for requests to connect to the IDENT port as indicated in the /etc/services file or started manually using the -b mode of operation.
[Figure 2-2 Structure of an FTP Server Hosting Two Virtual Domains: ftp.domain.com (FTP Server) serving ftp.animals.com (Virtual Domain 1) and ftp.flowers.com (Virtual Domain 2)]
In Figure 2-2, a user connected to the FTP server ftp.domain.com through the domain ftp.animals.com receives a different banner and directory than a user who is connected to the same server through the domain ftp.flowers.com.
NOTE: A sample configuration file exists in the /usr/newconfig/etc/ftpd/examples directory. Example 2-15 /etc/ftpd/ftpservers Configuration File Entry The following example shows a possible entry in the /etc/ftpd/ftpservers configuration file:
123.123.123.123 /etc/ftpd/somedomain
In this example, when an FTP client connects to the server using the IP address 123.123.123.
The "virtual address allow username" and "virtual address deny username" directives These directives are used to allow or deny real and guest users. They can be used in the /etc/ftpd/ftpaccess file as well as the virtual domain specific ftpaccess file.
virtual address allow username [ username ... ]
virtual address deny username [ username ... ]
The "virtual address private" directive This directive is used to deny anonymous FTP login.
NOTE: The virtual address logfile path directive does not require the virtual address root directive. This directive overrides the logfile path directive. If the /etc/ftpd/ftpaccess file has the logfile path directive but does not have the virtual address logfile path directive, then the logfile path directive does not affect the behavior of the ftpd(1M) daemon. The "virtual address hostname string" directive This directive is used to change the default hostname of the FTP server.
NOTE: The virtual address incmail emailaddress directive does not require the virtual address root path directive. This directive overrides the incmail emailaddress directive. If the master /etc/ftpd/ftpaccess configuration file has the incmail emailaddress directive but does not have the virtual address incmail emailaddress directive, then the incmail emailaddress directive does not affect the behavior of the ftpd(1M) daemon.
The "virtual address allow username" and "virtual address deny username" directives These directives are used to allow or deny real and guest users logging in to a virtual FTP setup. These directives can also be used in the master /etc/ftpd/ftpaccess file. The "virtual address private" directive This directive is used to deny anonymous access to a virtual FTP setup. This directive can also be used in the master /etc/ftpd/ftpaccess file.
NOTE: Do not use the virtual address email emailaddress directive in the virtual domain's ftpaccess file as it will not have any effect. The “incmail emailaddress” directive This directive is used to change the email address for anonymous upload notifications. This directive is used in the /etc/ftpd/ftpaccess file. NOTE: Do not use the virtual address incmail emailaddress directive in the virtual domain's ftpaccess file as it will not have any effect.
In this example, the root directory of the anonymous user is changed to the /virtual directory. You must ensure that the files referenced after changing the root directory exist in the virtual server (similar to the scenario for setting up an anonymous account).