WU-FTPD 2.6.
Legal Notices © Copyright 2001, 2011 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice.
Contents
1 WU-FTPD 2.6.1 Release Notes ... 4
  Announcement ... 4
  What is in this version ... 4
  WU-FTPD 2.6.1 features ...
1 WU-FTPD 2.6.1 Release Notes

This document discusses the most recent product information pertaining to WU-FTPD 2.6.1. It also describes how to install WU-FTPD 2.6.1 on the HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3 operating systems. This document addresses the following topics:
• “Announcement” (page 4)
• “What is in this version” (page 4)
• “WU-FTPD 2.6.
WU-FTPD 2.6.1 features

Following are the WU-FTPD 2.6.1 features supported on the HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3 operating systems:

NOTE: Except for the TLS/SSL feature, all the features discussed in this section are available in WU-FTPD 2.6.1 on the HP-UX 11i v1 operating system.

Support for TLS/SSL

The Transport Layer Security/Secure Socket Layer (TLS/SSL) feature enables the HP-UX FTP product to use the security features provided by OpenSSL.
the server and, if required, the client, and to provide session-level encryption and confidentiality for the entire session.
• Hash algorithms. A hash algorithm is a one-way function that accepts a variable-length input and produces a fixed-length output; that output serves as a fingerprint of the input. A small change to the input produces a large, unpredictable change in the output. Popular hash algorithms include SHA-1, MD5, and RIPEMD. MD5 and SHA-1 are no longer considered collision resistant; where the choice is yours, prefer a SHA-2 digest for certificate signatures.
• Organizational unit (OU), such as a department within an organization
• City or location (L) where the organization is located
• State or province (SP) where the city is located
• Country (C) as a two-letter International Organization for Standardization (ISO 3166) code, such as US
The DN is the combination of these certificate fields.
    print "Certificate is in newcert.pem, private key is in newkey.pem\n"
} elsif (/^-newreq$/) {
    system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS");        [2]
    $RET=$?;
    print "Request is in newreq.pem, private key is in newkey.pem\n";
} elsif (/^-newreq-nodes$/)

1 Replace the -newcert system() line carrying callout 1 (it precedes this excerpt) with the following:
    system ("$REQ -new -nodes -x509 -keyout newkey.pem -out newcert.pem $DAYS");
2 Replace the line carrying callout 2 with the following:
    system ("$REQ -new -nodes -keyout newkey.pem -out newreq.
NOTE: The -nodes option writes the private key unencrypted, so that ftpd can load it at start time without a passphrase. A key stored this way is protected only by file permissions; keep it readable by root alone.
After you answer the questions prompted by the ./CA.pl -newca command, the following files are created:
• The ./demoCA/cacert.pem file. This is the CA certificate file that you can exchange with communication partners for TLS authentication or verification.
• The ./demoCA/private/cakey.pem file. This is the private key file of the CA and is passphrase-protected. You can use this private key to sign or revoke certificates.
NOTE: Do not exchange the private key file with communication partners.
1. Create DSA parameters:
   openssl dsaparam -out dsap.pem 1024
2. Create a DSA CA certificate and private key:
   openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem
3. Create the CA directories and files:
   /opt/openssl/misc/CA.pl -newca
   Enter cacert.pem when prompted for the CA file name.
4. Create a DSA certificate request and private key (a different set of parameters can optionally be created first):
   openssl req -out newreq.pem -newkey dsa:dsap.pem
5. Sign the request:
   CA.
NOTE: Step 2 deliberately writes the CA private key and certificate into the same file, cacert.pem; CA.pl -newca in step 3 splits that file into ./demoCA/private/cakey.pem and ./demoCA/cacert.pem. The 1024-bit DSA parameters shown are below current key-size recommendations; use them only where interoperability with older peers requires it.
ftp-ssl-ncf FTP TLS enhancement software is installed in the system. Run the following command to ensure that the software is installed:
# swlist -l product | grep ftp-ssl-ncf
The following output is displayed if the software is installed in the system:
ftp-ssl-ncf B.11.23.01.002 ftp-ssl-ncf web release
For the HP-UX 11i v3 operating system, the WU-FTPD 2.6.1 software bundle provides the FTP server and the SSL libraries as a single product.
FTP_SSL_CA_FILE   Specifies the CA certificate file.
FTP_SSL_CA_PATH   Specifies the directory (OpenSSL CApath style) that holds CA certificates.
FTP_SSL_CRL_FILE  Specifies the CRL file used by the FTP client.
FTP_SSL_CRL_PATH  Specifies the directory that holds CRL files.
FTP_TLS_PASSWD    Specifies the password used to decrypt the PEM key file(s). Treat it as a secret: anything that can read the client's environment can read it, so do not set it in shared shell startup files.
NOTE: For the default values, see the ftp(1) manpage.
a. X.509 RSA Certificate Authority (CA).
b. X.509 RSA server certificate signed by the CA certificate (certificate file).
c. X.509 RSA private key associated with the RSA server certificate (key file).
2. Copy the CA file, certificate file, and key file to the /etc/ftpd/security directory on the server, for example, /etc/ftpd/security/ca.pem, /etc/ftpd/security/ftpd-rsa-cert.pem, and /etc/ftpd/security/ftpd-rsa-key.pem, respectively. Keep the key file readable by root only (for example, mode 0600); the CA file and the certificate are not secret.
export FTP_SSL_CERT_FILE=/home/user1/certificate.pem
export FTP_SSL_KEYT_FILE=/home/user1/private-key.pem
• Using Command-Line Options
To start the FTP client using command-line options, run the following command:
ftp -z CAfile=/etc/ftpd/security/ca.pem -z cert=/home/user1/certificate.pem -z key=/home/user1/private-key.pem
• Using the Configuration File
To start the FTP client using a configuration file, run the following command:
ftp -z config=
5.
Figure 1 Structure of an FTP Server Hosting Two Virtual Domains
[Figure: ftp.domain.com (FTP Server) hosting ftp.animals.com (Virtual Domain 1) and ftp.flowers.com (Virtual Domain 2)]
In Figure 1, a user connected to the FTP server ftp.domain.com through the domain ftp.animals.com receives a different banner and directory than a user who is connected to the same server through the domain ftp.flowers.com.
• virtual address private
• virtual address { root|banner|logfile } path
• virtual address { hostname|email } string
• virtual address incmail emailaddress
• virtual address mailfrom emailaddress

Usage
This section describes the functionality of the various directives.

The virtual address allow username and virtual address deny username directives
These directives are used to allow or deny real and guest users.
The virtual address hostname string directive
This directive changes the default hostname that the FTP server reports for the virtual domain at address. It is used in the /etc/ftpd/ftpaccess file.
NOTE: The virtual address hostname string directive does not require the virtual address root directive. It overrides the global hostname string directive.
• virtual address private
• root path
• banner path
• logfile path
• hostname string
• email string
• incmail emailaddress
• mailfrom emailaddress

Usage
This section describes the functionality of the various directives.

The virtual address allow username and virtual address deny username directives
These directives are used to allow or deny real and guest users to log in to a virtual FTP setup. These directives can also be used in the master /etc/ftpd/ftpaccess file.
The incmail emailaddress directive
This directive changes the email address that receives anonymous upload notifications. It is used in the /etc/ftpd/ftpaccess file.
NOTE: Do not use the virtual address incmail emailaddress directive in the virtual domain's ftpaccess file; it has no effect there.

The mailfrom emailaddress directive
This directive changes the sender's email address for anonymous upload notifications. It is used in the /etc/ftpd/ftpaccess file.
notification or if downstream mail problems generate bounces, ensure that the mailfrom address is a valid address, to avoid delivery problems.
Table 1 FTP Daemon timeout Options (continued)
Option   Description
RFC931   The maximum time the daemon allows for the entire RFC 931 (Authentication Server) conversation. The default value is 10 seconds.
maxidle  The SITE IDLE command lets a remote client request a longer idle timeout. The maxidle option in the /etc/ftpd/ftpaccess file sets the upper bound that a SITE IDLE request can reach. The default value is 1200 seconds.
Example 2 The passive Clause
The following are examples of the passive clause:
passive address 10.0.1.15 10.0.0.0/8
In this example, clients connecting from the class A network 10.0.0.0/8 are told that the passive data connection is listening on the IP address 10.0.1.15. This is how a server behind NAT advertises an address that its clients can actually reach.
passive ports 10.0.0.0/8 90 100
In this example, if the control connection comes from the class A network 10.0.0.0/8, the daemon listens for the data connection on a port chosen at random from the range 90 through 100.
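To make the matching concrete, the following is an added example, not HP's code and not part of wu-ftpd: it parses the two passive clauses above plus two constructed entries for a 0.0.0.0/0 default, resolves what a given client is told, and formats the RFC 959 227 reply the client parses. The first-match precedence and the 1024 to 65535 fallback range are assumptions of this example; ftpaccess(4) is authoritative for the daemon's own behaviour.

```python
"""Resolve wu-ftpd style 'passive address' / 'passive ports' clauses.

Added example; not part of the HP release notes or of wu-ftpd itself.
"""
import ipaddress
import random
from typing import List, Optional, Tuple

# Constructed sample /etc/ftpd/ftpaccess fragment. The 10.0.1.15 and
# 10.0.0.0/8 entries are the ones quoted in the release notes; the
# 203.0.113.7 and 0.0.0.0/0 entries are made up for this example.
SAMPLE_FTPACCESS = """\
# internal clients are told the server's real address and a narrow range
passive address 10.0.1.15 10.0.0.0/8
passive ports 10.0.0.0/8 90 100
# everyone else is told the externally visible (NAT) address
passive address 203.0.113.7 0.0.0.0/0
passive ports 0.0.0.0/0 50000 50100
"""

AddrRule = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]
PortRule = Tuple[ipaddress.IPv4Network, int, int]


def parse_passive_clauses(text: str) -> Tuple[List[AddrRule], List[PortRule]]:
    """Collect 'passive address <ip> <cidr>' and 'passive ports <cidr> <lo> <hi>'."""
    addrs: List[AddrRule] = []
    ports: List[PortRule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        fields = line.split()
        if len(fields) < 4 or fields[0] != "passive":
            continue
        if fields[1] == "address" and len(fields) == 4:
            addrs.append((ipaddress.ip_network(fields[3], strict=False),
                          ipaddress.ip_address(fields[2])))
        elif fields[1] == "ports" and len(fields) == 5:
            lo, hi = int(fields[3]), int(fields[4])
            if not 0 < lo <= hi <= 65535:
                raise ValueError(f"bad port range in: {raw!r}")
            ports.append((ipaddress.ip_network(fields[2], strict=False), lo, hi))
        else:
            raise ValueError(f"unrecognised passive clause: {raw!r}")
    return addrs, ports


def resolve_passive(client_ip: str, addrs, ports, local_ip: str,
                    seed: Optional[int] = None) -> Tuple[str, int, Tuple[int, int]]:
    """Return (advertised address, chosen port, port range) for one client.

    Assumption of this example: the first matching clause wins, and a client
    matched by no 'passive ports' clause gets an unprivileged port 1024-65535.
    """
    client = ipaddress.ip_address(client_ip)
    advertised = ipaddress.ip_address(local_ip)   # default: the real local address
    for net, ip in addrs:
        if client in net:
            advertised = ip
            break
    lo, hi = 1024, 65535
    for net, plo, phi in ports:
        if client in net:
            lo, hi = plo, phi
            break
    port = random.Random(seed).randint(lo, hi)
    return str(advertised), port, (lo, hi)


def pasv_reply(advertised: str, port: int) -> str:
    """Format the RFC 959 '227' reply the client parses to find the data port."""
    octets = ipaddress.IPv4Address(advertised).packed
    return "227 Entering Passive Mode (%d,%d,%d,%d,%d,%d)" % (
        octets[0], octets[1], octets[2], octets[3], port >> 8, port & 0xFF)


if __name__ == "__main__":
    rules = parse_passive_clauses(SAMPLE_FTPACCESS)
    for client in ("10.20.30.40", "198.51.100.9"):
        addr, port, rng = resolve_passive(client, *rules, local_ip="10.0.1.15", seed=1)
        print(client, "->", pasv_reply(addr, port), "range", rng)
```

Because the example stops at the first matching clause, the catch-all 0.0.0.0/0 entries must come last; a catch-all placed first would hide every narrower entry below it. Ports 90 to 100 in the release-notes example are privileged ports, which only works because ftpd binds them as root.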
• Virtual Server
You can use the virtual server clauses to restrict user access to both the virtual and non-virtual domains. Additionally, you can use the options specified in the virtual clause to display the virtual host name. The syntax for the virtual clause is as follows:
virtual address allow [ username ...]
virtual address deny [ username ...]
virtual address private
virtual address { hostname|email } string
defaultserver deny [ username ...
The syntax for the greeting clause is as follows:
greeting full|brief|terse
greeting text string
Using the greeting text clause, you can print a message different from the standard greeting message.
Example 4 The greeting Clause
An example of the greeting clause is as follows:
greeting text Hi!!! Welcome to FTP Server
This clause displays the message Hi!!! Welcome to FTP Server as the greeting message.
• Session Time Limit
This feature allows you to limit the total time for a session.
NOTE: You can specify only negative values for nice-delta. Positive values and 0 are ignored.
• The defumask Clause
The defumask clause sets the umask applied to files created by the FTP daemon when the remote user is a member of the named class. You can enter multiple defumask entries in the /etc/ftpd/ftpaccess file. An entry that names no class is the default umask for every class that has no defumask entry of its own.
Example 8 The anonymous-root Clause
The following are examples of the anonymous-root clause:
anonymous-root /home/ftp
anonymous-root /home/localftp localnet
The first example changes the root directory of all anonymous users to /home/ftp; the second does the same with /home/localftp, but only for anonymous users in the class localnet. After the change of root, the anonymous user’s current working directory is the home directory: if an ftp user entry exists in the /home/ftp/etc/passwd file, the user’s current working directory is the home directory given there.
A default limit applies to all classes for which you have not specified a limit. When the FTP session logs off, this directive prints the number of files and the number of bytes transferred.
• You can limit the number of data files that a user in the given class can transfer in a session. You can specify a directive in the /etc/ftpd/ftpaccess file to limit the number of incoming files, outgoing files, or both.
However, if you specify tcp instead of tcp6, FTP operates in IPv4 mode. Following are the features that support IPv6:
• Implementation of RFC 2428 (FTP Extensions for IPv6 and NATs). This RFC specifies a method by which FTP clients and servers exchange data connection information, such as port, host address, and protocol family, for both IPv4 and IPv6 addresses. FTP uses EPRT and EPSV instead of PORT and PASV, respectively, for IPv6 connections.
Example 13 LPSV Command Output
The following displays the output of the LPSV command:
ftp> passive
Passive mode on.
-------> LPSV
228 Entering Long Passive Mode (6,16,254,128,0,0,0,0,0,0,2,96,176,255,254,193,123,47,2,134,7)
NOTE: The FTP client must be started with the -l option to use the LPSV and LPRT commands. The FTP session command longaddr toggles the use of the LPRT (long port) and LPSV (long passive) commands defined in RFC 1639. For more information on the -l option, type man 1 ftp at the HP-UX prompt.
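The reply above is a list of decimal bytes: address family, address length, the address bytes, port length, and the two port bytes. The following added example, which is not HP's or wu-ftpd's code, decodes that exact reply into an IPv6 address and port, decodes the RFC 2428 EPSV reply described in the IPv6 section above (the 229 sample line is constructed), builds the matching EPRT command, and applies one check a careful client makes before opening the data connection: the advertised address must be the control-connection peer, so a server cannot redirect the client to a third host. That refusal policy is this example's choice, not something the release notes attribute to the HP client.

```python
"""Parse LPSV (RFC 1639) and EPSV (RFC 2428) replies and build EPRT commands.

Added example; not HP's or wu-ftpd's code.
"""
import ipaddress
import re
from typing import Tuple

# The LPSV reply quoted in the release notes.
LPSV_SAMPLE = ("228 Entering Long Passive Mode "
               "(6,16,254,128,0,0,0,0,0,0,2,96,176,255,254,193,123,47,2,134,7)")
# Constructed EPSV reply for the same port (an EPSV reply carries no address).
EPSV_SAMPLE = "229 Entering Extended Passive Mode (|||34311|)"

LPSV_FAMILIES = {4: 4, 6: 16}        # RFC 1639 af -> expected host address length
EPRT_PROTO = {4: 1, 6: 2}            # IP version -> RFC 2428 net-prt code


def parse_lpsv(reply: str) -> Tuple[str, int]:
    """Decode a 228 reply (af, hal, h1..hN, pal, p1, p2) into (address, port)."""
    m = re.match(r"228\s.*\(([\d\s,]+)\)", reply)
    if not m:
        raise ValueError(f"not an LPSV 228 reply: {reply!r}")
    nums = [int(x) for x in m.group(1).replace(" ", "").split(",")]
    if len(nums) < 2:
        raise ValueError("reply too short")
    af, hal = nums[0], nums[1]
    if LPSV_FAMILIES.get(af) != hal:
        raise ValueError(f"unsupported address family {af} / length {hal}")
    host = nums[2:2 + hal]
    rest = nums[2 + hal:]
    # exactly hal host bytes, then pal == 2 and two port bytes, nothing more
    if len(host) != hal or len(rest) != 3 or rest[0] != 2:
        raise ValueError("malformed host/port fields")
    if any(not 0 <= b <= 255 for b in nums):
        raise ValueError("byte value out of range")
    address = ipaddress.ip_address(bytes(host))
    port = (rest[1] << 8) | rest[2]
    return str(address), port


def parse_epsv(reply: str) -> int:
    """Decode a 229 reply '(|||port|)'; the address is the control peer's."""
    m = re.match(r"229\s.*\((.)\1\1(\d+)\1\)", reply)
    if not m:
        raise ValueError(f"not an EPSV 229 reply: {reply!r}")
    port = int(m.group(2))
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def build_eprt(address: str, port: int) -> str:
    """Build the EPRT command a client sends for active mode (RFC 2428)."""
    ip = ipaddress.ip_address(address)
    return f"EPRT |{EPRT_PROTO[ip.version]}|{ip}|{port}|"


def passive_target_is_safe(control_peer: str, data_address: str) -> bool:
    """Accept a data connection only to the host the control connection reaches.

    Policy of this example: a reply pointing at any other host is treated as
    a redirect attempt and not followed.
    """
    return ipaddress.ip_address(control_peer) == ipaddress.ip_address(data_address)


if __name__ == "__main__":
    addr, port = parse_lpsv(LPSV_SAMPLE)
    print("LPSV ->", addr, port)
    print("EPSV ->", parse_epsv(EPSV_SAMPLE))
    print(build_eprt(addr, port))
    print("safe:", passive_target_is_safe(addr, "fe80::1"))
```

For the reply quoted in Example 13 the decoder yields fe80::260:b0ff:fec1:7b2f and port 34311 (134 × 256 + 7). The length checks matter: a server that sends fewer address bytes than it announces, or a port-length other than 2, is rejected rather than silently misparsed.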
Compatibility and installation information
This section describes the compatibility and installation requirements.
Compatibility information
Customers currently using WU-FTPD 2.4 do not need to modify their configuration file; the WU-FTPD 2.4 configuration is compatible with this release of WU-FTPD. However, HP recommends that you use the WU-FTPD 2.6.1 configuration file delivered with this release to take advantage of the new features and changes incorporated in WU-FTPD 2.6.1.
This command reverts the system to the base version of FTPD (WU-FTPD 2.4) that is delivered with the core HP-UX 11i v1 operating system. If you wish to upgrade your operating system and if the Web upgrade version of WU-FTPD is enabled on the existing operating system, you must revert to the previous version of WU-FTPD using the enable_inet -r wuftpd command before upgrading the operating system.
Table 4 WU-FTPD 2.6.1 Manpages (continued)
Manpage            Description
ftpaccess(4)       File used to configure the operation of ftpd(1M)
ftpgroups(4)       Group password file for use with the SITE GROUP and SITE GPASS commands
ftpservers(4)      File that contains the set of virtual domain configuration files that the ftpd(1M) server must use
ftpconversions(4)  ftpd(1M) conversion database
Table 5 Defects Fixed in the HP-UX 11i v1 Operating System (continued)
Identifier                   Description
JAGae53898/QXCR1000519011    Enhancement request to log the client IP address along with other information in the /var/adm/wtmp file for successful logins and to log unsuccessful login attempts to the /var/adm/btmp file.
JAGae69021/QXCR1000522851    ftp(1) generates an incorrect transfer report while storing files larger than 2 GB.
JAGae58493/                  The get command of ftp(1) does not function properly.
JAGaf32059/QXCR1000538330    ...mounted system, which is full, the ftp(1) get or mget command fails without displaying any error message. As a result, unreported data loss may occur.
JAGae79698/QXCR1000525558    The restart command in ftp(1) does not work properly when the restart marker is set to a value greater than or equal to 2 GB.
Defects fixed in WU-FTPD 2.6.1 (B.11.11.01.011)
JAGag46940/QXCR1000591157    In an IPv6 environment, ftpd(1M) does not function properly for certain directives in the ftpaccess(4) file.
JAGaf91258/                  Certain inputs to ftpd(1M) can cause a huge delay in the response.
Defects fixed in the HP-UX 11i v2 operating system
Table 6 describes the defects fixed in the HP-UX 11i v2 operating system.
Table 6 Defects Fixed in the HP-UX 11i v2 Operating System
Identifier        Description
Defects fixed in WU-FTPD 2.6.1 (B.11.23.01.002)
QXCR1001173382    When FTP is used with OpenSSL version 0.9.8r, it fails to use the SSL subsystem.
Table 7 Defects Fixed in the HP-UX 11i v3 Operating System (continued)
Identifier        Description
QXCR1001209946    When "mget *" is issued in the ftp session, the client tries to retrieve the directories as well as the files, which causes transfer failures.
QXCR1001213243    When a self-signed certificate is present in a certificate chain, FTP allows the connection to be established even though authmode is set to client_must.
WU-FTPD 2.6.