WU-FTPD 2.6.
Legal Notices © Copyright 2001-2010 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice.
Table of Contents
1 WU-FTPD 2.6.1 Release Notes (page 9)
  Announcement (page 10)
  What Is In This Version (page 10)
  WU-FTPD 2.6.1 Features
  Defects Fixed in the HP-UX 11i v1 Operating System (page 49)
  Defects Fixed in the HP-UX 11i v3 Operating System
List of Figures
1-1 Structure of an FTP Server Hosting Two Virtual Domains
List of Tables
1-1 FTP Daemon timeout Options (page 33)
1-2 The virtual Clause Options (page 36)
1-3 New Options in WU-FTPD 2.6.1 (page 41)
1-4 WU-FTPD 2.6.1 Manpages
1-5 Defects Fixed in the HP-UX 11i v1 Operating System
1-6 Defects Fixed in the HP-UX 11i v3 Operating System
List of Examples
1-1 The /etc/ftpd/ftpservers Configuration File Entry (page 26)
1-2 The passive Clause (page 34)
1-3 The hostname Clause (page 36)
1-4 The greeting Clause
1-5 The ul-dl-rate Clause
1-7 The site-exec-max-lines Clause
1-8 The anonymous-root Clause
1-10 EPRT Command Output for IPv4 and IPv6 Connections
1-13 LPSV Command Output
1 WU-FTPD 2.6.1 Release Notes
This document discusses the most recent product information pertaining to WU-FTPD 2.6.1. It also discusses how to install WU-FTPD 2.6.1 on the HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3 operating systems. This document addresses the following topics:
• “Announcement” (page 10)
• “What Is In This Version” (page 10)
• “WU-FTPD 2.6.
Announcement The File Transfer Protocol (FTP) enables you to transfer files between a client host system and a remote server host system. On the client system, a file transfer program provides a user interface to FTP; on the server, the requests are handled by the FTP daemon, ftpd. WU-FTPD 2.6.1 is an HP implementation of the FTP daemon based on the replacement FTP daemon, developed at Washington University. WU-FTPD 2.6.1 is the latest version of WU-FTPD 2.6.
NOTE: Except for the TLS/SSL feature, all the features discussed in this section are available in WU-FTPD 2.6.1 on the HP-UX 11i v1 operating system.
Support for TLS/SSL
The Transport Layer Security/Secure Sockets Layer (TLS/SSL) feature enables the HP-UX FTP product to use the security features provided by OpenSSL. When this feature is enabled, HP-UX FTP provides an encrypted FTP control session and, with data channel protection enabled, encrypted file transfers. This section discusses the various components used by TLS/SSL to provide these security services.
• produce the ciphertext output that must be decrypted by the recipient. Commonly used private key (symmetric) algorithms include DES, Blowfish, AES, and IDEA. Of these, DES is obsolete: its 56-bit key is within reach of brute force, so it should not be selected in a cipher suite.
• Public key algorithms. These algorithms use two mathematically related keys, one public and one private, so that encryption and decryption are performed with different keys. Their security rests on functions that are easy to compute in one direction but infeasible to invert without the private key, provided the keys are large enough.
Certificates and Authorities
A certificate is a collection of information that uniquely identifies a client or a server. It includes descriptive fields, such as the name of an organization and its location, and cryptographic information, such as keys and signatures. The private key of an asymmetric key pair is used to create a signature over content; anyone holding the corresponding public key can verify that signature, which establishes that the holder of the private key produced it. Combined with a certificate that binds the public key to a name, this signature can be used to offer proof of identity.
mail relaying, or entry into a network. You can either use the commercial TLS/SSL certificates (certs) to verify the identity of the WU-FTPD 2.6.1 server, or create your own certificates for the WU-FTPD 2.6.1 servers. Generating Certificates and Keys Using OpenSSL 0.9.7m The FTP client in an HP-UX operating system (HP-UX FTP) is compatible only with standard X.509 certificates in PEM format.
    print "Certificate is in newcert.pem, private key is in newkey.pem\n"
} elsif (/^-newreq$/) {
    system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS");   (2)
    $RET=$?;
    print "Request is in newreq.pem, private key is in newkey.pem\n";
} elsif (/^-newreq-nodes$/)

Callout (1) marks the system() call of the -newcert branch, immediately above this excerpt; callout (2) marks the system() call of the -newreq branch shown above.
(1) Replace this line with the following:
    system ("$REQ -new -nodes -x509 -keyout newkey.pem -out newcert.pem $DAYS");
(2) Replace this line with the following:
    system ("$REQ -new -nodes -keyout newkey.pem -out newreq.
Verifying - Enter PEM pass phrase:
Enter the passphrase again. The following message is displayed:
You are about to be asked to enter information that will be incorporated into your certificate request.
Enter the organization name, location, and your name. After you answer the questions prompted by the ./CA.pl -newca command, the following files are created:
• The ./demoCA/cacert.pem file. This is the CA certificate file you can exchange with communication partners for TLS authentication or verification.
5. Create a subdirectory security under the /etc/ftpd directory:
   mkdir -p /etc/ftpd/security
6. Change to the security directory:
   cd /etc/ftpd/security
7. Copy the previously created CA certificate, the FTP server certificate, and the key from the /opt/openssl/misc/ directory to the /etc/ftpd/security directory. The copied key file must be owned by root and readable by root only, because anyone who can read it can impersonate the server:
   cp /opt/openssl/misc/demoCA/cacert.pem /etc/ftpd/security/ftpd-rsa-ca.pem
   cp /opt/openssl/misc/newkey.pem /etc/ftpd/security/ftpd-rsa-key.pem
   cp /opt/openssl/misc/newcert.
NOTE: By default, the CA.pl script asks for a passphrase to protect the private keys. If you keep the key protected by a PEM passphrase, ftpd cannot load it unattended unless you supply the passphrase with the ftpd -z password=value option. A passphrase given on the ftpd command line is readable in /etc/inetd.conf and visible in ps output, so it adds little over a key generated with -nodes; in either case the key file itself must be readable only by root.
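The choice between a passphrase-protected key and a -nodes key, and the file permissions the note above depends on, are easy to check before the server is started. The following is an added example, not part of the HP documentation or of the WU-FTPD product: it inspects PEM material to tell an unencrypted key from a passphrase-protected one (both the legacy Proc-Type header and the PKCS#8 ENCRYPTED PRIVATE KEY label) and audits an on-disk key file's mode and ownership. The PEM samples are constructed placeholders, not real keys or certificates.

```python
import os
import re
import stat
import tempfile

# Constructed PEM samples: the bodies are placeholder text, not real key or
# certificate material, so that this example runs offline.
UNENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIBOgIBAAJBAKplaceholderplaceholderplaceholder=\n"
    "-----END RSA PRIVATE KEY-----\n"
)
LEGACY_ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n"
    "\n"
    "placeholderciphertextplaceholderciphertext=\n"
    "-----END RSA PRIVATE KEY-----\n"
)
PKCS8_ENCRYPTED_KEY = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
    "MIIBvTBXBgkqplaceholderplaceholder=\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n"
)
CERTIFICATE = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAV2gAwIBAgIplaceholder=\n"
    "-----END CERTIFICATE-----\n"
)

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)


def inspect_pem(text):
    """Return a list of (label, is_private_key, is_encrypted) per PEM block.

    A key written by CA.pl without -nodes is marked either by the
    'ENCRYPTED PRIVATE KEY' label (PKCS#8) or by a 'Proc-Type: 4,ENCRYPTED'
    header inside a legacy 'RSA PRIVATE KEY' block.
    """
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        raise ValueError("no PEM block found (the HP-UX client needs PEM X.509)")
    result = []
    for label, body in blocks:
        is_key = label.endswith("PRIVATE KEY")
        encrypted = is_key and (
            label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in body
        )
        result.append((label, is_key, encrypted))
    return result


def needs_passphrase(text):
    """True if ftpd could only load this key with -z password=... set."""
    return any(enc for _, is_key, enc in inspect_pem(text) if is_key)


def key_file_problems(path, expected_uid=0):
    """Audit an on-disk key file the way a deployment review would.

    Returns a list of problem strings; an empty list means the file is
    acceptable.  expected_uid=None skips the ownership check (useful when
    the check runs as a non-root user).
    """
    st = os.stat(path)
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("readable or writable by group/other (expected mode 0600)")
    if expected_uid is not None and st.st_uid != expected_uid:
        problems.append("not owned by uid %d" % expected_uid)
    with open(path) as fh:
        if not any(is_key for _, is_key, _ in inspect_pem(fh.read())):
            problems.append("file contains no private key")
    return problems


def write_temp_file(text, mode):
    """Demonstration helper: write text to a temporary file with the given mode."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for name, sample in [("newkey.pem from -nodes", UNENCRYPTED_KEY),
                         ("newkey.pem, legacy passphrase", LEGACY_ENCRYPTED_KEY),
                         ("newkey.pem, PKCS#8 passphrase", PKCS8_ENCRYPTED_KEY)]:
        print(name, "-> needs -z password=:", needs_passphrase(sample))
    path = write_temp_file(UNENCRYPTED_KEY, 0o644)
    print(path, key_file_problems(path, expected_uid=None))
```

Run it as root against /etc/ftpd/security/ftpd-rsa-key.pem with the default expected_uid=0 to confirm the key ftpd will read is unencrypted (or that -z password= is really needed) and is not exposed to other local users.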
1. Ensure that the OpenSSL software is installed on the system.
2. For the HP-UX 11i v2 operating system, the WU-FTPD 2.6.1 software bundle provides the FTP product bundle and the SSL libraries as two independent products. So, ensure that the ftp-ssl-ncf FTP TLS enhancement software is installed on the system.
   For the HP-UX 11i v3 operating system, the WU-FTPD 2.6.1 software bundle provides the FTP server and the SSL libraries as a single product, so no additional software needs to be installed on the system.
3. Configure OpenSSL and generate X.509 certificates and keys before starting the FTP server.
4. Enable TLS configuration for the FTP server using either of the following methods:
   • Using the -z command-line option in ftpd(1M).
   • Using the TLS configuration file.
FTP_SSL_DEBUG_MODE   Specifies whether the SSL features run in debug mode. If the debug mode is set to 2, extended logging is performed.
FTP_SSL_NOFALLBACK   Specifies whether SSL fallback is disabled. By default, fallback is enabled, so a session for which TLS cannot be negotiated continues as an unprotected FTP session; set this variable when a plaintext session is not acceptable.
FTP_SSL_PROT         Specifies whether data channel encryption is enabled. By default, it is enabled.
FTP_SSL_RANDFILE     Specifies the file used to seed the random number generator.
FTP_SSL_LOGFILE      Specifies the log file for the debug mode.
FTP_SSL_RANDFILE=/dev/urandom
FTP_SSL_LOGFILE=/tmp/ssl.log
FTP_SSL_CONFIG_FILE=flist.txt
FTP_SSL_CERT_FILE=/home/SSL/CERTS/client-cert.pem
FTP_SSL_DSACERT_FILE=/home/SSL/CERTS/dsaclient-cert.pem
FTP_SSL_KEYT_FILE=/home/SSL/CERTS/server-key.pem
FTP_SSL_DSAKEY_FILE=/home/SSL/CERTS/dsaclient-key
FTP_SSL_CA_FILE=/home/SSL/CERTS/ca-cert.
In this sample the debug log is written to /tmp/ssl.log. On a multi-user system, prefer a log file in a directory writable only by the invoking user: in a world-writable directory such as /tmp, another local user can pre-create the file name (for example as a symbolic link) before the client opens it.
key=/etc/ftpd/security/ftpd-rsa-key.pem -z CAfile=/etc/ftpd/security/ftpd-rsa-ca.pem
• Using the Configuration File
Specify the TLS configuration file in the FTP service entry in the /etc/inetd.conf file. Following is the FTP service entry in the /etc/inetd.conf file:
ftp stream tcp6 nowait root /usr/lbin/ftpd ftpd -l -L -a -z usetls -z config=/etc/ftpd/security/tls.conf
Following are the contents of the /etc/ftpd/security/tls.
export FTP_SSL_CERT_FILE=/home/user1/certificate.pem
export FTP_SSL_KEYT_FILE=/home/user1/private-key.pem
• Using Command-Line Options
To start the FTP client using command-line options, run the following command:
ftp -z CAfile=/etc/ftpd/security/ca.pem -z cert=/home/user1/certificate.pem -z key=/home/user1/private-key.pem
• Using the Configuration File
To start the FTP client using a configuration file, run the following command:
ftp -z config=
where:
5.
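The server-side -z options in /etc/inetd.conf and the client-side FTP_SSL_* variables described above are the two places where a TLS deployment is typically weakened. The following is an added example, not HP's code and not part of WU-FTPD: it parses an inetd.conf ftp entry for its -z options and flags the settings a reviewer would question (TLS not enabled, a passphrase on the command line, certificate material missing when no config file is given), and it audits a client environment for plaintext fallback, a missing CA file, a log file under /tmp, and a static RANDFILE. The inetd lines and the environment dictionaries are constructed for the example; the certificate file name /etc/ftpd/security/server-cert.pem in the weak entry is a hypothetical name, and the example treats any non-empty FTP_SSL_NOFALLBACK value as "set" because the page does not state the variable's accepted values.

```python
import shlex
from pathlib import PurePosixPath

# Constructed sample inputs (not taken from any real system).
SERVER_ENTRY_WEAK = (
    "ftp stream tcp6 nowait root /usr/lbin/ftpd ftpd -l -L -a "
    "-z usetls -z cert=/etc/ftpd/security/server-cert.pem "   # hypothetical name
    "-z key=/etc/ftpd/security/ftpd-rsa-key.pem -z password=s3cret"
)
SERVER_ENTRY_GOOD = (
    "ftp stream tcp6 nowait root /usr/lbin/ftpd ftpd -l -L -a "
    "-z usetls -z config=/etc/ftpd/security/tls.conf"
)
SERVER_ENTRY_PLAIN = "ftp stream tcp6 nowait root /usr/lbin/ftpd ftpd -l -L -a"

CLIENT_ENV_SAMPLE = {
    "FTP_SSL_RANDFILE": "/dev/urandom",
    "FTP_SSL_LOGFILE": "/tmp/ssl.log",
    "FTP_SSL_CERT_FILE": "/home/user1/certificate.pem",
    "FTP_SSL_KEYT_FILE": "/home/user1/private-key.pem",
}


def parse_inetd_ftp_entry(line):
    """Split an inetd.conf ftp entry and collect its -z options.

    Returns a dict mapping option name to its value ('-z name=value') or to
    True for bare flags such as '-z usetls'.  Raises ValueError if the line
    is not an inetd ftp entry.
    """
    fields = shlex.split(line)
    if len(fields) < 7 or fields[0] != "ftp":
        raise ValueError("not an inetd ftp entry")
    args = fields[6:]          # argv[0] of the daemon followed by its options
    opts = {}
    i = 0
    while i < len(args):
        if args[i] == "-z" and i + 1 < len(args):
            name, sep, value = args[i + 1].partition("=")
            opts[name] = value if sep else True
            i += 2
        else:
            i += 1
    return opts


def audit_server_entry(line):
    """Return findings for the ftpd entry; an empty list means nothing to fix."""
    opts = parse_inetd_ftp_entry(line)
    findings = []
    if not opts.get("usetls"):
        findings.append("TLS is not enabled: no -z usetls")
        return findings
    if "password" in opts:
        findings.append("key passphrase is on the command line: readable in "
                        "/etc/inetd.conf and visible in ps output")
    if "config" not in opts:
        for required in ("cert", "key", "CAfile"):
            if required not in opts:
                findings.append("-z %s= missing and no -z config= file given" % required)
    return findings


def audit_client_env(env):
    """Return findings for an ftp client environment (dict of FTP_SSL_* vars)."""
    findings = []
    if not env.get("FTP_SSL_NOFALLBACK"):
        findings.append("FTP_SSL_NOFALLBACK unset: the session may fall back to "
                        "plaintext if TLS cannot be negotiated")
    if not env.get("FTP_SSL_CA_FILE"):
        findings.append("FTP_SSL_CA_FILE unset: the server certificate cannot be verified")
    log = env.get("FTP_SSL_LOGFILE")
    if log and PurePosixPath(log).parts[:2] == ("/", "tmp"):
        findings.append("FTP_SSL_LOGFILE is under /tmp: another local user can "
                        "pre-create or redirect the file")
    rnd = env.get("FTP_SSL_RANDFILE")
    if rnd and rnd not in ("/dev/urandom", "/dev/random"):
        findings.append("FTP_SSL_RANDFILE is a static file rather than a kernel RNG device")
    if bool(env.get("FTP_SSL_CERT_FILE")) != bool(env.get("FTP_SSL_KEYT_FILE")):
        findings.append("client certificate and key must be configured together")
    return findings


if __name__ == "__main__":
    for label, entry in [("weak", SERVER_ENTRY_WEAK), ("good", SERVER_ENTRY_GOOD),
                         ("plain", SERVER_ENTRY_PLAIN)]:
        print(label, audit_server_entry(entry))
    print("client", audit_client_env(CLIENT_ENV_SAMPLE))
```

On a real system, feed it the ftp line from /etc/inetd.conf and the user's exported FTP_SSL_* variables (os.environ) instead of the constructed samples.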
Virtual FTP Support Virtual FTP support enables you to manage an FTP server for multiple domains on the same machine. Virtual FTP allows an administrator to configure a system to display a different banner, log file, and directory to a user when the user is connected to different domains on the same system. The advantage of virtual FTP support is that the identity of the machine is hidden. Additionally, this feature enables a single machine to act as multiple FTP servers for multiple domains.
NOTE: A sample configuration file exists in the /usr/newconfig/etc/ftpd/examples directory.
Example 1-1 The /etc/ftpd/ftpservers Configuration File Entry
The following example shows a possible entry in the /etc/ftpd/ftpservers configuration file:
123.123.123.123 /etc/ftpd/somedomain
In this example, when an FTP client connects to the server using the IP address 123.123.123.
virtual address allow username [ username ... ]
virtual address deny username [ username ... ]
The virtual address private directive
This directive denies anonymous FTP logins on the virtual server. By default, anonymous users are allowed to log in to a virtual FTP setup.
virtual address private
The virtual address root path and virtual address banner path directives
The root directive sets the root directory of the virtual server, and the banner directive names the file whose contents are displayed as the banner message. Both are used in the master /etc/ftpd/ftpaccess file.
NOTE: The virtual address hostname string directive does not require the virtual address root directive. This directive overrides the hostname string directive. If the /etc/ftpd/ftpaccess file has the hostname string directive but does not have the virtual address hostname string directive, then the hostname string directive does not affect the behavior of the ftpd(1M) daemon.
NOTE: The virtual address mailfrom emailaddress directive does not require the virtual address root path directive. This directive overrides the mailfrom emailaddress directive. If the master /etc/ftpd/ftpaccess configuration file has the mailfrom emailaddress directive but does not have the virtual address mailfrom emailaddress directive, the mailfrom emailaddress directive does not affect the behavior of the ftpd(1M) daemon.
NOTE: Do not use the virtual address banner path directive in the ftpaccess file of the virtual domain because the directive does not have any effect. The logfile path directive This directive is used to change the path of the xferlog(4) file. This directive is used in the /etc/ftpd/ftpaccess file. NOTE: Do not use the virtual address logfile path directive in the ftpaccess file of the virtual domain because the directive does not have any effect. The hostname some.host.
1. Set up an IP alias for the FTP server machine using the ifconfig command. For example:
   ifconfig lan0:1 15.70.178.100 netmask 0xffffff00 up
   The IP address 15.70.178.100 is set as an alias on the interface lan0. The FTP server machine can now also be reached at 15.70.178.100 through lan0.
2. Declare the following directives in the /etc/ftpd/ftpaccess file:
   virtual 15.70.178.100 root /virtual
   virtual 15.70.178.100 banner /virtual/banner.msg
   virtual 15.70.178.
The syntax for the email-on-upload feature is as follows:
— mailserver
— incmail, virtual incmail, defaultserver incmail
— mailfrom, virtual mailfrom, defaultserver mailfrom
— deny-email
If you specify virtual host addresses, only the addresses configured for that particular virtual host receive notification messages of anonymous uploads.
Table 1-1 FTP Daemon timeout Options
Option    Description
accept    The time period for which the daemon waits for an incoming (PASV) data connection. The default value is 120 seconds.
connect   The time period for which the daemon waits while attempting to establish an outgoing (PORT) data connection. The default value is 120 seconds. The connect option affects the actual connection attempt: the daemon makes several attempts at regular intervals, sleeping between each attempt, before disconnecting.
• Enhanced DNS Extensions
You can use this feature to refuse (or, with override, warn about and still allow) an FTP session when the reverse DNS lookup of the client fails or does not match the forward lookup. The syntax for the enhanced DNS extension feature is as follows:
dns refuse_mismatch filename [ override ]
dns refuse_no_reverse filename [ override ]
dns resolveroptions [ options ]
• Reported Address Control
This feature enables you to control the address reported in response to a PASV command and the TCP port numbers that can be used for a passive data connection. This is what lets a server behind a NAT device or firewall report its externally reachable address and a port range the firewall permits, instead of the address of its own interface.
NOTE: You cannot selectively allow PORT and PASV data connections in an IPv6 environment.
• The keepalive Clause
The keepalive clause lets you control how network disconnects are detected by setting the TCP SO_KEEPALIVE option on data sockets. Specify yes to set the option, or no to use the system default, which is usually off. HP recommends setting the keepalive clause to yes so that a data connection whose peer has silently disappeared is detected and closed rather than left open indefinitely.
defaultserver deny [ username ... ]
defaultserver allow [ username ... ]
defaultserver private
Table 1-2 shows different virtual clause examples.
Table 1-2 The virtual Clause Options
The virtual Clause Option        Description
virtual xx.xx.xx.xx allow root   Allows the root user to start an FTP session on the virtual server xx.xx.xx.xx.
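The virtual, defaultserver and passive directives above interact in ways that are easy to get wrong: which hostname or mailfrom applies to a virtual address, whether a given user may log in there, and which address and port range a client sees in a PASV reply. The following is an added example, not HP's code and not part of WU-FTPD: a small parser for those ftpaccess directives plus resolver functions that answer each question for a given server address and client. The ftpaccess text is constructed for the example. Assumptions not stated on the page: allow overrides deny and user names in allow/deny are shell-style patterns (so "deny *" followed by "allow name" gives a whitelist); the passive address and passive ports syntax follows the ftpaccess(4) manpage; and for several passive address entries the first matching network wins, so list the most specific network first. The hostname/mailfrom inheritance follows the notes above: a virtual address without its own directive gets no value from the master directive.

```python
import fnmatch
import ipaddress

# Constructed master /etc/ftpd/ftpaccess excerpt for the demonstration.
# Addresses and names are documentation values, not a real deployment.
MASTER_FTPACCESS = """\
# master directives for the default server
hostname ftp.example.net
mailfrom ftp-admin@example.net
defaultserver private

# address reported for PASV: most specific network first (first match wins)
passive address 10.0.0.10     10.0.0.0/8
passive address 198.51.100.10 0.0.0.0/0
passive ports 0.0.0.0/0 50000 50999

# a virtual server on an IP alias
virtual 10.0.0.10 root /virtual
virtual 10.0.0.10 banner /virtual/banner.msg
virtual 10.0.0.10 hostname ftp.virtual.example
virtual 10.0.0.10 private
virtual 10.0.0.10 deny *
virtual 10.0.0.10 allow ftpadmin
"""

ANONYMOUS_NAMES = ("anonymous", "ftp")


def parse_ftpaccess(text):
    """Parse the virtual, defaultserver and passive directives into a dict."""
    cfg = {
        "master": {},
        "defaultserver": {"allow": [], "deny": [], "private": False},
        "virtual": {},
        "passive_address": [],
        "passive_ports": [],
    }
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()      # drop comments and blanks
        if not words:
            continue
        kw = words[0]
        if kw == "virtual":
            addr, sub, rest = words[1], words[2], words[3:]
            v = cfg["virtual"].setdefault(addr, {"allow": [], "deny": [], "private": False})
            if sub in ("allow", "deny"):
                v[sub].extend(rest)
            elif sub == "private":
                v["private"] = True
            else:                              # root, banner, hostname, mailfrom, ...
                v[sub] = " ".join(rest)
        elif kw == "defaultserver":
            sub, rest = words[1], words[2:]
            if sub in ("allow", "deny"):
                cfg["defaultserver"][sub].extend(rest)
            elif sub == "private":
                cfg["defaultserver"]["private"] = True
        elif kw == "passive" and words[1] == "address":
            cfg["passive_address"].append(
                (ipaddress.ip_address(words[2]), ipaddress.ip_network(words[3], strict=False)))
        elif kw == "passive" and words[1] == "ports":
            cfg["passive_ports"].append(
                (ipaddress.ip_network(words[2], strict=False), int(words[3]), int(words[4])))
        else:
            cfg["master"][kw] = " ".join(words[1:])
    return cfg


CFG = parse_ftpaccess(MASTER_FTPACCESS)


def effective_setting(cfg, server_addr, key):
    """hostname/mailfrom/root/banner for a connection arriving on server_addr.

    A virtual address uses only its own 'virtual <addr> <key>' directive; the
    master directive is not inherited.  The default server uses the master.
    """
    if server_addr in cfg["virtual"]:
        return cfg["virtual"][server_addr].get(key)
    return cfg["master"].get(key)


def login_allowed(cfg, server_addr, user):
    """Apply private, then allow (which wins), then deny, for the server scope."""
    scope = cfg["virtual"].get(server_addr, cfg["defaultserver"])
    if user in ANONYMOUS_NAMES:
        return not scope["private"]
    if any(fnmatch.fnmatchcase(user, pat) for pat in scope["allow"]):
        return True
    return not any(fnmatch.fnmatchcase(user, pat) for pat in scope["deny"])


def reported_pasv_address(cfg, client_ip):
    """Address placed in the PASV reply for this client; None means the socket's own."""
    client = ipaddress.ip_address(client_ip)
    for external, net in cfg["passive_address"]:
        if client in net:
            return external
    return None


def pasv_port_range(cfg, client_ip):
    """(low, high) passive port range for this client, or None if unrestricted."""
    client = ipaddress.ip_address(client_ip)
    for net, low, high in cfg["passive_ports"]:
        if client in net:
            return (low, high)
    return None


if __name__ == "__main__":
    print("virtual hostname:", effective_setting(CFG, "10.0.0.10", "hostname"))
    print("virtual mailfrom:", effective_setting(CFG, "10.0.0.10", "mailfrom"))
    for user in ("anonymous", "alice", "ftpadmin"):
        print(user, "on 10.0.0.10 ->", login_allowed(CFG, "10.0.0.10", user))
    print("PASV address for 10.2.3.4:", reported_pasv_address(CFG, "10.2.3.4"))
    print("PASV ports for 203.0.113.7:", pasv_port_range(CFG, "203.0.113.7"))
```

Note that the whitelist pattern (deny * then allow name) only takes effect on the virtual address it is declared for; the default server in this sample still accepts every real user except anonymous.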
• Control Information
This feature allows you to control the information disclosed in the greeting message before a remote user logs in. For the greeting message, you can specify the host name and the daemon version (greeting full), only the host name (greeting brief), or only the message FTP server ready (greeting terse). The default greeting clause is greeting full. Because the full greeting reveals the exact server version to every unauthenticated client, greeting terse is the usual choice on Internet-facing servers.
Example 1-5 The ul-dl-rate Clause
An example for the ul-dl-rate clause is as follows:
ul-dl-rate 2
For every 1 byte of data that is uploaded, the FTP server allows 2 bytes of data to be downloaded.
• The nice Clause
The nice clause allows you to adjust the nice value of the FTP server process when the remote user is a member of the named class. If you do not specify a class, nice-delta is applied to the nice value of the FTP server process for all users.
The syntax for controlling the maximum number of lines of output is as follows:
site-exec-max-lines number [ class ... ]
Example 1-7 The site-exec-max-lines Clause
The following are some examples for the site-exec-max-lines clause:
site-exec-max-lines 200 remote
site-exec-max-lines 0 local
site-exec-max-lines 25
Example 1-7 contains three example statements for the site-exec-max-lines clause. The first example limits the output from SITE EXEC (and therefore SITE INDEX) to 200 lines for remote users.
Example 1-8 The anonymous-root Clause
The following are examples of the anonymous-root clause:
anonymous-root /home/ftp
anonymous-root /home/localftp localnet
The first example changes the root directory of all anonymous users to /home/ftp, which then serves as the anonymous user's home and current working directory. If the /home/ftp/etc/passwd file exists and contains an entry for the FTP user, that entry's home directory becomes the user's current working directory.
New Feature Related to Data Transfer The following lists the data transfer features: • For statistical purposes, you can track the total bytes of data transferred. Also, you can limit the number of data bytes that a user, in any given class, can transfer. You can specify a directive in the /etc/ftpd/ftpaccess file to limit the number of bytes incoming, outgoing, or both.
Table 1-3 New Options in WU-FTPD 2.6.1 (continued)
Option      Description
-X          Does not save the output created by the -i and -o options to the /var/adm/syslog/xferlog file but writes it to the /var/adm/syslog/syslog.log file instead.
-I          Enables the use of the Identification Protocol (RFC 1413) to attempt to determine the username on the client. The reply comes from the client host itself and is not authenticated, so treat it as logging information only, never as an input to access control.
-s and -S   Run the daemon in standalone operation mode.
Example 1-10 EPRT Command Output for IPv4 and IPv6 Connections
The following displays the output for the EPRT command for IPv4 and IPv6 connections. The argument carries the address family (1 for IPv4, 2 for IPv6), the address, and the port:
For IPv4:
------> EPRT 1 132.235.1.2 50934
For IPv6:
------> EPRT 2 fe80::260:b0ff:fec1:7b2f 50934
— EPSV - Extended Passive
This command requests the server to listen on a data port and wait for a connection. The response to this command includes only the TCP port number of the listening connection; the client connects to that port at the same address it used for the control connection.
Example 1-13 LPSV Command Output
The following displays the output for the LPSV command:
ftp> passive
Passive mode on.
-------> LPSV
228 Entering Long Passive Mode (6,16,254,128,0,0,0,0,0,0,2,96,176,255,254,193,123,47,2,134,7)
The reply lists the address family (6), the address length (16), the 16 address bytes, the port length (2), and the 2 port bytes; here they decode to the IPv6 address fe80::260:b0ff:fec1:7b2f and port 34311.
NOTE: The FTP client must use the -l option to use the LPSV and LPRT commands. The FTP session command longaddr toggles the use of the LPRT (long port) and LPSV (long passive) commands. For more information on the -l option, type man 1 ftp at the HP-UX prompt.
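The PORT, EPRT, EPSV and LPRT/LPSV forms above all name the endpoint of a data connection, and a server that honours them blindly can be turned into a port scanner or a relay (the classic FTP bounce attack). The following is an added example, not HP's code and not part of WU-FTPD: parsers for each address encoding, including the RFC 1639 long form used in the LPSV reply of Example 1-13, and a check that refuses a requested data endpoint that is not the client's own control-connection address or that targets a privileged port. The LPSV reply is the one shown above; the PORT, EPRT and EPSV lines are constructed for the example.

```python
import ipaddress
import re

# Constructed control-channel samples.  The LPSV reply is the one from
# Example 1-13; the other lines are made up for this example.
SAMPLE_LPSV_REPLY = ("228 Entering Long Passive Mode "
                     "(6,16,254,128,0,0,0,0,0,0,2,96,176,255,254,193,123,47,2,134,7)")
SAMPLE_PORT_ARG = "132,235,1,2,198,246"
SAMPLE_EPRT_ARG = "|2|fe80::260:b0ff:fec1:7b2f|50934|"
SAMPLE_EPSV_REPLY = "229 Entering Extended Passive Mode (|||50934|)"

ADDR_LEN = {4: 4, 6: 16}      # RFC 1639 address length per address family


def parse_port(arg):
    """PORT h1,h2,h3,h4,p1,p2 -> (IPv4Address, port)."""
    nums = [int(x) for x in arg.split(",")]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError("malformed PORT argument")
    return ipaddress.IPv4Address(bytes(nums[:4])), (nums[4] << 8) | nums[5]


def parse_eprt(arg):
    """EPRT <d><af><d><addr><d><port><d> (RFC 2428) -> (ip_address, port)."""
    if len(arg) < 2 or arg[0] != arg[-1]:
        raise ValueError("malformed EPRT argument")
    fields = arg[1:-1].split(arg[0])
    if len(fields) != 3:
        raise ValueError("malformed EPRT argument")
    af, host, port = fields
    addr = ipaddress.ip_address(host)
    if {"1": 4, "2": 6}.get(af) != addr.version:
        raise ValueError("address family does not match address")
    port = int(port)
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    return addr, port


def parse_epsv_reply(reply):
    """229 ... (<d><d><d><port><d>) -> port; the address is the control peer's."""
    m = re.search(r"\((.)\1\1(\d+)\1\)", reply)
    if not m:
        raise ValueError("malformed EPSV reply")
    return int(m.group(2))


def parse_long_address(arg):
    """LPRT argument or LPSV reply (RFC 1639) -> (ip_address, port).

    Layout: af, hal, <hal address bytes>, pal, <pal port bytes>.
    """
    body = arg[arg.index("(") + 1:arg.rindex(")")] if "(" in arg else arg
    nums = [int(x) for x in body.split(",")]
    af, hal = nums[0], nums[1]
    if af not in ADDR_LEN or hal != ADDR_LEN[af] or len(nums) < 3 + hal:
        raise ValueError("unsupported address family or bad address length")
    pal = nums[2 + hal]
    if pal != 2 or len(nums) != 3 + hal + pal:
        raise ValueError("malformed long address")
    addr = ipaddress.ip_address(bytes(nums[2:2 + hal]))
    port = int.from_bytes(bytes(nums[3 + hal:3 + hal + pal]), "big")
    return addr, port


def check_data_target(control_peer, addr, port):
    """Reasons to refuse a PORT/EPRT/LPRT target; empty means it may be honoured.

    A data address other than the control peer is the signature of a bounce
    attack, and a privileged port would let the server be aimed at a service.
    """
    reasons = []
    peer = ipaddress.ip_address(control_peer)
    if addr != peer:
        reasons.append("data address %s differs from control peer %s" % (addr, peer))
    if port < 1024:
        reasons.append("privileged port %d" % port)
    return reasons


if __name__ == "__main__":
    print("PORT ->", parse_port(SAMPLE_PORT_ARG))
    print("EPRT ->", parse_eprt(SAMPLE_EPRT_ARG))
    print("EPSV ->", parse_epsv_reply(SAMPLE_EPSV_REPLY))
    print("LPSV ->", parse_long_address(SAMPLE_LPSV_REPLY))
    print("bounce check:", check_data_target("203.0.113.9", *parse_port(SAMPLE_PORT_ARG)))
```

The same check applies symmetrically on the client side: a PASV, EPSV or LPSV reply naming an address other than the server you connected to deserves suspicion, which is also why the passive address clause exists for servers behind NAT.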
HP-Specific Features
HP has introduced the following features in WU-FTPD 2.6.1:
• Command-Line Options
Following are the options included in WU-FTPD 2.6.1:
— -m number_of_tries   Specifies the number of tries for a bind() socket call.
— -n nice_value   Sets the nice value for a WU-FTPD process. When using this option, ensure that the nice clause in the /etc/ftpd/ftpaccess file (see ftpaccess(4)) is not set.
— -B   Sets the buffer size of the data socket in blocks of 1024 bytes.
Compatibility Information
Customers currently using WU-FTPD 2.4 do not need to modify their configuration file; WU-FTPD 2.4 configuration files are compatible with this release of WU-FTPD. However, HP recommends that you use the WU-FTPD 2.6.1 configuration file delivered with this release to make effective use of the new features and changes incorporated in WU-FTPD 2.6.1. You must modify your configuration settings only in the following instances:
• If you are upgrading to WU-FTPD 2.6.
in the /usr/contrib/wuftpd/save_custom/backup directory and enables the higher version of WU-FTPD by linking the new files to existing file locations. The enable_inet -r wuftpd command enables you to revert to the previous version of WU-FTPD. To enable the newer version of WU-FTPD, you must run the enable_inet wuftpd command on the HP-UX prompt. The enable_inet status wuftpd command displays the currently active version of WU-FTPD.
Manpages
Table 1-4 describes the manpages distributed with the WU-FTPD 2.6.1 depot.
Table 1-4 WU-FTPD 2.6.1 Manpages
Manpage     Description
ftp(1)      User interface to the file transfer program.
ftpd(1M)    Server for the Defense Advanced Research Projects Agency (DARPA) Internet file transfer protocol.
www.hp.com/go/hpux-networking-docs The README files for WU-FTPD 2.6.1 are available in the /usr/share/doc directory. Defects Fixed in This Release This section describes the WU-FTPD 2.6.1 defects fixed in the HP-UX 11i v1 and 11i v3 operating systems.
Table 1-5 Defects Fixed in the HP-UX 11i v1 Operating System (continued)
Identifier   Description
JAGae21322   In an FTP session, when the ls command is executed with the pathname of a file followed by /., FTP displays the long listing of the file instead of the error message not found. For instance, when ls /etc/passwd/. is issued in an FTP session, the long listing of the file /etc/passwd is displayed.
JAGae12022/QXCR1000512388 JAGae62972/QXCR1000521254   In WU-FTPD 2.6.
Table 1-5 Defects Fixed in the HP-UX 11i v1 Operating System (continued)
Identifier   Description
JAGaf35480/QXCR1000539305   ftpd(1M) always uses the primary interface address of the system for the data connection instead of the address on which the control connection request is received.
JAGaf33866/QXCR1000538860 JAGaf32059/QXCR1000538330 JAGae79698/QXCR1000525558   In an NFS-mounted file system that is full, the ftp(1) get or mget command fails without displaying any error message.
Table 1-5 Defects Fixed in the HP-UX 11i v1 Operating System (continued)
Identifier   Description
JAGae22345/QXCR1000513734   ftpd(1M) does not clean up certain environment variables when started in stand-alone mode.
Defects fixed in WU-FTPD 2.6.1 (B.11.11.01.010)
JAGag20313/QXCR1000572236   The directives related to the virtual hosting feature are not documented properly in the documentation available for ftpaccess(4).
JAGag03440/   ftpd(1M) has a problem with the guestserver clause.
Table 1-5 Defects Fixed in the HP-UX 11i v1 Operating System (continued)
Identifier       Description
QXCR1000965335   When the ftpwho(1) command is run, it does not return the expected process information for each connected FTP session.
QXCR1000576150   The default umask for ftpd(1M) is set to 022 instead of 027 as stated in the manpage, so files created through ftpd(1M) are readable by group and others. Because of this, ftpd(1M) does not behave as expected in certain account configurations.
Defects fixed in WU-FTPD 2.6.1 (B.11.11.01.
Table 1-6 Defects Fixed in the HP-UX 11i v3 Operating System (continued)
Identifier       Description
QXCR1000545220   When the ftpd daemon logs file transfers in the /var/adm/syslog/xferlog.log file, filenames containing 8-bit (non-ASCII) characters may be logged incorrectly.
QXCR1000867024   The exceptions in handling file names logged in the /var/adm/syslog/xferlog.log file are not documented in the xferlog(5) manpage.
QXCR1000895696   WU-FTPD 4.0 of 2.6.