WU-FTPD 2.6.
Legal Notices © Copyright 2001-2009 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice.
Table of Contents
1 WU-FTPD 2.6.1 Release Notes ... 9
Announcement ... 10
What Is In This Version ... 10
WU-FTPD 2.6.1 Features ...
Defects Fixed in the HP-UX 11i v1 Operating System ... 49
Defects Fixed in the HP-UX 11i v3 Operating System ...

List of Figures
1-1 Structure of an FTP Server Hosting Two Virtual Domains ...

List of Tables
1-1 FTP Daemon timeout Options ... 33
1-2 The virtual Clause Options ... 36
1-3 New Options in WU-FTPD 2.6.1 ... 41
1-4 WU-FTPD 2.6.1 Manpages ...
1-5 Defects Fixed in the HP-UX 11i v1 Operating System ...
1-6 ...

List of Examples
1-1 The /etc/ftpd/ftpservers Configuration File Entry ... 26
1-2 The passive Clause ... 34
1-3 The hostname Clause ... 36
1-4 The greeting Clause ...
1-5 The ul-dl-rate Clause ...
1-6 ...
1-7 The site-exec-max-lines Clause ...
1-8 The anonymous-root Clause ...
1-9 ...
1-10 EPRT Command Output for IPv4 and IPv6 Connections ...
1-11 ...
1-12 ...
1-13 LPASV Command Output ...
1 WU-FTPD 2.6.1 Release Notes
This document discusses the most recent product information pertaining to WU-FTPD 2.6.1. It also discusses how to install WU-FTPD 2.6.1 on the HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3 operating systems. This document addresses the following topics:
• “Announcement” (page 10)
• “What Is In This Version” (page 10)
• “WU-FTPD 2.6.
Announcement The File Transfer Protocol (FTP) enables you to transfer files between a client host system and a remote server host system. On the client system, a file transfer program provides a user interface to FTP; on the server, the requests are handled by the FTP daemon, ftpd. WU-FTPD 2.6.1 is an HP implementation of the FTP daemon based on the replacement FTP daemon, developed at Washington University. WU-FTPD 2.6.1 is the latest version of WU-FTPD 2.6.
NOTE: Except for the TLS/SSL feature, all the features discussed in this section are available in WU-FTPD 2.6.1 on the HP-UX 11i v1 and HP-UX 11i v3 operating systems.
Support for TLS/SSL
The Transport Layer Security/Secure Sockets Layer (TLS/SSL) feature enables the HP-UX FTP product to use the security features provided by OpenSSL. When this feature is enabled, HP-UX FTP provides a secured FTP session and secure file transfer.
easy to perform in one direction but difficult to perform in the opposite direction, the two keys provide a high level of security if large numbers are used. Commonly used public key algorithms include RSA, El Gamal, and Diffie-Hellman. While establishing a TLS session, you can use public key cryptography to exchange a session key that is used in a private key algorithm.
keys. This is in contrast to the web of trust used in Pretty Good Privacy (PGP), which has no central authority. The central authority in a PKI holds a Certificate Authority (CA) certificate, a definitive certificate that contains the identifying information and the public key of the CA. The CA uses it to sign other certificates, by signing the public key of a requesting body, such as your server, with the CA's private key.
Generating Certificates and Keys Using OpenSSL 0.9.7m
The FTP client in an HP-UX operating system (HP-UX FTP) is compatible only with standard X.509 certificates in PEM format. HP-UX FTP supports certificates of the following encryption types:
• Rivest Shamir Adleman (RSA) encryption
• Digital Signature Algorithm (DSA) encryption
You can use either encryption type to generate certificates for securing file transfers with HP-UX FTP.
    $RET=$?;
    print "Request is in newreq.pem, private key is in newkey.pem\n";
} elsif (/^-newreq-nodes$/)
1. Replace this line with the following:
system ("$REQ -new -nodes -x509 -keyout newkey.pem -out newcert.pem $DAYS");
2. Replace this line with the following:
system ("$REQ -new -nodes -keyout newkey.pem -out newreq.pem $DAYS");
The only change is the addition of the -nodes option while generating certificates.
You are about to be asked to enter information that will be incorporated into your certificate request. Enter the organization name, location, and your name. After you answer the questions prompted by the ./CA.pl -newca command, the following files are created:
• The ./demoCA/cacert.pem file. This is the CA certificate file that you can exchange with communication partners for TLS authentication or verification.
• The ./demoCA/private/cakey.pem file.
7. cd /etc/ftpd/security
Copy the previously created CA certificate, the FTP server certificate, and the key from the /opt/openssl/misc/ directory to the /etc/ftpd/security directory:
cp /opt/openssl/misc/demoCA/cacert.pem /etc/ftpd/security/ftpd-rsa-ca.pem
cp /opt/openssl/misc/newkey.pem /etc/ftpd/security/ftpd-rsa-key.pem
cp /opt/openssl/misc/newcert.pem /etc/ftpd/security/ftpd-rsa-cert.pem
The FTP server is now ready with the signed public certificate and the private key.
NOTE: By default, the CA.pl script requests a password to protect the private keys. If you protect the private key with a PEM passphrase, enable the ftpd -z password=value option and set the appropriate password.
• Using the TLS configuration file. To use the configuration file, specify the following option as part of the command-line arguments for ftpd(1M):
ftpd -z config=/etc/ftpd/security/tls.conf
NOTE: This step is optional and required only if you use client certificates for authentication.
FTP_SSL_DSACERT_FILE  Specifies the location of the client's DSA certificate file.
FTP_SSL_KEYT_FILE  Specifies the client's key file.
FTP_SSL_DSAKEY_FILE  Specifies the location of the client's DSA key file.
FTP_SSL_CIPHER  Specifies the cipher list.
FTP_SSL_CA_FILE  Specifies the CA certificate.
FTP_SSL_CA_PATH  Specifies the pathname for the CA certificate.
FTP_SSL_CRL_FILE  Specifies the CRL file location for the FTP client.
FTP_SSL_CRL_PATH  Specifies the CRL file pathname.
rsacert=/var/opt/ftp/CA-Certs/client-cert.pem -z\
rsakey=/var/opt/ftp/CA-Certs/client-key.pem server_name
Basic Configuration for Secured File Transfer
This section discusses the basic configuration required for secured file transfer on an FTP server and client. To configure secured file transfer on an FTP server, complete the following steps:
1. Generate the following certificates and key using HP-UX OpenSSL with the procedure discussed in “Generating Certificates and Keys Using OpenSSL 0.9.
To configure secured file transfer on an FTP client system, complete the following steps:
1. Generate the following certificates and key using HP-UX OpenSSL with the procedure discussed in “Generating Certificates and Keys Using OpenSSL 0.9.7m” (page 14):
a. X509 RSA Certificate Authority (CA).
b. X509 RSA server certificate signed by the CA certificate (certificate file).
c. X509 RSA private key associated with the RSA server certificate (key file).
client:/tmp>ftp server-machine
Connected to server-machine.
220 server-machine FTP server (Revision 1.1 Version wuftpd-2.6.1 (PHNE_36065) Fri May 30 15:30:32 GMT 2008) ready.
234 AUTH TLS OK.
[TLSv1/SSLv3, cipher DHE-RSA-AES256-SHA, 256 bits]
Name (server-machine:root): abc
232 User abc auto-logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> prot on
200 PROT P ok. TLS/SSL protection of data connections on.
ftp> ls
200 PORT command successful.
Figure 1-1 Structure of an FTP Server Hosting Two Virtual Domains
[Figure: ftp.domain.com (FTP Server) hosting ftp.animals.com (Virtual Domain 1) and ftp.flowers.com (Virtual Domain 2)]
In Figure 1-1, a user connected to the FTP server ftp.domain.com through the domain ftp.animals.com receives a different banner and directory than a user who is connected to the same server through the domain ftp.flowers.com.
NOTE: A sample configuration file exists in the /usr/newconfig/etc/ftpd/examples directory.
Example 1-1 The /etc/ftpd/ftpservers Configuration File Entry
The following example shows a possible entry in the /etc/ftpd/ftpservers configuration file:
123.123.123.123 /etc/ftpd/somedomain
In this example, when an FTP client connects to the server using the IP address 123.123.123.
virtual address allow username [ username ... ]
virtual address deny username [ username ... ]
The virtual address private directive
This directive is used to deny anonymous FTP login. By default, anonymous users are allowed to log in to a virtual FTP setup.
virtual address private
The virtual address root path and virtual address banner path directives
These directives set the root directory and the banner message for the virtual host, and are used in the /etc/ftpd/ftpaccess file.
NOTE: The virtual address hostname string directive does not require the virtual address root directive. This directive overrides the hostname string directive. If the /etc/ftpd/ftpaccess file has the hostname string directive but does not have the virtual address hostname string directive, then the hostname string directive does not affect the behavior of the ftpd(1M) daemon.
NOTE: The virtual address mailfrom emailaddress directive does not require the virtual address root path directive. This directive overrides the mailfrom emailaddress directive. If the master /etc/ftpd/ftpaccess configuration file has the mailfrom emailaddress directive but does not have the virtual address mailfrom emailaddress directive, the mailfrom emailaddress directive does not affect the behavior of the ftpd(1M) daemon.
NOTE: Do not use the virtual address banner path directive in the ftpaccess file of the virtual domain, because the directive has no effect there.
The logfile path directive
This directive is used to change the path of the xferlog(4) file. This directive is used in the /etc/ftpd/ftpaccess file.
NOTE: Do not use the virtual address logfile path directive in the ftpaccess file of the virtual domain, because the directive has no effect there.
The hostname some.host.
1. Set up an IP alias for the FTP server machine using the ifconfig command. For example:
ifconfig lan0:1 15.70.178.100 netmask 0xffffff00 up
The IP address 15.70.178.100 is set as an alias on the interface lan0. You can now access the FTP server machine through the lan0 interface with the IP address 15.70.178.100.
2. Declare the following directives in the /etc/ftpd/ftpaccess file:
virtual 15.70.178.100 root /virtual
virtual 15.70.178.100 banner /virtual/banner.msg
virtual 15.70.178.
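To see how the virtual-hosting directives above combine for a given server address, here is an added example (not HP's or WU-FTPD's code) that parses a constructed /etc/ftpd/ftpaccess fragment and resolves the effective settings; it models only the rules the release notes state (virtual hostname/mailfrom override the global directive, the global directive is not applied to a virtual host, and anonymous login is allowed unless the private directive is present).

```python
"""Resolve per-address virtual-host settings from ftpaccess directives.
Added example; models only the rules stated in the WU-FTPD 2.6.1 release
notes, not the full ftpaccess(4) grammar (defaultserver lines are ignored).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample ftpaccess content; the 15.70.178.x addresses are examples.
SAMPLE_FTPACCESS = """\
hostname ftp.domain.com
mailfrom ftpadmin@domain.com
virtual 15.70.178.100 root /virtual
virtual 15.70.178.100 banner /virtual/banner.msg
virtual 15.70.178.100 hostname ftp.animals.com
virtual 15.70.178.100 allow root ftpadmin
virtual 15.70.178.100 deny guest
virtual 15.70.178.101 root /flowers
virtual 15.70.178.101 private
"""

@dataclass
class VirtualHost:
    root: Optional[str] = None
    banner: Optional[str] = None
    hostname: Optional[str] = None
    mailfrom: Optional[str] = None
    allow: List[str] = field(default_factory=list)
    deny: List[str] = field(default_factory=list)
    anonymous_allowed: bool = True   # flipped by 'virtual <addr> private'

def parse_ftpaccess(text: str) -> Tuple[Dict[str, str], Dict[str, VirtualHost]]:
    """Split the file into global hostname/mailfrom and per-address virtual settings."""
    global_dirs: Dict[str, str] = {}
    hosts: Dict[str, VirtualHost] = {}
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] in ("hostname", "mailfrom") and len(words) > 1:
            global_dirs[words[0]] = words[1]
        elif words[0] == "virtual" and len(words) > 2:
            addr, keyword, args = words[1], words[2], words[3:]
            vh = hosts.setdefault(addr, VirtualHost())
            if keyword in ("root", "banner", "hostname", "mailfrom") and args:
                setattr(vh, keyword, args[0])
            elif keyword == "allow":
                vh.allow.extend(args)
            elif keyword == "deny":
                vh.deny.extend(args)
            elif keyword == "private":
                vh.anonymous_allowed = False
    return global_dirs, hosts

def effective_settings(text: str, addr: str) -> dict:
    """Settings seen by a client that connected to server address 'addr'."""
    global_dirs, hosts = parse_ftpaccess(text)
    vh = hosts.get(addr)
    if vh is None:
        # Not a virtual host: the default server uses the global directives.
        return {"root": None, "banner": None, "allow": [], "deny": [],
                "hostname": global_dirs.get("hostname"),
                "mailfrom": global_dirs.get("mailfrom"), "anonymous_allowed": True}
    # Virtual host: the global hostname/mailfrom do not apply here, so a
    # missing virtual value stays None (the daemon's own default is used).
    return {"root": vh.root, "banner": vh.banner, "hostname": vh.hostname,
            "mailfrom": vh.mailfrom, "allow": list(vh.allow),
            "deny": list(vh.deny), "anonymous_allowed": vh.anonymous_allowed}
```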
The syntax for the email-on-upload feature is as follows:
— mailserver
— incmail
  virtual incmail
  defaultserver incmail
— mailfrom
  virtual mailfrom
  defaultserver incmail
— deny-email
If you specify virtual host addresses, only the addresses on a particular host receive notification messages of anonymous uploads.
Table 1-1 FTP Daemon timeout Options
Option    Description
accept    The time period for which the daemon waits for an incoming (PASV, passive) data connection. The default value is 120 seconds.
connect    The time period the daemon waits before attempting to establish an outgoing (PORT, port) data connection. The default value is 120 seconds. The connect option affects the actual connection attempt. The daemon makes several attempts at regular intervals, sleeping between each attempt, before disconnecting.
• Enhanced DNS Extensions
You can use this feature to refuse (or override) an FTP session when a reverse DNS lookup fails. The syntax for the enhanced DNS extension feature is as follows:
dns refuse_mismatch [ override ]
dns refuse_no_reverse [ override ]
dns resolveroptions
• Reported Address Control
This feature enables you to control the address reported in response to a PASV command and the TCP port numbers that can be used for a passive data connection.
NOTE: You cannot selectively allow PORT and PASV data connections in an IPv6 environment.
• The keepalive Clause
The keepalive clause allows you to control network disconnects by setting the TCP SO_KEEPALIVE option on data sockets. You can specify yes to set the TCP option, or no to use the system default setting, which is usually off. HP recommends that you set the keepalive clause to yes to keep the network connection alive.
defaultserver deny [ username ... ]
defaultserver allow [ username ... ]
defaultserver private
Table 1-2 lists examples of the virtual clause.
Table 1-2 The virtual Clause Options
Option    Description
virtual xx.xx.xx.xx allow root    Allows the root user to start an FTP session on the system xx.xx.xx.xx.
• Control Information
This feature allows you to control the information shown in the greeting message before a remote user logs in. For the greeting message, you can specify the host name and the daemon version, only the host name, or only the message FTP server ready. The default greeting clause is greeting full.
Example 1-5 The ul-dl-rate Clause
An example of the ul-dl-rate clause is as follows:
ul-dl-rate 2
For every 1 byte of data that is uploaded, the FTP server allows 2 bytes of data to be downloaded.
• The nice Clause
The nice clause allows you to modify the nice value of the FTP server process if the remote user is a member of the named class. If you do not specify a class, nice-delta is used as the default adjustment to the nice value of the FTP server process.
The syntax for controlling the maximum number of lines of output is as follows:
site-exec-max-lines number [ class ... ]
Example 1-7 The site-exec-max-lines Clause
The following are some examples of the site-exec-max-lines clause:
site-exec-max-lines 200 remote
site-exec-max-lines 0 local
site-exec-max-lines 25
Example 1-7 contains three example statements for the site-exec-max-lines clause. The first example limits the output from SITE EXEC (and therefore SITE INDEX) to 200 lines for remote users.
Example 1-8 The anonymous-root Clause
The following are examples of the anonymous-root clause:
anonymous-root /home/ftp
anonymous-root /home/localftp localnet
The first example changes the root directory of all anonymous users to the directory /home/ftp, with the anonymous user’s current working directory being the home directory. If an FTP user exists in the /home/ftp/etc/passwd file, the user’s current working directory is the home directory.
New Features Related to Data Transfer
The following lists the data transfer features:
• For statistical purposes, you can track the total bytes of data transferred. Also, you can limit the number of data bytes that a user, in any given class, can transfer. You can specify a directive in the /etc/ftpd/ftpaccess file to limit the number of bytes incoming, outgoing, or both.
Table 1-3 New Options in WU-FTPD 2.6.1 (continued)
Option    Description
-X    This option does not save the output created by the -i and -o options to the /var/adm/syslog/xferlog file but writes it to the /var/adm/syslog/syslog.log file.
-I    This option enables the use of the Identification Protocol (RFC 1413) to attempt to determine the username on the client. The username returned by the client's ident service is self-reported and should be treated as informational only.
-s and -S    These options run the daemon in standalone operation mode.
Example 1-10 EPRT Command Output for IPv4 and IPv6 Connections
The following displays the output of the EPRT command for both IPv4 and IPv6 connections.
For IPv4:
------> EPRT 1 132.235.1.2 50934
For IPv6:
------> EPRT 2 fe80::260:b0ff:fec1:7b2f 50934
— EPSV - Extended Passive
This command requests a server to listen on a data port and wait for a connection. The response to this command includes only the TCP port number of the listening connection.
Example 1-13 LPASV Command Output
The following displays the output of the LPASV command:
ftp> passive
Passive mode on.
-------> LPSV
228 Entering Long Passive Mode (6,16,254,128,0,0,0,0,0,0,2,96,176,255,254,193,123,47,2,134,7)
NOTE: The FTP client must use the -l option to use the LPSV and LPRT commands. The FTP session command longaddr toggles the use of the LPRT (long port) and LPSV (long passive) commands. For more information on the -l option, type man 1 ftp at the HP-UX prompt.
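The 228 reply above packs the address family, the address bytes and the port bytes into one comma-separated list. The following added example (not HP's or WU-FTPD's code) decodes PASV (227), LPSV (228) and EPSV (229) replies and checks that the advertised data address matches the control-connection peer, which is the property the Reported Address Control feature and defect JAGaf35480 concern; the 228 line is the one from Example 1-13, while the 227 and 229 lines and the control addresses are constructed.

```python
"""Decode the data-connection endpoint advertised in FTP passive-mode
replies and compare it with the control-connection peer address.
Added example; reply formats follow RFC 959 (227), RFC 1639 (228) and
RFC 2428 (229)."""
import ipaddress
import re

# The 228 line is from Example 1-13; the 227 and 229 lines are constructed.
REPLY_LPSV = ("228 Entering Long Passive Mode (6,16,254,128,0,0,0,0,0,0,"
              "2,96,176,255,254,193,123,47,2,134,7)")
REPLY_PASV = "227 Entering Passive Mode (15,70,178,100,96,176)"
REPLY_EPSV = "229 Entering Extended Passive Mode (|||24752|)"

def _numbers(reply):
    """Extract the comma-separated decimal byte list inside the parentheses."""
    m = re.search(r"\(([\d,\s]+)\)", reply)
    if not m:
        raise ValueError("no address list in reply: %r" % reply)
    return [int(n) for n in m.group(1).replace(" ", "").split(",")]

def parse_passive_reply(reply):
    """Return (address_or_None, port); EPSV replies carry only the port."""
    code = reply[:3]
    if code == "227":
        n = _numbers(reply)
        if len(n) != 6 or any(b > 255 for b in n):
            raise ValueError("malformed PASV reply")
        return str(ipaddress.IPv4Address(bytes(n[:4]))), n[4] * 256 + n[5]
    if code == "228":
        n = _numbers(reply)
        # RFC 1639 layout: af, addr_len, addr bytes..., port_len, port bytes...
        af, alen = n[0], n[1]
        addr_bytes = bytes(n[2:2 + alen])
        plen = n[2 + alen]
        port_bytes = n[3 + alen:3 + alen + plen]
        if len(addr_bytes) != alen or len(port_bytes) != plen:
            raise ValueError("truncated LPSV reply")
        if af == 4 and alen == 4:
            addr = ipaddress.IPv4Address(addr_bytes)
        elif af == 6 and alen == 16:
            addr = ipaddress.IPv6Address(addr_bytes)
        else:
            raise ValueError("unsupported address family %d" % af)
        port = 0
        for b in port_bytes:           # big-endian port bytes
            port = port * 256 + b
        return str(addr), port
    if code == "229":
        m = re.search(r"\(\|\|\|(\d+)\|\)", reply)
        if not m:
            raise ValueError("malformed EPSV reply")
        return None, int(m.group(1))
    raise ValueError("not a passive-mode reply: %r" % reply)

def data_endpoint_matches_control(reply, control_peer):
    """True when the reply names no address (EPSV) or names the same address
    the control connection is talking to; a mismatch means the server is
    advertising a different interface than the one the client connected to."""
    addr, _port = parse_passive_reply(reply)
    if addr is None:
        return True
    return ipaddress.ip_address(addr) == ipaddress.ip_address(control_peer)
```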
HP-Specific Features
HP has introduced the following features in WU-FTPD 2.6.1:
• Command-Line Options
The following options are included in WU-FTPD 2.6.1:
— -m number_of_tries  Specifies the number of tries for a bind() socket call.
— -n nice_value  Sets the nice value for a WU-FTPD process. When using this option, ensure that the nice clause in the /etc/ftpd/ftpaccess file (see ftpaccess(4)) is not set.
— -B  Sets the buffer size of the data socket in blocks of 1024 bytes.
Compatibility Information
Customers currently using WU-FTPD 2.4 do not need to modify their configuration file. WU-FTPD 2.4 is compatible with this release of WU-FTPD. However, HP recommends that you use the WU-FTPD 2.6.1 configuration file delivered with this release to take full advantage of the new features and changes incorporated in WU-FTPD 2.6.1. You must modify your configuration settings only in the following instances:
• If you are upgrading to WU-FTPD 2.6.
in the /usr/contrib/wuftpd/save_custom/backup directory and enables the higher version of WU-FTPD by linking the new files to the existing file locations. The enable_inet -r wuftpd command reverts to the previous version of WU-FTPD. To enable the newer version of WU-FTPD, run the enable_inet wuftpd command at the HP-UX prompt. The enable_inet status wuftpd command displays the currently active version of WU-FTPD.
Manpages
Table 1-4 describes the manpages distributed with the WU-FTPD 2.6.1 depot.
Table 1-4 WU-FTPD 2.6.1 Manpages
Manpage    Description
ftp(1)    User interface to the file transfer program
ftpd(1M)    Server for the Defense Advanced Research Projects Agency (DARPA) Internet file transfer protocol.
http://www.docs.hp.com/en/netcom.html#Internet%20Services
The README files for WU-FTPD 2.6.1 are available in the /usr/share/doc directory.
Defects Fixed in This Release
This section describes the WU-FTPD 2.6.1 defects fixed in the HP-UX 11i v1 and 11i v3 operating systems.
Table 1-5 Defects Fixed in the HP-UX 11i v1 Operating System (continued)
Identifier    Description
JAGae21322    In an FTP session, when the ls command is executed with the pathname of a file followed by /., FTP displays the long listing of the file instead of the error message not found. For instance, when the ls /etc/passwd/. command is issued in an FTP session, the long listing of the file /etc/passwd is displayed.
JAGae12022/QXCR1000512388
JAGae62972/QXCR1000521254    In WU-FTPD 2.6.
Table 1-5 Defects Fixed in the HP-UX 11i v1 Operating System (continued)
Identifier    Description
JAGaf35480/QXCR1000539305    ftpd(1M) always uses the primary interface address of the system for the data connection instead of the address on which the control connection request is received.
JAGaf33866/QXCR1000538860
JAGaf32059/QXCR1000538330
JAGae79698/QXCR1000525558    In an NFS-mounted file system that is full, the ftp(1) get or mget command fails without displaying any error message.
Table 1-5 Defects Fixed in the HP-UX 11i v1 Operating System (continued)
Identifier    Description
JAGae22345/QXCR1000513734    ftpd(1M) does not clean up certain environment variables when started in stand-alone mode.
Defects fixed in WU-FTPD 2.6.1 (B.11.11.01.010)
JAGag20313/QXCR1000572236    The directives related to the virtual hosting feature are not documented properly in the documentation available for ftpaccess(4).
JAGag03440/    ftpd(1M) has a problem with the guestserver clause.
Table 1-5 Defects Fixed in the HP-UX 11i v1 Operating System (continued)
Identifier    Description
QXCR1000965335    When the ftpwho(1) command is run, it does not return the expected process information for each connected FTP session.
QXCR1000576150    The default umask for ftpd(1M) is set to 022 instead of 027 as stated in the manpage. Because of this, ftpd(1M) does not behave as expected in certain account configurations.