SHIFT-WIKI

--- Sjoerd Hooft's InFormation Technology ---


AIX FTP

Since I restricted access for local users to my AIX boxes, users have a problem placing files on the boxes. The files need to be accessible to local users for compiling, deploying or whatever purpose they are intended for. This is more complex than it seems: we are talking about multiple users working at the same time on the same project, placing and editing files all the time. When these files are not changed to belong to a local user or to one user in common, a permission and ownership nightmare will occur. With this in mind I had to change the security model so that it is still compliant with the security policy while development has a workable environment. The security model allows no login from local (fictional) user accounts; real users (employees) have to log in through ssh while being authenticated through LDAP. Sudo rights are given only to some specific users who know what they are doing, and every sudo command gets logged to the SYSLOG server, which is only available to the IT department.

SSH Allow

The first step is to make sure only LDAP-authenticated users are allowed to log in. To enforce this policy before this problem arose, local accounts were simply set so that they could not log on, neither locally nor remotely. This still makes it possible to su to another user, but logging in directly is prohibited. With the new requirements this is not enough anymore. Now, to be able to log on through ssh, you have to be a member of a group in the same LDAP directory. To configure this, open sshd_config and add these lines at the end of the file:

sjoerd@aixbox:/home/sjoerd>sudo cat /etc/ssh/sshd_config | grep -i group
# Only allow users to use ssh when member of this group
AllowGroups ssh-access

This group should be in the LDAP directory. With us, this group is configured as everyone's primary group, so it's an excellent group to use for this purpose.

Allow Remote Login

As said before, local accounts were previously prohibited from logging in to the box by setting their accounts accordingly. This is not necessary anymore, so you should change that so they can log in:

sudo chuser rlogin=true <username>

Of course, before you do this make sure the users cannot log in through any service except the ones you want. In this document I described the way to disable all unnecessary services on your AIX box.

Enable FTP

Now it's time to enable FTP again, because I disabled all unnecessary services from running as described here. This means I have to enable the FTP service (subserver) in the inetd subsystem, start the inetd subsystem and make sure it starts after a reboot.

Enable the FTP subserver:

chsubserver -a -v ftp -p tcp

Start inetd subsystem:

startsrc -s inetd

Start inetd after reboot:

chrctcp -a inetd

Start inetd now and after reboot:

chrctcp -S -a inetd

Refresh inetd with the new settings after you've changed its config files:

refresh -s inetd

Configure FTP

To allow FTP access from a single host only, create a file called /etc/ftpaccess.ctl with the following content:

sjoerd@aixbox:/home/sjoerd>cat /etc/ftpaccess.ctl 
allow:ftpclient 

NOTE: There is a space directly after the host name. I found the configuration does not work if it is missing.

If you want to prevent specific users from using the FTP service, create a file called /etc/ftpusers with one username per line:

sjoerd@aixbox:/home/sjoerd>cat /etc/ftpusers
user1
user2
user3

These users are now prevented from logging in through ftp. Note that this file is case sensitive.
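As an added check (not part of the original page), the following POSIX shell script verifies the three settings described above against constructed copies of the config files: that sshd_config carries the AllowGroups entry, that the allow: line in ftpaccess.ctl ends with the trailing space noted above, and that an ftpusers match is exact and case sensitive. The temporary file paths, sample host and sample users are constructed; on an AIX box, point the three variables at the real files under /etc instead.

```shell
#!/bin/sh
# Added verification helper, not from the original page. It works on copies of
# the three files this page edits; replace the paths with /etc/ssh/sshd_config,
# /etc/ftpaccess.ctl and /etc/ftpusers to audit a real box.
WORK=$(mktemp -d)
SSHD_CONFIG="$WORK/sshd_config"
FTPACCESS="$WORK/ftpaccess.ctl"
FTPUSERS="$WORK/ftpusers"

# Constructed sample files mirroring the page's examples; note the trailing
# space after "ftpclient" in ftpaccess.ctl.
printf '# Only allow users to use ssh when member of this group\nAllowGroups ssh-access\n' > "$SSHD_CONFIG"
printf 'allow:ftpclient \n' > "$FTPACCESS"
printf 'user1\nuser2\nuser3\n' > "$FTPUSERS"

# Returns 0 when an uncommented AllowGroups line names the given group.
ssh_group_allowed() {
    grep -E "^[[:space:]]*AllowGroups([[:space:]]+[^[:space:]#]+)*[[:space:]]+$1([[:space:]]|\$)" \
        "$SSHD_CONFIG" >/dev/null
}

# Returns 0 when the first allow: line lists the host followed by the space the
# author found necessary, 2 when the host is there but the space is missing,
# 1 when the host is not listed. Assumes one host per allow: line, as on this page.
ftp_host_allowed() {
    hosts=$(sed -n 's/^allow:[[:space:]]*//p' "$FTPACCESS" | head -n 1)
    case " $hosts" in
        *" $1 "*) return 0 ;;   # host present and followed by a space
        *" $1")   return 2 ;;   # host is the last token, trailing space missing
        *)        return 1 ;;
    esac
}

# Returns 0 when the user is denied FTP: a whole-line, case-sensitive match,
# as the page notes for /etc/ftpusers.
ftp_user_denied() {
    grep -x -F "$1" "$FTPUSERS" >/dev/null
}

# Report on the constructed files.
if ssh_group_allowed ssh-access; then echo "sshd_config: AllowGroups ssh-access present"; fi
if ftp_host_allowed ftpclient; then echo "ftpaccess.ctl: ftpclient allowed with trailing space"; fi
if ftp_user_denied user1; then echo "ftpusers: user1 denied"; fi
ftp_user_denied User1 || echo "ftpusers: User1 NOT denied (file is case sensitive)"
```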

Resources

aixftp.txt · Last modified: 2021/09/24 00:24 by 127.0.0.1