SUMMARY: wu-ftpd-2.6.1 under c2 shows 'Login failed

From: Gasser Urs BIT <Urs.Gasser_at_BIT.admin.ch>
Date: Fri, 23 Mar 2001 17:25:43 +0100

Hello again !

I have received several good hints. Many thanks to everybody.
There was one manager advising against wu-ftp under c2 security altogether,
pointing out that "wu-ftp and c2 security" was in itself a contradiction!

Anyway, we just wanted to test it on a test system, but thank you for the
warning.

Unfortunately, I haven't had time to try it out yet,
but here are the most complete installation instructions, which I got from
Darryl Cook, quoting Darren Schenebeck (many thanks to both of them !).

I hope this will do the trick for the rest of us, who are still happy with
old wu-ftp:

Best wishes
URS GASSER
urs.gasser_at_bit.admin.ch

-----------------------------------------------------------------------------




-----Original Message-----
From: Darryl Cook [mailto:dlc_at_cs.appstate.edu]
Sent: Thursday, 22 March 2001 17:01
To: Gasser Urs BIT
Subject: Re: wu-ftpd-2.6. under c2 shows 'Login failed.'



I just installed it on 5.1 about a month ago. The following helped me a
great deal. After making the changes I had no problems whatsoever
installing it.

good luck!
darryl cook


worked like a charm......thanks I owe you one!!

dschen - Darren Schenebeck wrote:

> These are the instructions that I found for 2.6.0. The instructions work
> for me but I'm using the 2.6.0 instructions, you also have to have your
> /usr/local/lib/ftpd/ftpaccess file correct in order to allow the users to
> get in and actually move files. I don't know if this will help you or
> not.
>
> * Install wu-ftp:
>
> # cd wu-ftpd-2.6.0/src/makefiles
> # vi Makefile.du4
>
> add
>
> -DSECUREOSF to the IFLAGS line
> add
>
> -lsecurity to the LIBES line
>
> # cd ../config
> # vi config.du4
>
> add
>
> #include <sys/fcntl.h>
>
> # cd ../..
> # script wu-ftp.install
> # ./build du4
> # ./build install
> # ^d
>
> * Edit the /etc/inetd.conf file:
>
> # emacs /etc/inetd.conf&
>
> 1. Copy and then comment out the original ftp line.
> 2. Modify the inserted ftp line to look like the following:
>
> ftp stream tcp nowait root /usr/sbin/in.ftpd ftpd -a
>
> 3. Move the in.ftpd file to proper location.
>
> # mv /etc/in.ftpd /usr/sbin
>
> * Send a kill -HUP to the inetd process to make the change effective:
>
> # ps -ef | grep inetd
> # kill -1 pid
>
> * Make a directory that will contain configuration files.
>
> # cd /usr/local/lib
> # mkdir ftpd
>
> * Copy configuration files from aadmn1 to machine ftp is being installed
> to.
>
> # cd ftpd
> # rcp -p aadmn1:/usr/local/lib/ftpd/* .
>
> * Edit configuration files as needed (see sample at end).
>
> * Steps needed to allow guest ftp access to a particular directory while
> still having tnvt access. No traversing tree:
>
> 1. Add a line to ftpaccess to designate directory where users will have
> access to.
>
> guest-root /usr/users/ftp test1 FORCES TEST1 TO SPECIFIED DIR
>
> 2. Add a line to ftpaccess to allow uid access.
>
> allow-uid test1 UNBLOCKS SPECIFIED UIDS
>
> 3. Make sure the user's group is not in this statement.
>
> realgroup system ALLOWS SYSTEM GROUP REAL ACCESS
>
> 4. Build the directory structure under the directory where
> access is needed:
>
> # cd /usr/users/ftp
>
> # mkdir bin
> # chown root:daemon bin
> # chmod 111 bin
>
> 3. Build the contents of the /usr/users/ftp/bin directory:
>
> # cp -p /sbin/ls bin
> # chown root:bin bin/ls
> # chmod 111 bin/ls
>
> * Steps needed to allow ftp access only (no tnvt access):
>
> 1. Change passwd file entry to look like the following:
>
> ftp1aa:*:3397:999:ftpguest 1:/usr/users/ftp1aa/./:/etc/ftponly
>
> 2. Make sure "/etc/ftponly" is in etc/shells
>
> 3. Build the directory structure under the users account:
>
> # cd /usr/users/ftp1aa
> # mkdir etc bin
> # chown root:daemon etc bin
> # chmod 111 etc bin
>
> 4. Build the contents of the /usr/users/ftp1aa/bin directory:
>
> # cp -p /sbin/ls bin
> # chown root:bin bin/ls
> # chmod 111 bin/ls
>
> 5. Build the contents of the /usr/users/ftp1aa/etc directory:
>
> a. Create a scaled down version of a passwd file with
> the following entries:
>
> root:*:0:0::/:/etc/ftponly
>
> ftp1aa:*:3397:999::/usr/users/ftp1aa/./:/etc/ftponly
>
> b. Create a scaled down version of a group file with
> the following entries:
>
> root::0:root
> ftpguest::999:ftp1aa
>
> c. Set ownership and permissions:
>
> # chown root:daemon passwd group
> # chmod 444 passwd group
>
>
> d. Add some extra security touches:
>
> # cd /usr/users/ftp1aa
> # touch .rhosts .forward
> # chown root:root .rhosts .forward
> # chmod 400 .rhosts .forward
>
> * Sample ftpaccess file location /usr/local/lib/ftpd. This will force all
> users to be guest except for system users pajosa and rkrosa who will be
> real.
>
> class local real,guest *.acfw.in.us
> class remote real,guest *.acfw.in.us
>
> noretrieve /etc/passwd .login .profile .rhosts .cshrc .kshrc .forward
>
> log commands real,guest
>
> log transfers real,guest inbound,outbound
>
> chmod yes real
> rename yes real
> overwrite yes real
> umask yes real
> delete yes real
>
> chmod no guest
> rename no guest
> overwrite yes guest
> umask no guest
> delete no guest
>
> guestuser * FORCES ALL USERS TO BE GUEST
>
> realgroup system ALLOWS SYSTEM GROUP REAL ACCESS
>
> guest-root /usr/users/ftp test1 FORCES TEST1 TO SPECIFIED DIR
>
> deny-uid %-999999 BLOCKS ALL UIDS
>
> allow-uid ftp1aa test1 pajosa rkrosa UNBLOCKS SPECIFIED UIDS
>
> restricted-uid ftp1aa test1 NO TRAVERSING TREE
>
> unrestricted-uid pajosa rkrosa UNLIMITED TREE ACCESS
>
> * Sample ftphosts file located in /usr/local/lib/ftpd
>
> # host access file
> #
> # This file is needed to allow or deny access for guest users
>
> allow ftp1aa pete-joseph.acfw.in.us
>
> -----Original Message-----
> From: Darryl Cook [mailto:dlc_at_cs.appstate.edu]
> Sent: Friday, January 19, 2001 1:29 PM
> To: tru-64
> Subject: wu-ftpd 2.6.1
>
> I am having a little trouble getting wu-ftpd 2.6.1 to install correctly.
> I have a DEC Alpha 2100A running DU4.0f. Everything configures fine but
> when I try to ftp to my site it rejects my username and password. We do
> run Enhanced Security. I found something in the docs that said to
> modify the ./src/makefiles/makefile.arch file for Enhanced Security
> and did that but still can't login. Anyone else run into this?
>
> darryl

Gasser Urs BIT wrote:

> Hi !
>
> I have now tried for some time to get the wu-ftpd (wu-ftpd-2.6.1) to work
> under DU V 5.1 and c2 security.
> It is just impossible to login via ftp. The ftp prompt keeps showing the
> following error message:
>
> Fancy_host1# ftp my_workstation
> Connected to my_workstation.
> 220 my_workstation FTP server (Version wu-2.6.0(2) Wed Mar 14 10:26:56 MET 2001) ready.
> Name (my_workstation:my_account): test_account
> 331 Password required for test_account
> Password: <PASSWORD>
> 530 Login incorrect.
> Login failed.
> ftp>
>
> The ftpd seems to attempt to read passwords from the /etc/passwd, which
> under c2 security have moved to a different location ("shadowed
> passwords").
>
> Newsletters on the WEB suggest that some SWITCHES should be added to the
> configuration files before compiling the wu-ftpd.
>
> Could somebody please describe the correct installation procedure on an
> Alpha Server with DU V 5.1 under c2 security ?
>
> Thank you very much in advance.
>
> Best wishes,
> Urs GASSER, Switzerland, Europe
>
> urs.gasser_at_bit.admin.ch
Received on Fri Mar 23 2001 - 16:27:11 NZST
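
An audit of the FTP-only account layout from the quoted steps, as an added example that is not part of the original thread: it checks the modes given there (111 for bin, etc and bin/ls; 444 for etc/passwd and etc/group; 400 for .rhosts and .forward), root ownership, and that the scaled-down passwd copy carries `*` in every password field. The function names and the optional owner argument are assumptions introduced here.

```shell
#!/bin/sh
# Added example: audit an FTP-only home built per the steps in the thread.
# audit_ftp_home DIR [OWNER] prints findings and returns their count.
# OWNER defaults to root (as in the post); the parameter is an assumption
# added so the check can be exercised on a scratch directory.

# Print "perms owner" for a path, using portable ls output.
perm_owner() {
    ls -ld "$1" 2>/dev/null | awk '{ print substr($1, 1, 10), $3 }'
}

# expect PATH PERMS OWNER: report a finding if the path differs or is missing.
expect() {
    got=$(perm_owner "$1")
    if [ "$got" != "$2 $3" ]; then
        echo "FINDING: $1 is '${got:-missing}', expected '$2 $3'"
        return 1
    fi
    return 0
}

audit_ftp_home() {
    home=$1; owner=${2:-root}; bad=0
    expect "$home/bin"        "d--x--x--x" "$owner" || bad=$((bad + 1))
    expect "$home/etc"        "d--x--x--x" "$owner" || bad=$((bad + 1))
    expect "$home/bin/ls"     "---x--x--x" "$owner" || bad=$((bad + 1))
    expect "$home/etc/passwd" "-r--r--r--" "$owner" || bad=$((bad + 1))
    expect "$home/etc/group"  "-r--r--r--" "$owner" || bad=$((bad + 1))
    expect "$home/.rhosts"    "-r--------" "$owner" || bad=$((bad + 1))
    expect "$home/.forward"   "-r--------" "$owner" || bad=$((bad + 1))
    # The copy inside the FTP tree must hold "*" as password, never a hash.
    if [ -r "$home/etc/passwd" ] &&
       awk -F: '$2 != "*" { found = 1 } END { exit !found }' "$home/etc/passwd"
    then
        echo "FINDING: $home/etc/passwd has a non-'*' password field"
        bad=$((bad + 1))
    fi
    return "$bad"
}

# Usage on a real system: audit_ftp_home /usr/users/ftp1aa
```

The return value is the number of findings, so a zero exit status means the directory matches the layout described in the thread.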
