Summary: How to display message for anonymous ftp users

From: fdl@glnpogis5.r05.epa.gov
Date: Tue Feb 02 1993 - 17:20:54 CST


My question:

:
:
: I would like to set up an anonymous ftp account for my users. I did it, but I am
: not able to display a message when an ftp user is connected to my server.
: Could any one of you help me out? I will summarize it.
:
: Thanks in advance to all Sun Managers.
:
: fdl@glnpogis5.r05.epa.gov
:
:
 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

I would like to thank all that replied to my problems. I had many replies.

Summary:

1) Get a new ftpd package with the patches from the following sites:

        1) wuarchive.wustl.edu:/packages/ftpd.wuarchive.shar
 
        2) sunsite.unc.edu
 
        3) ftp.uu.net has the uunet-ftpd.patches

2) Read the README file before you make the package for your system.
   Edit pathnames.h to conform to your needs, edit support/paths.h as well.
   I used the following setup:

        #include "support/paths.h"
 
        #define _PATH_FTPUSERS "/etc/ftpusers"
        #define _PATH_FTPACCESS "/usr/local/etc/ftpaccess"
        #define _PATH_PIDNAMES "/usr/local/daemon/ftpd/ftp.pids-%s"
        #define _PATH_XFERLOG "/usr/adm/xferlog"
 
        #ifndef _PATH_UTMP
        #define _PATH_UTMP "/etc/utmp"
        #define _PATH_WTMP "/usr/adm/wtmp"
        #define _PATH_LASTLOG "/usr/adm/lastlog"
        #endif

3) After you have built and installed the new ftpd, configure it using the
   method provided by Mr. Gregory Higgins and Mr. Daniel Trinkle:

>From higgins@math.niu.edu Sat Aug 1 03:57:39 1992
>
>1) Find a free partition about the right size. This makes it easy to
> back the thing up and restore it.
>
>2) I made a directory /ftproot on the machine where it needs to sit, with
> 555 permissions.
>
>3) Mount the partition on /ftproot.
>
>4) Make sure you have an ftp user in the /etc/passwd for that machine.
> I run NIS (YP) here, and passwords are network wide, but I only allow
> ftp into one machine. So its /etc/passwd has an ftp user-id, but
> there is none in the master passwd file.
>
>5) Jump over to wuarchive and get
> wuarchive.wustl.edu:/packages/ftpd.wuarchive.shar
>
>6) In /ftproot
> mkdir bin etc dev pub usr usr/lib
> check the ownership and permissions; I set all my top dir to be root.wheel
> except for ftproot/etc which is root.daemon; all have 555 permissions.
> usr/lib is root.daemon and 555 also.
>
>7) cp /usr/bin/ls to /ftproot/usr
> cp /usr/lib/ld.so to /ftproot/usr/lib
> cp /usr/lib/libc.so.1.6 to /ftproot/usr/lib
> make the owner.group and permissions match the originals.
>
>8) ls -l /dev/zero
> in /ftproot/dev mknod zero c major minor
> using the major and minor from the ls.
>
>9) create /ftproot/etc/passwd
> you'll need the usual entries, mine look like this:
>
> root:*:0:0::/:/dev/null
>
> ditto for daemon, sys,bin, ftp
>
>10) create /ftproot/etc/group
> again, you really only want the group names and numbers, you
> don't need group members. This is to make listings look pretty.
>
>11) create the ftp entry in /etc/passwd
> mine looks like this
>
> ftp:*:400:400:Anonymous FTP:/ftproot:/bin/csh
>
>12) At this point in time, if a real user can ftp into the machine,
> anonymous ftp should be working too. If real users can't ftp
> (non-anonymously) into the machine, you'll need to uncomment
> or install the following line in /etc/inetd.conf
>
>ftp stream tcp nowait root /usr/etc/in.ftpd in.ftpd
>
> and restart inetd. (Use ps to find the pid and kill -HUP pid ).
>
>13) Unshar the ftpd.wuarchive stuff, read thru it and decide if you
> want to install it. Many, many sites are going to it. It essentially
> replaces /usr/etc/in.ftpd, so you'll eventually end up changing some
> of (13) if you use it. Put in the time and install it.
>
>14) Since the stated purpose of our anonymous ftp is to allow our professors
> to 'publish' their papers, in my math.niu.edu:/pub, I put a directory
> for the professors to put their papers in. Each person owns their own
> papers subdirectory. Since we run C2, to protect the user-ids, I
> installed into /ftproot/etc/passwd each user's id with a locked passwd,
> and instead of the username, gave them all the name papers. Since
> the directories are all named Lastname,Firstname, even though we
> identify the person, we give away neither their login name, nor
> their user-id. (This works since you can't do an ls -n) eg:
>
> papers:*:5001:5000::/:/dev/null
> papers:*:5002:5000::/:/dev/null
>
> Depending upon what you're using your anon ftp service for, you
> might find this technique useful. It's not really a security
> technique, as much as it is a blankie for the more paranoid of
> our users.
>
>15) Run thru the system and make sure that all 'protected' files are
> non-writeable, protected directories are non-writeable. You may
> want to consider creating a contrib directory 1777 for people to
> stick stuff in.
>
>16) My ftp machine is olympus.math.niu.edu, but in my nameserver
> I put in an A record for the domain with the address of olympus
> so that ftp math.niu.edu gets you to the right machine, and a
> CNAME record for ftp.math.niu.edu so it takes you to the same
> place.
>
>It's been 6 or 7 months since I set this up, but unless I've forgotten
>something you should be happening.
>
> -Gregory Higgins, Systems Manager, higgins@math.niu.edu
>
>
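A check for step (15) above, added here as an example and not part of Mr. Higgins' message: it lists everything under the anonymous ftp tree that is group- or other-writable, skipping the one intended drop box (the 1777 contrib directory). The names /ftproot and pub/contrib are assumptions; adjust them to your layout.

```shell
#!/bin/sh
# Added example (not from the original posts): audit the chroot tree so that
# nothing except the drop box is writable by group or other.
# /ftproot and pub/contrib below are assumed names.

# find_writable ROOT DROPBOX: print every group- or other-writable entry
# under ROOT, without descending into ROOT/DROPBOX (the 1777 drop box).
find_writable() {
    root=$1
    dropbox=$2
    find "$root" -path "$root/$dropbox" -prune -o \
         \( -perm -20 -o -perm -2 \) -print
}

# audit_ftproot ROOT DROPBOX: succeed only when nothing offending is found;
# otherwise list the offenders on stderr and fail, so cron mails you.
audit_ftproot() {
    offenders=$(find_writable "$1" "$2")
    if [ -n "$offenders" ]; then
        printf 'writable entries under %s:\n%s\n' "$1" "$offenders" >&2
        return 1
    fi
    return 0
}

# Stand-alone use on a real tree, if one exists on this machine.
if [ -d /ftproot ]; then
    audit_ftproot /ftproot pub/contrib
fi
```

Run it from cron after any change to the tree; an empty report means the 555/444 layout from steps (6), (7) and (15) is still intact.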

========================= Continue ====================================

     The way I did it was to install /usr/local/etc/in.ftpd and
/usr/local/etc/ftpcount. I made the transfer log file
/var/adm/xferlog. I also created /usr/local/adm/ftpd (you may want it
in /var/adm) for the PID files. Here is what I used in pathnames.h

#define _PATH_FTPUSERS "/etc/ftpusers"
#define _PATH_FTPACCESS "/etc/ftpaccess"
#define _PATH_EXECPATH "/bin/ftp-exec"
#define _PATH_PIDNAMES "/usr/local/adm/ftpd/ftp.pids-%s"
#define _PATH_XFERLOG "/usr/adm/xferlog"

     Once that was done, I created /etc/ftpusers and /etc/ftpaccess.
/etc/ftpusers is empty for us, because we don't want to restrict any
users in particular. My ftpaccess file is given below (without the == lines).
 
     All the paths mentioned in this file are relative to /usr/ftp, so
I had to create /usr/ftp/etc/msgs with the files msg.toomany and
welcome.msg. I also installed the msg.dead, but I don't remember why.

======================================================================
class local real *.cs.purdue.edu 128.10.*.* 128.211.1.*
class remote real *

class lanon guest,anonymous *.cs.purdue.edu 128.10.*.* 128.211.1.*
class anon guest,anonymous *

limit lanon 10 Any /etc/msgs/msg.toomany
limit anon 10 Any /etc/msgs/msg.toomany

readme README* login
readme README* cwd=*

message /etc/msgs/welcome.msg login
message .message cwd=*

log commands anonymous
log transfers anonymous inbound,outbound
======================================================================

     This creates four classes of ftp logins: local real logins,
foreign real logins, local anonymous logins, and foreign anonymous
logins. We limit each class of anonymous logins to 10 at a time.

     The readme lines tell ftpd to notify the user of the existence
and timestamp on any README* (i.e. README or README.new, etc) at login
time, and whenever doing a cd, if it exists in the current directory.

     The message lines tell it to show the file welcome.msg at login
time, and to also display the file .message if it exists in the
current directory.

     The log lines tell ftpd to log all anonymous commands and
transfers. So far as I know, only the transfer logging actually
works.

     After getting all these files in place, I changed the line in
/etc/inetd.conf from

ftp stream tcp nowait root /usr/etc/in.ftpd in.ftpd

to

ftp stream tcp nowait root /usr/local/etc/ftpd ftpd

(I used this line in my inetd.conf. - Fengdao Liu)

and sent a HUP signal to inetd. (kill -HUP PID)

     The xferlog log file will grow indefinitely unless you use some
external method of clearing it. I chose to create a subdirectory
(/var/adm/ftplog) and split the xferlog file up by month and compress
the old months' files. Nothing very fancy, but some people locally
want to know who is getting their software. I wrote a simple script
for doing this. I put it in /var/adm/ftplog/xfersum and invoke it
once a month from cron.

===============================xfersum================================
#!/bin/sh
#
# xfersum - split and compress the xferlog file used by the local ftpd.
#
# December 16, 1992
# Daniel Trinkle
# Department of Computer Sciences
# Purdue University
# West Lafayette, IN 47907
#
PATH=/bin:/usr/bin:/usr/ucb
export PATH
umask 137
LOGDIR=/var/adm/ftplog
LOG=/var/adm/xferlog
DEBUG=:

if cd $LOGDIR ; then
        :
else
        echo "ERROR: xfersum: cannot change directory to $LOGDIR"
        exit 1
fi
if [ ! -f $LOG ] ; then
        echo "ERROR: xfersum: no log file to split: $LOG"
        exit 1
fi
if [ ! -s $LOG ] ; then
        echo "xfersum: no log entries in $LOG, exiting"
        exit 0
fi

# Move current log out of the way, and start a new one
if mv $LOG $LOG.old && touch $LOG ; then
        :
else
        echo "ERROR: xfersum: could not reset the log file: $LOG"
        exit 1
fi

# Split the old log into month specific files
$DEBUG "Splitting $LOG.old"
awk '
{
        file = "ftplog." $2 "." $5 ".new";
        print $0 >file;
}' $LOG.old
rm -f $LOG.old

# Compress each month file, appending it to an existing compressed file if
# there is one.
$DEBUG "Compressing split files"
for nfile in ftplog.*.new ; do
        file=`basename $nfile .new`
        if [ -f $file.Z ] ; then
                if zcat $file | cat - $nfile | compress > $nfile.Z ; then
                        $DEBUG "Appended $nfile to $file"
                        mv -f $nfile.Z $file.Z
                        rm -f $nfile
                else
                        echo "ERROR: xfersum: Append failed for $nfile, continuing"
                fi
        else
                mv $nfile $file
                if compress $file ; then
                        $DEBUG "Compressed $file"
                else
                        echo "ERROR: xfersum: Compress failed for $file, continuing"
                fi
        fi
done

exit 0
======================================================================

 
     All this is the way we do it. There are many parameters you can
customize, but I hope it gives you a good idea of how to get started.
 
Daniel Trinkle trinkle@cs.purdue.edu
Dept. of Computer Sciences {backbone}!purdue!trinkle
Purdue University 317-494-7844
West Lafayette, IN 47907-1398
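To see how the class and limit lines above are evaluated, here is an added example that is not part of Mr. Trinkle's message and not wu-ftpd's own code: it reads the same ftpaccess lines and reports which class a login falls in and whether that class is already full. It assumes first-match ordering of class lines and shell-glob matching of the host patterns, and handles only the "Any" time specification; the copy of the ftpaccess lines and the hostnames are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: evaluate ftpaccess "class" and "limit" lines the way the
# text above describes them (first matching class wins; a full class gets
# the msg.toomany file). Not wu-ftpd's code; assumes shell-glob host
# matching and only the "Any" time specification.

# Constructed copy of the class/limit lines from the message above.
ACCESS=$(mktemp)
trap 'rm -f "$ACCESS"' EXIT
cat > "$ACCESS" <<'EOF'
class local real *.cs.purdue.edu 128.10.*.* 128.211.1.*
class remote real *

class lanon guest,anonymous *.cs.purdue.edu 128.10.*.* 128.211.1.*
class anon guest,anonymous *

limit lanon 10 Any /etc/msgs/msg.toomany
limit anon 10 Any /etc/msgs/msg.toomany
EOF

# ftp_class FILE TYPE HOST ADDR: print the first class whose login-type list
# contains TYPE and whose patterns match HOST or ADDR; fail if none matches.
# Runs in a subshell with globbing off so a "*" pattern is never expanded
# against the current directory.
ftp_class() (
    set -f
    file=$1; type=$2; host=$3; addr=$4
    while read -r kw name types patterns; do
        [ "$kw" = class ] || continue
        case ",$types," in *",$type,"*) ;; *) continue ;; esac
        for pat in $patterns; do
            case "$host" in $pat) echo "$name"; exit 0 ;; esac
            case "$addr" in $pat) echo "$name"; exit 0 ;; esac
        done
    done < "$file"
    exit 1
)

# ftp_limit FILE CLASS COUNT: with COUNT sessions already open in CLASS,
# succeed if one more may log in; otherwise print the "too many" message
# path and fail. A class with no limit line is unlimited.
ftp_limit() {
    file=$1; cls=$2; count=$3
    while read -r kw name max times msg; do
        [ "$kw" = limit ] && [ "$name" = "$cls" ] || continue
        if [ "$count" -ge "$max" ]; then
            echo "$msg"
            return 1
        fi
        return 0
    done < "$file"
    return 0
}

# Stand-alone demonstration with constructed hosts.
for who in "anonymous lore.cs.purdue.edu 128.10.2.5" \
           "anonymous ftp.example.org 192.0.2.10" \
           "real host.example.net 203.0.113.7"; do
    set -- $who
    cls=$(ftp_class "$ACCESS" "$1" "$2" "$3") || cls=none
    echo "$1 login from $2 ($3) -> class $cls"
done
```

Because the first matching class wins, the local classes must stay above the catch-all "*" classes in the file; swapping the order silently puts every Purdue host into the remote/anon classes and their 10-session limit.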
 
Once again, thanks all of you, Sun-Managers.

Fengdao Liu
fdl@glnpogis5.r05.epa.gov

BTW:

If you want to display a message for telnet users, you can use Mr. John Storm's
solution:

Use a "wrapper" for in.telnetd. Change the line in /etc/inetd.conf
  from
telnet stream tcp nowait root /usr/etc/in.telnetd in.telnetd
  to
telnet stream tcp nowait root /.../telnet.msg in.telnetd
 
 
Telnet.msg is simply a script that outputs the warning and then invokes the
telnet daemon process. Where this script lives is up to you - ours is in
/usr/local/scripts. An example is:
 
#!/bin/sh
#
/usr/5bin/echo
/usr/5bin/echo "_]_]_]_]_]_]_]_]_]_]_]_]_]_]_]_]_]_]_]_]_]_]_]_]_]_]_]_] \r"
/usr/5bin/echo "_] _] \r"
/usr/5bin/echo "_] THIS IS A PRIVATE COMPUTING SYSTEM, _] \r"
/usr/5bin/echo "_] RESTRICTED TO AUTHORIZED USERS. _] \r"
/usr/5bin/echo "_] _] \r"
/usr/5bin/echo "_] UNAUTHORIZED ACCESS OR USE WILL _] \r"
/usr/5bin/echo "_] RESULT IN PROSECUTION. _] \r"
/usr/5bin/echo "_] _] \r"
/usr/5bin/echo "_]_]_]_]_]_]_]_]_]_]_]_]_]_]_]_]_]_]_]_]_]_]_]_]_]_]_]_] \r"
/usr/5bin/echo
/usr/5bin/echo
exec in.telnetd



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:07:26 CDT