WU-FTPD 2.6.
Legal Notices © Copyright 2001, 2011 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice.
Contents
1 WU-FTPD 2.6.1 Release Notes 5
Announcement 5
What Is In This Version 6
WU-FTPD 2.6.1 Features
Defects Fixed in the HP-UX 11i v1 Operating System 45
Defects Fixed in the HP-UX 11i v3 Operating System
1 WU-FTPD 2.6.1 Release Notes
This document discusses the most recent product information pertaining to WU-FTPD 2.6.1. It also discusses how to install WU-FTPD 2.6.1 on the HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3 operating systems. This document addresses the following topics:
• “Announcement” (page 5)
• “What Is In This Version” (page 6)
• “WU-FTPD 2.6.
• RFC 959 (FILE TRANSFER PROTOCOL (FTP))
• RFC 1639 (FTP Operation Over Big Address Records (FOOBAR))
• RFC 2428 (FTP Extensions for IPv6 and NATs)
What Is In This Version
The revision of WU-FTPD 2.6.1, B.11.11.01.014, on the HP-UX 11i v1 operating system contains defect fixes. For information on defect fixes, see “Defects Fixed in This Release” (page 45).
WU-FTPD 2.6.1 Features
Following are the WU-FTPD 2.6.
NOTE: The TLS/SSL feature is available on the HP-UX 11i v2 and HP-UX 11i v3 operating systems. You can install the WU-FTPD 2.6.1 enhancement bundle, which you can download from http://www.software.hp.com, to obtain the TLS/SSL feature on the HP-UX 11i v2 operating system. The WU-FTPD 2.6.1 enhancement bundle contains the latest core patch required for the TLS/SSL feature on the HP-UX 11i v2 operating system. The WU-FTPD 2.6.
keys to authenticate the server and, if required, the client, and to provide session-level encryption and confidentiality for the entire session.
• Hash algorithms. These algorithms are a set of one-way functions that accept a variable-length input and, after mathematical processing, produce a fixed-length output. The transformation of the data produces a fingerprint of the input. Minor changes to the input appear as large changes in the output. Popular hash algorithms include SHA-1, MD5, and RIPEMD.
sign other certificates, by signing the public key of a requesting body, such as your server, with the private key. The trust in identity is transitive, because the CA is recognized by all the involved parties as authoritative: "I trust the CA, and the CA says that it is you, so it must be true." Certificates can be revoked because of expiration or compromise in security. To do this, the issuing body provides a certificate revocation list (CRL) that identifies the certificates to be invalidated.
You can use either RSA or DSA keys to generate certificates for use with HP-UX FTP to secure the file transfer. For information on creating RSA and DSA certificates, see “Creating DSA Certificates and Keys” (page 13). The OpenSSL script, /opt/openssl/misc/CA.pl, can be used to generate certificates and keys. By default, the certificate files are created in an encrypted format using the Data Encryption Standard (DES) encryption. You must log in as a superuser and modify the CA.
system ("$REQ -new -nodes -keyout newkey.pem -out newreq.pem $DAYS");
The only change is the addition of the -nodes option while generating certificates. If you do not include this option, you must set the password option (in the configuration file or on the command line) on the FTP server and the ssl_password option on the FTP client.
NOTE: You must modify the first line in the CA.pl script to the location of the perl interpreter on your system.
• The ./demoCA/cacert.pem file. This is the CA certificate file you can exchange with communication partners for TLS authentication or verification.
• The ./demoCA/private/cakey.pem file. This is the private key file of the CA and is passphrase-protected. You can use this private key to sign or revoke certificates.
NOTE: Do not exchange the private key file with communication partners.
b. Generate the certificate and the key pair for the FTP server:
$ ./CA.
cp /opt/openssl/misc/newkey.pem /etc/ftpd/security/ftpd-rsa-key.pem
cp /opt/openssl/misc/newcert.pem /etc/ftpd/security/ftpd-rsa-cert.pem
The FTP server is now ready with the signed public certificate and the private key.
Creating DSA Certificates and Keys
This section provides an example to create DSA certificates and keys.
NOTE: You must create DSA certificates only if you want to use DSA certificates instead of RSA certificates.
Following is an example to create DSA certificates and keys:
1.
NOTE: By default, the CA.pl script prompts for a password to protect the private keys. If the private key is protected with a PEM passphrase, enable the ftpd -z password=value option and set the appropriate password.
1. Ensure that the OpenSSL software is installed on the system.
2. For the HP-UX 11i v2 operating system, the WU-FTPD 2.6.1 software bundle provides the FTP product bundle and the SSL libraries as two independent products. So, ensure that the ftp-ssl-ncf FTP TLS enhancement software is installed on the system. For the HP-UX 11i v3 operating system, the WU-FTPD 2.6.1 software bundle provides the FTP server and the SSL libraries as a single product, so no additional software needs to be installed on the system.
3. Configure OpenSSL and generate X.509 certificates and keys before starting the FTP server.
4. Enable TLS configuration for the FTP server using either of the following methods:
• Using the -z command-line option in ftpd(1M).
• Using the TLS configuration file.
FTP_SSL_NOFALLBACK
Specifies whether SSL fallback is enabled. By default, fallback is enabled.
FTP_SSL_PROT
Specifies whether data channel encryption is enabled. By default, it is enabled.
FTP_SSL_RANDFILE
Specifies the file used for seeding the random number generator.
FTP_SSL_LOGFILE
Specifies the logfile for the debug mode.
FTP_SSL_CONFIG_FILE
Specifies the file that contains the configuration options related to TLS.
FTP_SSL_KEYT_FILE=/home/SSL/CERTS/server-key.pem
FTP_SSL_DSAKEY_FILE=/home/SSL/CERTS/dsaclient-key
FTP_SSL_CA_FILE=/home/SSL/CERTS/ca-cert.pem
• Using the Configuration File
You can include all the environment variables in a configuration file and invoke FTP as follows:
# ftp -z config=config_filename server_name
• Using the Command Line
ftp -z debug=2 -z secure -z logfile=/tmp/ssl.log -z \
CAfile=/var/opt/ftp/CA-Certs/ca-cert.
key=/etc/ftpd/security/ftpd-rsa-key.pem -z CAfile=/etc/ftpd/security/ftpd-rsa-ca.pem
• Using the Configuration File
Specify the TLS configuration file in the FTP service entry in the /etc/inetd.conf file. Following is the FTP service entry in the /etc/inetd.conf file:
ftp stream tcp6 nowait root /usr/lbin/ftpd ftpd -l -L -a -z usetls -z config=/etc/ftpd/security/tls.conf
Following are the contents of the /etc/ftpd/security/tls.
ftp -z CAfile=/etc/ftpd/security/ca.pem -z cert=/home/user1/certificate.pem -z key=/home/user1/private-key.pem
• Using the Configuration File
To start the FTP client using a configuration file, run the following command:
ftp -z config=config-file server-name
where:
config-file Specifies the name of the configuration file.
server-name Specifies the name of the server to which data must be transferred.
5.
same system. The advantage of virtual FTP support is that the identity of the machine is hidden. Additionally, this feature enables a single machine to act as multiple FTP servers for multiple domains. Figure 1 shows a graphical representation of an FTP server, ftp.domain.com, hosting two virtual domains, ftp.animals.com and ftp.flowers.com.
Figure 1 Structure of an FTP Server Hosting Two Virtual Domains
[Figure: ftp.domain.com (FTP Server) hosting ftp.animals.com (Virtual Domain 1) and ftp.flowers.com]
NOTE: A sample configuration file exists in the /usr/newconfig/etc/ftpd/examples directory.
Example 1 The /etc/ftpd/ftpservers Configuration File Entry
The following example shows a possible entry in the /etc/ftpd/ftpservers configuration file:
123.123.123.123 /etc/ftpd/somedomain
In this example, when an FTP client connects to the server using the IP address 123.123.123.
The virtual address allow username and virtual address deny username directives
These directives are used to allow or deny real and guest users. They can be used in the /etc/ftpd/ftpaccess file and the virtual domain-specific ftpaccess file.
virtual address allow username [ username ... ]
virtual address deny username [ username ... ]
The virtual address private directive
This directive is used to deny anonymous FTP login. By default, anonymous users are allowed to log in to a virtual FTP setup.
NOTE: The virtual address logfile path directive does not require the virtual address root directive. This directive overrides the logfile path directive. If the /etc/ftpd/ftpaccess file has the logfile path directive but does not have the virtual address logfile path directive, then the logfile path directive does not affect the behavior of the ftpd(1M) daemon.
The virtual address hostname string directive
This directive is used to change the default hostname of the FTP server.
NOTE: The virtual address incmail emailaddress directive does not require the virtual address root path directive. This directive overrides the incmail emailaddress directive. If the master /etc/ftpd/ftpaccess configuration file has the incmail emailaddress directive but does not have the virtual address incmail emailaddress directive, the incmail emailaddress directive does not affect the behavior of the ftpd(1M) daemon.
The virtual address private directive
This directive is used to deny anonymous access to a virtual FTP setup. This directive can also be used in the master /etc/ftpd/ftpaccess file.
The root path directive
This directive is used to allow anonymous FTP access in a virtual FTP setup.
The banner path directive
This directive is used to display the banner message. This directive is used in the /etc/ftpd/ftpaccess file.
NOTE: Do not use the virtual address incmail emailaddress directive in the virtual domain's ftpaccess file because it does not have any effect.
The mailfrom emailaddress directive
This directive is used to change the sender's email address for anonymous upload notifications. This directive is used in the /etc/ftpd/ftpaccess file.
NOTE: Do not use the virtual address mailfrom emailaddress directive in the virtual domain's ftpaccess file because it does not have any effect.
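The precedence rules above (a virtual address logfile or virtual address incmail directive overriding the plain logfile or incmail directive, and virtual address private denying anonymous logins) are easy to get wrong when a master ftpaccess file grows. The following is an added example, not HP's or WU-FTPD's code: it parses a constructed /etc/ftpd/ftpservers file and a constructed master /etc/ftpd/ftpaccess file and reports the directive that actually applies to a connection on a given address. The addresses, paths and mail addresses are sample values.

```python
"""Resolve which ftpaccess directive applies to a virtual FTP host.

Added example (not HP's or WU-FTPD's code). It models the /etc/ftpd/ftpservers
lookup and the precedence rule stated in the release notes: a
`virtual <address> logfile` or `virtual <address> incmail` directive in the
master /etc/ftpd/ftpaccess file overrides the plain `logfile`/`incmail`
directive for connections arriving on that address, and
`virtual <address> private` denies anonymous logins there.
The file contents and addresses below are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample of /etc/ftpd/ftpservers: "<address> <per-domain config dir>"
FTPSERVERS = """\
# address          config directory
123.123.123.123    /etc/ftpd/somedomain
10.0.0.5           /etc/ftpd/flowers
"""

# Constructed sample of the master /etc/ftpd/ftpaccess file
FTPACCESS = """\
logfile /var/adm/syslog/xferlog
incmail ftp-admin@domain.example
virtual 123.123.123.123 root /home/virtual/somedomain
virtual 123.123.123.123 logfile /var/log/somedomain-xferlog
virtual 10.0.0.5 hostname ftp.flowers.example
virtual 10.0.0.5 incmail flowers-uploads@domain.example
virtual 10.0.0.5 private
"""


def _config_lines(text: str):
    """Yield non-empty lines with '#' comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_ftpservers(text: str) -> Dict[str, str]:
    """Map each listed address to its per-domain configuration directory."""
    servers: Dict[str, str] = {}
    for line in _config_lines(text):
        addr, confdir = line.split(None, 1)
        servers[addr] = confdir.strip()
    return servers


@dataclass
class Directives:
    """Directives split into global ones and per-virtual-address ones."""
    global_: Dict[str, str] = field(default_factory=dict)
    virtual: Dict[str, Dict[str, str]] = field(default_factory=dict)


def parse_ftpaccess(text: str) -> Directives:
    """Collect `virtual <addr> <key> [value]` and plain `<key> [value]` lines."""
    d = Directives()
    for line in _config_lines(text):
        parts = line.split()
        if parts[0] == "virtual" and len(parts) >= 3:
            addr, key, value = parts[1], parts[2], " ".join(parts[3:])
            d.virtual.setdefault(addr, {})[key] = value  # "private" -> ""
        else:
            d.global_[parts[0]] = " ".join(parts[1:])
    return d


def effective(d: Directives, addr: str, key: str) -> Optional[str]:
    """The virtual-address directive wins; otherwise fall back to the global one."""
    per_host = d.virtual.get(addr, {})
    if key in per_host:
        return per_host[key]
    return d.global_.get(key)


def anonymous_allowed(d: Directives, addr: str) -> bool:
    """Anonymous login is allowed unless `virtual <addr> private` is present."""
    return "private" not in d.virtual.get(addr, {})


if __name__ == "__main__":
    servers = parse_ftpservers(FTPSERVERS)
    conf = parse_ftpaccess(FTPACCESS)
    for addr, confdir in servers.items():
        print(addr, confdir,
              "logfile:", effective(conf, addr, "logfile"),
              "incmail:", effective(conf, addr, "incmail"),
              "anonymous:", anonymous_allowed(conf, addr))
```

The resolver only models the master file; per-domain ftpaccess files under the ftpservers directories are handled separately by ftpd, and as the notes say, the virtual address incmail and virtual address mailfrom directives have no effect there.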
permission for the appropriate ftpgroups file to modify the access group information. For more information, type man 4 ftpgroups at the HP-UX prompt.
New Clauses in the /etc/ftpd/ftpaccess File
The following new clauses are added in the /etc/ftpd/ftpaccess file:
• The email-on-load Clause
You can use this clause to specify email addresses for anonymous upload notifications and also to specify the email address of the sender. By default, the address of the sender is specified as wu-ftpd.
Following are examples of the email-on-load feature:
◦ mailserver abc.com
This specifies the name of a mail server that accepts upload notifications for the FTP daemon. You can use this option to notify any user of anonymous uploads.
◦ incmail def@abc.com
This specifies the email addresses to be notified of anonymous uploads.
◦ mailfrom ghi@abc.com
This specifies the sender’s email address for anonymous upload notifications.
timeout maxidle
timeout RFC931
Following are some examples for the timeout clause:
◦ timeout idle 200
This displays the message Current IDLE time limit is 200 seconds; max 7200
◦ timeout maxidle 6200
This displays the message Current IDLE time limit is 200 seconds; max 6200
◦ timeout RFC931 0
This disables RFC 931-based authentication because 0 is specified.
• Enhanced DNS Extensions
You can use this feature to refuse (or override) an FTP session when a reverse DNS lookup fails.
NOTE: You cannot control the reported address in an IPv6 environment.
PORT and PASV Data Connection
This feature enables the site administrator to selectively allow PORT and PASV data connections. Usually a data connection is not established if the remote IP address of the data connection does not match the remote IP address of the control connection. You can specify multiple passive addresses to handle complex or multi-gateway networks.
NOTE: For all these clauses, you must copy the libraries /usr/lib/libnss_files.1 and /usr/lib/libdld.2 to the /usr/lib directory of the current environment.
• Virtual Server
You can use the virtual server clauses to restrict user access to both the virtual and non-virtual domains. Additionally, you can use the options specified in the virtual clause to display the virtual host name. The syntax for the virtual clause is as follows:
virtual
allow [ username ... ]
• Default Host Name
This feature defines the default host name of the FTP server that is displayed in the greeting message. If you do not specify this clause, the default host name of the local machine is used. The syntax for specifying the default host name is as follows:
hostname
Example 3 The hostname Clause
An example of the hostname clause is as follows:
hostname telnet2.123.com
This clause displays the default host name (telnet2.123.
• Treatment of UIDs and GIDs as Guests
This feature allows you to force the user IDs (UIDs) and group IDs (GIDs) in a range to be treated as guests. The syntax for treating UIDs and GIDs as guests is as follows:
guestuser [ username ... ]
realgroup [ groupname ... ]
realuser [ username ... ]
• Upload and Download Ratios
You can set the upload and download ratio to limit the user’s ability to upload and download files. By default, a ratio is not set.
defumask entry, use umask as the default for classes that do not have a defumask entry. The syntax for the defumask clause is as follows:
defumask umask [ class ]
Example 6 The defumask Clause
The following are some examples for the defumask clause:
defumask 0177
defumask 0133 ClassA
This clause creates files with the permission -rw-r--r-- for a user of ClassA. For other users, files are created with the permission -rw-------.
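Because a class-specific defumask, a class-less defumask and the plain umask clause all compete, it helps to compute the resulting file mode per class before enabling anonymous uploads. The following is an added example, not HP's code: it parses a constructed ftpaccess fragment mirroring Example 6, applies the precedence described above, renders the mode the way ls -l would, and flags masks that would leave uploaded files writable by everyone. The fallback constant MANPAGE_DEFAULT_UMASK (027) is taken from the ftpd(1M) manpage value quoted in the defect table of these notes.

```python
"""Work out the mode of a file created by ftpd under umask/defumask rules.

Added example, not HP's code. It parses `umask <mask>` and
`defumask <mask> [class]` lines from a constructed /etc/ftpd/ftpaccess
fragment and applies the precedence described in the release notes: a
defumask entry for the user's class wins, a class-less defumask is the
default for all other classes, and plain `umask` is used only when no
defumask entry applies.
"""
import stat
from typing import Dict, NamedTuple, Optional

# Constructed fragment mirroring Example 6 of the release notes
FTPACCESS_UMASK = """\
umask 022
defumask 0177
defumask 0133 ClassA
"""

# Used only when the file names no mask at all; the ftpd(1M) manpage value
# (027) is the one quoted in the QXCR1000576150 defect entry of these notes.
MANPAGE_DEFAULT_UMASK = 0o027


class UmaskRules(NamedTuple):
    umask: Optional[int]             # plain `umask` line, if any
    default_defumask: Optional[int]  # `defumask <mask>` with no class
    per_class: Dict[str, int]        # `defumask <mask> <class>`


def parse_umask_rules(text: str) -> UmaskRules:
    """Read umask/defumask lines; masks are octal as in the ftpaccess file."""
    umask = default_def = None
    per_class: Dict[str, int] = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "umask" and len(parts) == 2:
            umask = int(parts[1], 8)
        elif parts[0] == "defumask" and len(parts) >= 2:
            mask = int(parts[1], 8)
            if len(parts) >= 3:
                per_class[parts[2]] = mask
            else:
                default_def = mask
    return UmaskRules(umask, default_def, per_class)


def effective_umask(rules: UmaskRules, class_name: str) -> int:
    """Class-specific defumask > class-less defumask > umask > manpage default."""
    if class_name in rules.per_class:
        return rules.per_class[class_name]
    if rules.default_defumask is not None:
        return rules.default_defumask
    if rules.umask is not None:
        return rules.umask
    return MANPAGE_DEFAULT_UMASK


def created_mode(umask_value: int, requested: int = 0o666) -> int:
    """Mode of a newly created regular file: requested bits minus the mask."""
    return requested & ~umask_value & 0o777


def mode_string(mode: int) -> str:
    """Render like `ls -l`, e.g. 0o644 -> '-rw-r--r--'."""
    return stat.filemode(stat.S_IFREG | mode)


def leaves_world_writable(umask_value: int) -> bool:
    """True if files created under this mask are writable by other users;
    a check worth running on every class that may upload anonymously."""
    return bool(created_mode(umask_value) & stat.S_IWOTH)


if __name__ == "__main__":
    rules = parse_umask_rules(FTPACCESS_UMASK)
    for cls in ("ClassA", "ClassB"):
        mask = effective_umask(rules, cls)
        print(f"{cls}: mask {mask:04o} -> {mode_string(created_mode(mask))}")
```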
Example 8 The anonymous-root Clause
The following are examples of the anonymous-root clause:
anonymous-root /home/ftp
anonymous-root /home/localftp localnet
The first example changes the root directory of all the anonymous users to the directory /home/ftp, the anonymous user’s current working directory being the home directory. If an FTP user exists in the /home/ftp/etc/passwd file, the user’s current working directory is the home directory.
New Feature Related to Data Transfer The following lists the data transfer features: • For statistical purposes, you can track the total bytes of data transferred. Also, you can limit the number of data bytes that a user, in any given class, can transfer. You can specify a directive in the /etc/ftpd/ftpaccess file to limit the number of bytes incoming, outgoing, or both.
Table 3 New Options in WU-FTPD 2.6.1 (continued)
Option Description
-w and -W This option determines if user logins must be recorded in the /var/adm/wtmp and /var/adm/btmp files.
-X This option does not save the output created by the -i and -o options to the /var/adm/syslog/xferlog file but writes it to the /var/adm/syslog/syslog.log file.
-I This option enables the use of the Identification Protocol (RFC 1413) to attempt to determine the username on the client.
Example 10 EPRT Command Output for IPv4 and IPv6 Connections
The following displays the output for the EPRT command for both IPv4 and IPv6 connections.
For IPv4:
------> EPRT |1|132.235.1.2|50934|
For IPv6:
------> EPRT |2|fe80::260:b0ff:fec1:7b2f|50934|
EPSV - Extended Passive
This command requests a server to listen on a data port and wait for a connection. The response to this command includes only the TCP port number of the listening connection.
Example 13 LPASV Command Output
The following displays the output for the LPASV command:
ftp> passive
Passive mode on.
-------> LPSV
228 Entering Long Passive Mode (6,16,254,128,0,0,0,0,0,0,2,96,176,255,254,193,123,47,2,134,7)
NOTE: The FTP client must use the -l option to use the LPSV and LPRT commands. The FTP session command longaddr toggles the use of the LPRT (extended port) and LPSV (extended passive) commands. For more information on the -l option, type man 1 ftp at the HP-UX prompt.
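The LPSV reply above packs the address family, address length, address bytes, port length and port bytes into one comma-separated list, while EPRT and EPSV use the delimited form of RFC 2428. The following is an added example, not HP's or WU-FTPD's code: it decodes the 228 reply shown in Example 13, a constructed 229 EPSV reply, and EPRT arguments in the form shown in Example 10, and then applies the rule stated in the PORT and PASV data connection feature description, namely that a data-connection address that does not match the remote address of the control connection is refused. The port-range check in the last function is a common extra safeguard that these notes do not describe.

```python
"""Decode LPSV/EPSV replies and EPRT arguments and check the data peer.

Added example, not HP's or WU-FTPD's code. It parses the RFC 1639 long
address in a 228 LPSV reply (af, hal, address bytes, pal, port bytes), the
port in a 229 EPSV reply and the `|af|host|port|` argument of EPRT
(RFC 2428), then applies the rule the release notes state for PORT/PASV data
connections: the data-connection address must match the remote address of
the control connection or the connection is refused.
The sample replies are constructed from the values shown in the examples.
"""
import ipaddress
import re
from typing import Tuple

# Reply constructed from the LPSV example in the release notes
LPSV_REPLY = ("228 Entering Long Passive Mode "
              "(6,16,254,128,0,0,0,0,0,0,2,96,176,255,254,193,123,47,2,134,7)")
# Constructed EPSV reply in RFC 2428 form (only the port is returned)
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50934|)"


def parse_lpsv(reply: str) -> Tuple[str, int]:
    """Return (address, port) from a 228 reply's long-address list."""
    m = re.search(r"\(([\d,\s]+)\)", reply)
    if not m:
        raise ValueError("no long address in reply")
    nums = [int(n) for n in m.group(1).replace(" ", "").split(",")]
    if len(nums) < 2:
        raise ValueError("truncated long address")
    af, hal = nums[0], nums[1]
    addr_bytes = bytes(nums[2:2 + hal])          # rejects values > 255
    pal_index = 2 + hal
    if len(addr_bytes) != hal or pal_index >= len(nums):
        raise ValueError("truncated long address")
    pal = nums[pal_index]
    port_bytes = nums[pal_index + 1:pal_index + 1 + pal]
    if pal == 0 or len(port_bytes) != pal:
        raise ValueError("truncated port field")
    if af == 4 and hal == 4:
        addr = str(ipaddress.IPv4Address(addr_bytes))
    elif af == 6 and hal == 16:
        addr = str(ipaddress.IPv6Address(addr_bytes))
    else:
        raise ValueError(f"unsupported address family {af} / length {hal}")
    port = 0
    for b in port_bytes:  # network byte order, most significant byte first
        port = (port << 8) | b
    return addr, port


def parse_epsv(reply: str) -> int:
    """Return the port from a 229 reply; EPSV carries no address."""
    m = re.search(r"\(\|\|\|(\d+)\|\)", reply)
    if not m:
        raise ValueError("no port in EPSV reply")
    return int(m.group(1))


def parse_eprt(argument: str) -> Tuple[int, str, int]:
    """Parse `<d><af><d><host><d><port><d>`; the delimiter is the first char."""
    if not argument:
        raise ValueError("empty EPRT argument")
    d = argument[0]
    parts = argument.split(d)
    if len(parts) != 5 or parts[0] or parts[4]:
        raise ValueError("malformed EPRT argument")
    af, host, port = int(parts[1]), parts[2], int(parts[3])
    ip = ipaddress.ip_address(host)  # raises on anything but an IP literal
    if (af, ip.version) not in ((1, 4), (2, 6)):
        raise ValueError("address family does not match the address")
    return af, host, port


def data_connection_allowed(control_peer: str, data_host: str, port: int) -> bool:
    """Refuse a data address that differs from the control connection's peer.
    The port-range check is a common extra safeguard, not a rule from the
    release notes."""
    if not 1024 <= port <= 65535:
        return False
    return ipaddress.ip_address(control_peer) == ipaddress.ip_address(data_host)


if __name__ == "__main__":
    addr, port = parse_lpsv(LPSV_REPLY)
    print("LPSV ->", addr, port)
    print("EPSV ->", parse_epsv(EPSV_REPLY))
    print("EPRT ->", parse_eprt("|2|fe80::260:b0ff:fec1:7b2f|50934|"))
    print("peer check:", data_connection_allowed(addr, "fe80::260:b0ff:fec1:7b2f", port))
```

Decoding the example reply gives the same link-local address that appears in the EPRT example, which is a quick way to confirm that the 16 address bytes were read in the right order.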
HP-Specific Features
HP has introduced the following features in WU-FTPD 2.6.1:
• Command-Line Options
Following are the options included in WU-FTPD 2.6.1:
◦ -m number_of_tries
Specifies the number of tries for a bind() socket call.
◦ -n nice_value
Sets the nice value for a WU-FTPD process. When using this option, ensure that the nice clause in the /etc/ftpd/ftpaccess file (see ftpaccess(4)) is not set.
◦ -B
Sets the buffer size of the data socket to blocks of 1024 bytes.
Compatibility Information
Customers currently using WU-FTPD 2.4 do not need to modify their configuration file. WU-FTPD 2.4 is compatible with this release of WU-FTPD. However, HP recommends that you use the WU-FTPD 2.6.1 configuration file delivered with this release to effectively use the new features and changes incorporated in WU-FTPD 2.6.1. You must modify your configuration settings only in the following instances:
• If you are upgrading to WU-FTPD 2.6.
in the /usr/contrib/wuftpd/save_custom/backup directory and enables the higher version of WU-FTPD by linking the new files to the existing file locations. The enable_inet -r wuftpd command enables you to revert to the previous version of WU-FTPD. To enable the newer version of WU-FTPD, you must run the enable_inet wuftpd command at the HP-UX prompt. The enable_inet status wuftpd command displays the currently active version of WU-FTPD.
Manpages
Table 4 describes the manpages distributed with the WU-FTPD 2.6.1 depot.
Table 4 WU-FTPD 2.6.1 Manpages
Manpage Description
ftp(1) User interface to the file transfer program
ftpd(1M) Server for the Defense Advanced Research Project Agency (DARPA) Internet file transfer protocol.
The README files for WU-FTPD 2.6.1 are available in the /usr/share/doc directory.
Defects Fixed in This Release
This section describes the WU-FTPD 2.6.1 defects fixed in the HP-UX 11i v1 and 11i v3 operating systems. It addresses the following topics:
• “Defects Fixed in the HP-UX 11i v1 Operating System” (page 45)
• “Defects Fixed in the HP-UX 11i v3 Operating System” (page 49)
Defects Fixed in the HP-UX 11i v1 Operating System
Table 5 describes the defects fixed in the HP-UX 11i v1 operating system.
Table 5 Defects Fixed in the HP-UX 11i v1 Operating System (continued) Identifier Description JAGae21322 In an FTP session, when the command ls is executed with the pathname of any file followed by /., FTP displays the long listing of the file instead of displaying the error message not found. For instance, when the ls /etc/passwd/. command is issued in an FTP session, the long listing of the file /etc/passwd is displayed. JAGae12022/ QXCR1000512388 JAGae62972/ QXCR1000521254 In WU-FTPD 2.6.
Table 5 Defects Fixed in the HP-UX 11i v1 Operating System (continued) Identifier Description JAGaf35480/ ftpd(1M) always uses the primary interface address of the system for the data connection instead of using the address on which the control connection request is received. QXCR1000539305 JAGaf33866/ QXCR1000538860 JAGaf32059/ QXCR1000538330 JAGae79698/ QXCR1000525558 In an NFS-mounted file system, which is full, the ftp(1) get or mget command fails without displaying any error message.
Table 5 Defects Fixed in the HP-UX 11i v1 Operating System (continued)
Identifier Description
JAGae22345/QXCR1000513734 ftpd(1M) does not clean up certain environment variables when started in stand-alone mode.
Defects fixed in WU-FTPD 2.6.1 (B.11.11.01.010)
JAGag20313/QXCR1000572236 The directives related to the virtual hosting feature are not documented properly in the documentation available for ftpaccess(4).
JAGag03440/ ftpd(1M) has a problem with the guestserver clause.
Table 5 Defects Fixed in the HP-UX 11i v1 Operating System (continued)
Identifier Description
QXCR1000965335 When the ftpwho(1) command is run, it does not return the expected process information for each connected ftp session.
QXCR1000576150 The default umask for ftpd(1M) is set to 022 instead of 027 as mentioned in the manpage. Due to this, ftpd(1M) does not behave as expected in certain account configurations.
Defects fixed in WU-FTPD 2.6.1 (B.11.11.01.
Table 6 Defects Fixed in the HP-UX 11i v3 Operating System (continued)
Identifier Description
QXCR1000545220 When the ftpd daemon logs file transfers in the /var/adm/syslog/xferlog.log file, filenames containing 8-bit ASCII characters may be incorrectly logged.
QXCR1000867024 The exceptions in handling file names logged in the /var/adm/syslog/xferlog.log file are not documented in the xferlog(5) man page.
QXCR1000895696 WU-FTPD 4.0 of 2.6.1 does not create the /etc/ftpd directory on installation.