WU-FTPD 2.6.
Legal Notices © Copyright 2001, 2011 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice.
Contents
1 WU-FTPD 2.6.1 Release Notes  4
  Announcement  4
  What is in this version  4
  WU-FTPD 2.6.1 features
1 WU-FTPD 2.6.1 Release Notes
This document discusses the most recent product information pertaining to WU-FTPD 2.6.1. It also discusses how to install WU-FTPD 2.6.1 on the HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3 operating systems. This document addresses the following topics:
• “Announcement” (page 4)
• “What is in this version” (page 4)
• “WU-FTPD 2.6.
WU-FTPD 2.6.1 features
Following are the WU-FTPD 2.6.1 features supported on the HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3 operating systems:
NOTE: Except for the TLS/SSL feature, all the features discussed in this section are available in WU-FTPD 2.6.1 on the HP-UX 11i v1 operating system.
Support for TLS/SSL
The Transport Layer Security/Secure Sockets Layer (TLS/SSL) feature enables the HP-UX FTP product to use the security features provided by OpenSSL.
the server and, if required, the client, and to provide session-level encryption and confidentiality for the entire session.
• Hash algorithms. These algorithms are a set of one-way functions that accept a variable-length input and, after mathematical processing, produce a fixed-length output. The transformation of the data produces a fingerprint of the input; minor changes to the input appear as large changes in the output. Popular hash algorithms include SHA-1, MD5, and RIPEMD.
• Organizational unit (OU), such as a department within an organization
• City or location (L) where an organization is located
• State or province (SP) where the city is located
• Country (C) in the International Organization for Standardization (ISO) format (such as U.S.)
The DN is the combination of these certificate fields.
        $RET=$?;
        print "Certificate is in newcert.pem, private key is in newkey.pem\n"
    } elsif (/^-newreq$/) {
        system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS");   # callout 2
        $RET=$?;
        print "Request is in newreq.pem, private key is in newkey.pem\n";
    } elsif (/^-newreq-nodes$/)
1 Replace this line with the following:
        system ("$REQ -new -nodes -x509 -keyout newkey.pem -out newcert.pem $DAYS");
2 Replace this line with the following:
        system ("$REQ -new -nodes -keyout newkey.pem -out newreq.
• The ./demoCA/cacert.pem file. This is the CA certificate file you can exchange with communication partners for TLS authentication or verification.
• The ./demoCA/private/cakey.pem file. This is the private key file of the CA and is passphrase-protected. You can use this private key to sign or revoke certificates.
NOTE: Do not exchange the private key file with communication partners.
b. Generate the certificate and the key pair for the FTP server:
$ ./CA.
1. Create DSA parameters:
   openssl dsaparam -out dsap.pem 1024
2. Create a DSA CA certificate and private key:
   openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem
3. Create the CA directories and files:
   /opt/openssl/misc/CA.pl -newca
   Enter cacert.pem when prompted for the CA file name.
4. Create a DSA certificate request and private key (a different set of parameters can optionally be created first):
   openssl req -out newreq.pem -newkey dsa:dsap.pem
5. Sign the request:
   CA.
ftp-ssl-ncf FTP TLS enhancement software is installed in the system. Run the following command to ensure that the software is installed:
# swlist -l product | grep ftp-ssl-ncf
The following output is displayed if the software is installed in the system:
ftp-ssl-ncf B.11.23.01.001 ftp-ssl-ncf web release
For the HP-UX 11i v3 operating system, the WU-FTPD 2.6.1 software bundle provides the FTP server and the SSL libraries as a single product.
FTP_SSL_CA_FILE   Specifies the CA certificate.
FTP_SSL_CA_PATH   Specifies the pathname for the CA certificate.
FTP_SSL_CRL_FILE  Specifies the CRL file location for the FTP client.
FTP_SSL_CRL_PATH  Specifies the CRL file pathname.
FTP_TLS_PASSWD    Specifies the password to decrypt the PEM key file(s).
NOTE: For information on the default values, see the ftp(1) manpage.
a. X.509 RSA Certificate Authority (CA).
b. X.509 RSA server certificate signed by the CA certificate (certificate file).
c. X.509 RSA private key associated with the RSA server certificate (key file).
2. Copy the CA file, certificate file, and key file to the /etc/ftpd/security directory in the server, for example, /etc/ftpd/security/ca.pem, /etc/ftpd/security/ftpd-rsa-cert.pem, and /etc/ftpd/security/ftpd-rsa-key.pem, respectively.
3.
export FTP_SSL_CERT_FILE=/home/user1/certificate.pem
export FTP_SSL_KEYT_FILE=/home/user1/private-key.pem
• Using Command-Line Options
To start the FTP client using command-line options, run the following command:
ftp -z CAfile=/etc/ftpd/security/ca.pem -z cert=/home/user1/certificate.pem -z key=/home/user1/private-key.pem
• Using the Configuration File
To start the FTP client using a configuration file, run the following command:
ftp -z config=
where:
5.
Figure 1 Structure of an FTP Server Hosting Two Virtual Domains
[Figure: ftp.domain.com (FTP Server) hosting ftp.animals.com (Virtual Domain 1) and ftp.flowers.com (Virtual Domain 2)]
In Figure 1, a user connected to the FTP server ftp.domain.com through the domain ftp.animals.com receives a different banner and directory than a user who is connected to the same server through the domain ftp.flowers.com.
• virtual address private
• virtual address { root|banner|logfile } path
• virtual address { hostname|email } string
• virtual address incmail emailaddress
• virtual address mailfrom emailaddress
Usage
This section describes the functionality of the various directives.
The virtual address allow username and virtual address deny username directives
These directives are used to allow or deny real and guest users.
NOTE: The virtual address logfile path directive does not require the virtual address root directive. This directive overrides the logfile path directive. If the /etc/ftpd/ftpaccess file has the logfile path directive but does not have the virtual address logfile path directive, then the logfile path directive does not affect the behavior of the ftpd(1M) daemon.
The virtual address hostname string directive
This directive is used to change the default hostname of the FTP server.
NOTE: The virtual address mailfrom emailaddress directive does not require the virtual address root path directive. This directive overrides the mailfrom emailaddress directive. If the master /etc/ftpd/ftpaccess configuration file has the mailfrom emailaddress directive but does not have the virtual address mailfrom emailaddress directive, the mailfrom emailaddress directive does not affect the behavior of the ftpd(1M) daemon.
NOTE: Do not use the virtual address logfile path directive in the ftpaccess file of the virtual domain because the directive does not have any effect.
The hostname some.host.name directive
This directive is used to change the hostname string. This directive is used in the /etc/ftpd/ftpaccess file.
NOTE: Do not use the virtual address hostname some.host.name directive in the virtual domain's ftpaccess file because it does not have any effect.
You must ensure that the files referenced after changing the root directory exist in the virtual server (similar to the scenario for setting up an anonymous account).
The privatepw utility
The administrative utility, /usr/bin/privatepw, is used to update the group access file information in the /etc/ftpd/ftpgroups file. The administrator can add, delete, and list the enhanced access group information required for the SITE GROUP and SITE GPASS commands.
Following are examples of the email-on-upload feature:
◦ mailserver abc.com
  This specifies the name of a mail server that accepts upload notifications from the FTP daemon. You can use this option to notify any user of anonymous uploads.
◦ incmail def@abc.com
  This specifies the email addresses to be notified of anonymous uploads.
◦ mailfrom ghi@abc.com
  This specifies the sender’s email address for anonymous upload notifications.
• Enhanced DNS Extensions
You can use this feature to refuse (or override) an FTP session when a reverse DNS lookup fails. The syntax for the enhanced DNS extension feature is as follows:
dns refuse_mismatch [ override ]
dns refuse_no_reverse [ override ]
dns resolveroptions
• Reported Address Control
This feature enables you to impose control on the address reported in response to a PASV command and on the TCP port numbers that can be used for a passive data connection.
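The check behind the two dns refuse_* directives is forward-confirmed reverse DNS: the PTR name found for the client address must itself resolve back to that address. The following is an added example of that logic, not wu-ftpd or HP code. The PTR and A records are a constructed in-memory table so it runs offline (socket.gethostbyaddr() and socket.getaddrinfo() would replace them in a real daemon), and treating override as "admit the session but log a warning" is an assumption drawn from the phrase "refuse (or override)" above.

```python
"""Forward-confirmed reverse DNS admission check (added example, not wu-ftpd code)."""
from dataclasses import dataclass


@dataclass
class DnsPolicy:
    refuse_no_reverse: bool = False   # dns refuse_no_reverse
    refuse_mismatch: bool = False     # dns refuse_mismatch
    override: bool = False            # [ override ]: assumed to mean "warn, but admit"


# Constructed PTR (reverse) and A (forward) records for the demonstration.
PTR_RECORDS = {
    "192.0.2.10": "good.example.net",
    "192.0.2.20": "spoof.example.net",
    # 192.0.2.30 deliberately has no PTR record
}
A_RECORDS = {
    "good.example.net": {"192.0.2.10"},
    "spoof.example.net": {"198.51.100.7"},   # forward record does not point back at the client
}


def check_client(addr, policy, ptr=PTR_RECORDS, a=A_RECORDS):
    """Return (admit, reason) for a connecting client address.

    A missing PTR record is the 'no reverse' case; a PTR name whose A records do
    not include the client address is the 'mismatch' case."""
    name = ptr.get(addr)
    if name is None:
        if policy.refuse_no_reverse:
            return _decide(policy, "no reverse DNS entry for %s" % addr)
        return True, "no PTR record; not enforced"
    if addr not in a.get(name, set()):
        if policy.refuse_mismatch:
            return _decide(policy, "%s -> %s does not resolve back to %s" % (addr, name, addr))
        return True, "forward/reverse mismatch; not enforced"
    return True, "forward-confirmed %s" % name


def _decide(policy, problem):
    """Apply the refuse-or-override outcome to a failed check."""
    if policy.override:
        return True, "WARNING: %s (admitted because of 'override')" % problem
    return False, "refused: %s" % problem
```

A mismatch is what a spoofed PTR record looks like from the server's side, which is why refuse_mismatch is the stricter of the two directives; with neither directive configured the check is only informational.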
messages for incoming and outgoing transfers to the /var/adm/syslog/syslog file. If you do not specify this option, the messages are written to the /var/adm/syslog/xferlog file. The general syntax to redirect messages is as follows:
log syslog
log syslog+xferlog
• File Retrieval
You can specify certain clauses to control whether a real or guest user is allowed access to areas on the FTP site other than their home directories.
• Default Host Name
This feature defines the default host name of the FTP server that is displayed in the greeting message. If you do not specify this clause, the default host name of the local machine is used. The syntax for specifying the default host name is as follows:
hostname
Example 3 The hostname Clause
An example of the hostname clause is as follows:
hostname telnet2.123.com
This clause displays the default host name (telnet2.123.
ul-dl-rate [ class ...]
dl-free [ class ...]
dl-free-dir [ class ...]
Example 5 The ul-dl-rate Clause
An example for the ul-dl-rate clause is as follows:
ul-dl-rate 2
For every 1 byte of data that is uploaded, the FTP server allows 2 bytes of data to be downloaded.
• The nice Clause
The nice clause allows you to modify the nice value of the FTP server if the remote user is a member of the named class.
Example 7 The site-exec-max-lines Clause
The following are some examples for the site-exec-max-lines clause:
site-exec-max-lines 200 remote
site-exec-max-lines 0 local
site-exec-max-lines 25
Example 7 contains three example statements for the site-exec-max-lines clause. The first limits the output from SITE EXEC (and therefore SITE INDEX) to 200 lines for remote users. The second specifies no limit for local users. The third sets a limit of 25 lines for all other users.
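Examples 5 and 7 both rely on the same class-based clause resolution: a clause that names the user's class applies to that class, and a clause with no class list applies to everyone else. The following is an added example of that resolution together with a simple model of the upload/download ratio; it is not wu-ftpd's parser or HP code. The matching rule is taken from the description of Example 7 above, the constructed ftpaccess fragment reproduces the two examples, and the ratio accounting (download allowance equals bytes uploaded times the ratio) is a straightforward reading of Example 5.

```python
"""Class-based limit resolution for ul-dl-rate and site-exec-max-lines
(added example, not wu-ftpd code)."""


def parse_clauses(text, keyword):
    """Collect (value, [classes]) for every ftpaccess line that starts with keyword.
    Text after '#' is treated as a comment."""
    out = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == keyword:
            out.append((int(parts[1]), parts[2:]))
    return out


def resolve(clauses, user_class):
    """Pick the clause for a class: an explicit class match wins, otherwise the
    class-less clause applies to all other users.  None when nothing applies."""
    for value, classes in clauses:
        if user_class in classes:
            return value
    for value, classes in clauses:
        if not classes:
            return value
    return None


def site_exec_limit(text, user_class):
    """Maximum SITE EXEC / SITE INDEX output lines for a class.
    None means unlimited: either no clause applies, or the clause says 0."""
    value = resolve(parse_clauses(text, "site-exec-max-lines"), user_class)
    return None if value in (None, 0) else value


def ratio_for(text, user_class):
    """The ul-dl-rate ratio for a class, or None if none is configured."""
    return resolve(parse_clauses(text, "ul-dl-rate"), user_class)


class RatioAccount:
    """Per-session upload/download ratio: each byte uploaded earns `ratio`
    bytes of download allowance, as in 'ul-dl-rate 2'."""

    def __init__(self, ratio):
        self.ratio = ratio
        self.uploaded = 0
        self.downloaded = 0

    def upload(self, nbytes):
        self.uploaded += nbytes

    def download_allowed(self, nbytes):
        """True if a further nbytes can be sent without exceeding the ratio."""
        if self.ratio is None:            # no ul-dl-rate clause for this class
            return True
        return self.downloaded + nbytes <= self.uploaded * self.ratio

    def download(self, nbytes):
        if not self.download_allowed(nbytes):
            raise PermissionError("upload/download ratio exceeded")
        self.downloaded += nbytes


# Constructed ftpaccess fragment reproducing Examples 5 and 7 above.
FTPACCESS = """
# limits per class
site-exec-max-lines 200 remote
site-exec-max-lines 0 local
site-exec-max-lines 25
ul-dl-rate 2 remote
"""
```

Running site_exec_limit(FTPACCESS, "anon") returns 25 because no clause names the anon class and the class-less clause is the fallback, while ratio_for(FTPACCESS, "local") returns None because ul-dl-rate has no class-less clause in this fragment.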
Enabling the Identification Protocol (RFC 1413)
The Identification Protocol, /usr/bin/ident, enables you to determine the identity of a user of a particular TCP connection. For a particular TCP port number pair, identd returns a character string that identifies the owner of that connection on the system running identd. You can use the -I daemon option to enable RFC 1413-based authentication. By default, this authentication is disabled.
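The exchange that -I triggers is short: ftpd connects to TCP port 113 on the client host, sends the port pair of the FTP control connection, and receives either a USERID or an ERROR line. The following is an added example of that exchange, not wu-ftpd or identd code; the query and reply strings are constructed here so it runs without a network. Because the reply is produced by the remote host, the returned name is untrusted and useful for logging and correlation only, which is why the parser validates strictly and sanitises the user-id before it reaches a log line.

```python
"""RFC 1413 Identification Protocol query and reply handling
(added example, not wu-ftpd or identd code)."""
import re

# Reply grammar from RFC 1413:
#   <port-on-identd-host> , <port-on-querying-host> : USERID : <opsys> : <user-id>
#   <port-on-identd-host> , <port-on-querying-host> : ERROR  : <error-type>
_REPLY = re.compile(
    r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\r?\n?$")
_ERRORS = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}


def build_query(port_on_identd_host, port_on_querying_host):
    """Query sent to the client's identd.  When ftpd is the querier, the first
    number is the client's TCP port on the control connection and the second
    is ftpd's own port (21)."""
    return "%d, %d\r\n" % (port_on_identd_host, port_on_querying_host)


def parse_reply(raw, port_on_identd_host, port_on_querying_host):
    """Parse an identd reply into a dict whose 'status' is 'ok', 'error' or
    'malformed'.  The echoed port pair must match the query we sent."""
    m = _REPLY.match(raw)
    if not m:
        return {"status": "malformed", "reason": "does not match RFC 1413 grammar"}
    p1, p2, kind, rest = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
    if (p1, p2) != (port_on_identd_host, port_on_querying_host):
        return {"status": "malformed",
                "reason": "port pair %d,%d does not echo the query" % (p1, p2)}
    if kind == "ERROR":
        err = rest.strip()
        if err not in _ERRORS and not err.startswith("X"):   # RFC 1413 allows X-prefixed extensions
            return {"status": "malformed", "reason": "unknown error type %r" % err}
        return {"status": "error", "error": err}
    opsys, sep, user = rest.partition(":")
    if not sep or not user.strip():
        return {"status": "malformed", "reason": "USERID reply lacks opsys or user-id"}
    # The user-id is chosen by the remote host (up to 512 octets): cap its length
    # and drop non-printable characters before it can be written to a log.
    user = "".join(ch for ch in user.strip()[:512] if ch.isprintable())
    return {"status": "ok", "opsys": opsys.strip(), "user": user}


def ident_log_field(reply):
    """Value to record for the remote user: the reported name, or '*' when
    identd returned an error or something unparseable."""
    return reply["user"] if reply["status"] == "ok" else "*"
```

The sample values follow the RFC's own example (port 6193 on the identd host); an answer of HIDDEN-USER or NO-USER is a normal outcome, not a failure, and is logged as "*" rather than blocking the session.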
Table 3 New Options in WU-FTPD 2.6.1 (continued)
Option      Description
-s and -S   These options run the daemon in standalone operation mode.
-c and -C   These options override the control and the data port numbers that are used by the daemon.
-U          For the HP-UX 11i v1 operating system, this option replaces the sendfiletransfer option in the /etc/ftpd/ftpaccess configuration file.
• Implementation of RFC 1639 (FTP Operation Over Big Address Records (FOOBAR))
This RFC describes a convention for specifying an address other than the default data port for the connection over which data is transferred. The commands to accommodate FTP operations over network and transport protocols are specified as follows:
◦ LPRT
This command enables you to specify a long address for the transport connection.
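Because LPRT (like PORT) lets the client name the host and port for the data connection, a server has to parse the long address strictly and decide whether it will connect there; this is the server-side counterpart of the Reported Address Control feature described earlier. The following is an added example, not wu-ftpd or HP code. The field layout (af,hal,h1..hn,pal,p1,p2 with af=4/hal=4 for IPv4 and af=6/hal=16 for IPv6) is RFC 1639's; the same-peer and port-range rules in accept_data_address() are assumed defensive defaults that illustrate the feature, not HP's exact behaviour.

```python
"""RFC 1639 long-address encoding/decoding and a data-address admission check
(added example, not wu-ftpd code)."""
import ipaddress

# address family code -> (address length in octets, address class)
_FAMILIES = {4: (4, ipaddress.IPv4Address), 6: (16, ipaddress.IPv6Address)}


def encode_lprt(host, port):
    """Build the argument of an LPRT command for an IPv4 or IPv6 endpoint."""
    ip = ipaddress.ip_address(host)
    if not 0 < port <= 0xFFFF:
        raise ValueError("port out of range")
    af = 4 if ip.version == 4 else 6
    fields = [af, len(ip.packed), *ip.packed, 2, port >> 8, port & 0xFF]
    return ",".join(str(f) for f in fields)


def decode_lprt(arg):
    """Parse an LPRT argument (or the address in an LPSV reply) strictly and
    return (host, port).  Raises ValueError on anything malformed."""
    try:
        nums = [int(x) for x in arg.split(",")]
    except ValueError:
        raise ValueError("non-numeric field") from None
    if len(nums) < 2 or nums[0] not in _FAMILIES:
        raise ValueError("unsupported address family")
    hal, cls = _FAMILIES[nums[0]]
    if nums[1] != hal or len(nums) != 2 + hal + 3:
        raise ValueError("field count does not match address family")
    if any(not 0 <= n <= 255 for n in nums[2:]):
        raise ValueError("field outside 0..255")
    host = cls(bytes(nums[2:2 + hal]))
    pal, p1, p2 = nums[2 + hal:]
    if pal != 2:
        raise ValueError("port length must be 2")
    return str(host), (p1 << 8) | p2


def accept_data_address(arg, control_peer, low=1024, high=65535):
    """Decide whether to open a data connection to a client-supplied address.

    Assumed policy: the data host must be the control connection's peer (so the
    server cannot be pointed at third-party hosts) and the port must lie inside
    the administrator's allowed range."""
    try:
        host, port = decode_lprt(arg)
    except ValueError as exc:
        return False, "malformed LPRT: %s" % exc
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer):
        return False, "data host %s is not the control peer %s" % (host, control_peer)
    if not low <= port <= high:
        return False, "port %d outside allowed range %d-%d" % (port, low, high)
    return True, "%s port %d" % (host, port)
```

The same decode_lprt() serves a client checking an LPSV reply: the decoded host should be the server it is already talking to, and a server whose reply names some other address is exactly the case the Reported Address Control settings exist to prevent.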
HP-Specific features
HP has introduced the following features in WU-FTPD 2.6.1:
• Command-Line Options
Following are the options included in WU-FTPD 2.6.1:
◦ -m number_of_tries
Specifies the number of tries for a bind() socket call.
◦ -n nice_value
Sets the nice value for a WU-FTPD process. When using this option, ensure that the nice clause in the /etc/ftpd/ftpaccess file (see ftpaccess(4)) is not set.
◦ -B
Sets the buffer size of the data socket to blocks of 1024 bytes.
You must modify your configuration settings only in the following instances:
• If you are upgrading to WU-FTPD 2.6.1 on an HP-UX 11i v1 operating system, you must consider the following:
◦ The sendfiletransfer option in the /etc/ftpd/ftpaccess configuration file is replaced with the -U option in WU-FTPD 2.6.1.
◦ The suppresshostname and suppressversion options in WU-FTPD 2.4 are replaced with the new greeting option in WU-FTPD 2.6.1. For more information on WU-FTPD 2.4, see the WU-FTPD 2.
Verifying the WU-FTPD 2.6.1 installation
To verify whether the WU-FTPD 2.6.1 depot is installed successfully on your system, enter the following command at the HP-UX prompt:
# swlist -l bundle | grep bundle_name
If WU-FTPD 2.6.1 is installed properly, the following output is displayed:
• On an HP-UX 11i v1 operating system
WU-FTP-261 B.11.11.01.014 WU-FTPD-2.6.1 special release upgrade
• On an HP-UX 11i v2 operating system
ftp-ssl-ncf B.11.23.01.
Table 4 WU-FTPD 2.6.1 Manpages (continued)
Manpage      Description
ftpusers(4)  File that contains the local user accounts to which remote logins are rejected by ftpd(1M)
ftphosts(4)  File that allows or denies access to certain accounts from various hosts
xferlog(5)   File that contains logging information from the FTP server daemon
Product documentation
For more information on configuring and administering FTP, see the HP-UX Remote Access Services Administrator’s Guide at www.hp.
Table 5 Defects Fixed in the HP-UX 11i v1 Operating System (continued)
Identifier                  Description
JAGae21322                  In an FTP session, when the ls command is executed with the pathname of any file followed by /., FTP displays the long listing of the file instead of displaying the error message "not found". For instance, when the ls /etc/passwd/. command is issued in an FTP session, the long listing of the file /etc/passwd is displayed.
JAGae12022/QXCR1000512388   In WU-FTPD 2.6.
Table 5 Defects Fixed in the HP-UX 11i v1 Operating System (continued)
Identifier                  Description
JAGae79698/QXCR1000525558   When ftp(1M) tries to transfer a file to an NFS-mounted directory on a system where the disk space is full, ftpd(1M) displays the following message even though the transfer operation has failed: 226 Transfer complete
Defects fixed in WU-FTPD 2.6.1 (B.11.11.01.007)
JAGaf82539/                 ftpd(1M) does not correctly process certain configuration information.
Table 5 Defects Fixed in the HP-UX 11i v1 Operating System (continued)
Identifier                  Description
JAGaf91258/QXCR1000559419   Certain inputs to ftpd(1M) can cause a huge delay in the response.
JAGaf71500/QXCR1000551539   ftpd(1M) does not list all the files when a file name glob is used with a directory listing command and the number of files matching the glob is more than 1000.
Defects fixed in WU-FTPD 2.6.1 (B.11.11.01.012)
JAGaf91565/                 Certain inputs to ftp(1) can cause a huge delay in the response.
Table 6 Defects Fixed in the HP-UX 11i v3 Operating System (continued)
Identifier       Description
QXCR1000508767   The ftp client and ftpd daemon do not support secure data transfer.
QXCR1000545220   When the ftpd daemon logs file transfers in the /var/adm/syslog/xferlog.log file, filenames containing 8-bit ASCII characters may be incorrectly logged.
QXCR1000867024   The exceptions in handling file names logged in the /var/adm/syslog/xferlog.log file are not documented in the xferlog(5) man page.