Securing FTP/iX
permission for the NETRC file.
• Only one "default" entry is allowed per file.
• Each of the tokens "machine", "login", "password" and "default" must match exactly, and must be in lower-case.
• Tokens are separated by any number of SPACE or TAB characters.
• Each {string} identifier can be a double-quoted string. This is useful when a SPACE is embedded in a password, for example. Single-quoted strings are not supported. The entries
  machine "HPSYS" login "MGR.TELESUP" password "USERPASS,ACCTPASS"
  and
  machine HPSYS login MGR.TELESUP password USERPASS,ACCTPASS
  are equivalent.
• The node name specified in the NETRC file is "CaSe SeNsItIvE" and must match the case of the node name specified in the open command.
• Any changes to this file take effect in the next FTP logon session.
• Unencrypted passwords stored in a file like this constitute a security risk. ACDs can be enforced on the NETRC file to restrict who can read it. For example, the following grants read, append, write and lock access only to the file's creator (CR) and execute access to users of the account (AC):
  :altsec NETRC.{home-group}.{account};access=(R,A,W,L:CR;X:AC)
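As an added example (not code from the whitepaper or from the FTP/iX client), the following Python parser enforces the rules listed above on a constructed NETRC file: exact lower-case keywords, SPACE/TAB separation, double-quoted strings with embedded blanks, a single "default" entry, and case-sensitive node lookup. It assumes that an entry's tokens may continue onto the next line (the text only specifies SPACE/TAB between tokens) and treats a single quote as an ordinary character, since single-quoted strings are not supported. The names SAMPLE, parse_netrc and lookup are chosen here.

```python
"""Validating parser for the NETRC format described above (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

KEYWORDS = ("machine", "login", "password", "default")


class NetrcError(ValueError):
    """Raised when the file violates one of the documented rules."""


@dataclass
class NetrcEntry:
    machine: Optional[str]          # None for the "default" entry
    login: Optional[str] = None
    password: Optional[str] = None


# A token is a double-quoted string (which may embed SPACE/TAB, e.g. a password
# containing a space) or a run of non-blank characters.  Assumption: newlines
# separate tokens just like SPACE/TAB, so an entry may span lines.
_TOKEN = re.compile(r'"([^"\n]*)"|(\S+)')


def tokenize(text: str):
    """Return [(value, was_quoted), ...]; an unterminated quote is an error."""
    tokens = []
    for m in _TOKEN.finditer(text):
        quoted, bare = m.group(1), m.group(2)
        if bare is not None and bare.startswith('"'):
            raise NetrcError(f"unterminated double-quoted string: {bare!r}")
        tokens.append((quoted if quoted is not None else bare, quoted is not None))
    return tokens


def parse_netrc(text: str):
    """Parse a NETRC file into entries, enforcing the documented rules."""
    entries, current, default_seen = [], None, False
    tokens = tokenize(text)
    i = 0
    while i < len(tokens):
        word, was_quoted = tokens[i]
        if was_quoted:
            raise NetrcError(f"expected a keyword, got quoted string {word!r}")
        # Keywords must match exactly and be lower-case: "Machine" is rejected.
        if word.lower() in KEYWORDS and word not in KEYWORDS:
            raise NetrcError(f"keyword {word!r} must be in lower-case")
        if word == "machine":
            if i + 1 >= len(tokens):
                raise NetrcError("machine keyword without a node name")
            current = NetrcEntry(machine=tokens[i + 1][0])
            entries.append(current)
            i += 2
        elif word == "default":
            if default_seen:
                raise NetrcError('only one "default" entry is allowed per file')
            default_seen = True
            current = NetrcEntry(machine=None)
            entries.append(current)
            i += 1
        elif word in ("login", "password"):
            if current is None:
                raise NetrcError(f"{word} appears before any machine/default entry")
            if i + 1 >= len(tokens):
                raise NetrcError(f"{word} keyword without a value")
            setattr(current, word, tokens[i + 1][0])
            i += 2
        else:
            # A single-quoted value such as 'a b' ends up here as the stray token b'
            raise NetrcError(f"unexpected token {word!r}")
    return entries


def lookup(entries, node: str) -> Optional[NetrcEntry]:
    """Find the entry for the node named in the ftp open command.

    The match is CaSe SeNsItIvE, so "hpsys" does not match "HPSYS"; the
    "default" entry, if present, is used when nothing matches.
    """
    for entry in entries:
        if entry.machine == node:
            return entry
    return next((e for e in entries if e.machine is None), None)


# Constructed sample file; the first two entries show the two equivalent spellings.
SAMPLE = '''\
machine "HPSYS" login "MGR.TELESUP" password "USERPASS,ACCTPASS"
machine HPSYS2 login MGR.TELESUP password USERPASS,ACCTPASS
machine DEVSYS login "OPERATOR.SYS" password "pass word,ACCT PASS"
default login anonymous password "ftp@example.invalid"
'''

if __name__ == "__main__":
    entries = parse_netrc(SAMPLE)
    for node in ("HPSYS", "hpsys", "DEVSYS", "OTHER"):
        e = lookup(entries, node)
        print(f"{node:8} -> machine={e.machine!r} login={e.login!r} password={e.password!r}")
    for bad in ("Machine HPSYS login X password Y",
                "default login a password b\ndefault login c password d",
                "machine HPSYS login 'a b' password c"):
        try:
            parse_netrc(bad)
        except NetrcError as err:
            print("rejected:", err)
```

Running the script shows "hpsys" and "OTHER" falling through to the default entry, while the three malformed files (upper-case keyword, two defaults, single-quoted value) are rejected before any credential is used.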
6.4.2 Example
Consider the following entry in a NETRC file:
machine "HPSYS" login "TEMPMGR.SYS" password "USERPASS,ACCTPASS"
This file should reside in the home group of TEMPMGR.SYS and should grant other users no permission other than execute, as the security listing below shows (note the ACD EXISTS flag):
:listfile netrc,security
*****************************************
FILE: NETRC.PUB.SYS
ACCOUNT ------ READ    : ANY
               WRITE   : AC
               APPEND  : AC
               LOCK    : ANY
               EXECUTE : ANY
GROUP -------- READ    : ANY
               WRITE   : ANY
               APPEND  : ANY
               LOCK    : ANY
               EXECUTE : ANY
               SAVE    : ANY
FILE --------- READ    : ANY        FCODE: 0
               WRITE   : ANY        **SECURITY IS ON
               APPEND  : ANY        ACD EXISTS
               LOCK    : ANY
               EXECUTE : ANY
Page 20 of 28    Secure FTP on MPE/iX    7/18/2008    http://jazz.external.hp.com/papers/Securing-FTP-Whitepaper.html