--- Sjoerd Hooft's InFormation Technology ---


Since I restricted access for local users on my AIX boxes, users have had a problem placing files on them. The files need to be accessible to local users for compiling, deploying or whatever purpose they are intended for. This is more complex than it seems: we are talking about multiple users working at the same time on the same project, placing and editing files all the time. When the ownership of these files is not changed to a local account or to one user in common, a permission and ownership nightmare occurs. With this in mind I had to change the security model so that it is still compliant with the security policy while development has a workable environment. The security model allows no login from local (fictional) user accounts, and real users (employees) have to log in through ssh, being authenticated through LDAP. Sudo rights are given only to some specific users who know what they are doing, and every sudo command gets logged to the SYSLOG server, which is only available to the IT department.

SSH Allow

The first step is to make sure only LDAP-authenticated users are allowed to log in. To enforce this policy before this problem arose, local accounts were simply set so that they could not log on, neither locally nor remotely. This still makes it possible to su to another user, but logging in directly is prohibited. With the new requirements this is not enough anymore: to be able to log on through ssh you now have to be a member of a group in the same LDAP directory. To configure this, open sshd_config and add these lines at the end of the file:

sjoerd@aixbox:/home/sjoerd>sudo cat /etc/ssh/sshd_config | grep -i group
# Only allow users to use ssh when member of this group
AllowGroups ssh-access

This group should be in the LDAP directory. In our case this group is configured as everyone's primary group, so it is an excellent group to use for this purpose.

Allow Remote Login

As said before, local accounts were previously prohibited from logging in to the box by setting their account attributes accordingly. This is not necessary anymore, so change that so they can log in:

sudo chuser rlogin=true <username>

Of course, before you do this, make sure the users cannot log in through any service except the ones you want. In this document I described how to disable all unnecessary services on your AIX box.

Enable FTP

Now it's time to enable FTP again, because I disabled all unnecessary services from running as described here. This means I have to enable the FTP service (subserver) in the inetd subsystem, start the inetd subsystem, and make sure it starts after a reboot.

Enable FTP:

chsubserver -a -v ftp -p tcp

Start inetd subsystem:

startsrc -s inetd

Start inetd after reboot:

chrctcp -a inetd

Start inetd now and after reboot:

chrctcp -S -a inetd

Refresh inetd with new settings after you've changed config files etc:

refresh -s inetd

Configure FTP

To allow only a single host, create a file called /etc/ftpaccess.ctl like this:

sjoerd@aixbox:/home/sjoerd>cat /etc/ftpaccess.ctl 

NOTE: There is a <space> directly after the host. I found that the configuration does not work if it is not there.

If you want to restrict users from the FTP service, you can create a file called /etc/ftpusers like this:

sjoerd@aixbox:/home/sjoerd>cat /etc/ftpusers

These users are now blocked from logging in through FTP. Note that this file is case sensitive.
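An added example, not from the original page: a small POSIX shell audit of the three settings described above (the uncommented AllowGroups line in sshd_config, the case-sensitive /etc/ftpusers, and the trailing space after the host in /etc/ftpaccess.ctl). It runs against constructed sample files in a temp directory; the host "buildhost", the user "deployuser" and the "allow:" keyword in ftpaccess.ctl are assumptions, since the page does not show those files' contents.

```sh
#!/bin/sh
# Added audit helper (not from the original page). Sample files are constructed
# here in a temp directory; on a real AIX box point these variables at /etc/... instead.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
SSHD_CONFIG="$TMP/sshd_config"
FTPUSERS="$TMP/ftpusers"
FTPACCESS="$TMP/ftpaccess.ctl"

printf '%s\n' '# Only allow users to use ssh when member of this group' \
              'AllowGroups ssh-access' > "$SSHD_CONFIG"
# Constructed local accounts that must not use FTP.
printf '%s\n' 'root' 'deployuser' > "$FTPUSERS"
# Constructed host entry; the "allow:" keyword is an assumption about the file
# format. The trailing space after the host is the one the page describes.
printf 'allow: buildhost \n' > "$FTPACCESS"

# 1. sshd restricts logins to the named group. Only an uncommented AllowGroups
#    line counts (sshd_config keywords are case-insensitive, so compare lowercased).
ssh_group_restricted() {
    awk -v g="$1" '
        tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) if ($i == g) found = 1 }
        END { exit found ? 0 : 1 }' "$SSHD_CONFIG"
}

# 2. /etc/ftpusers is matched case-sensitively, line by line: "Root" does not
#    block "root". -x requires the whole line to match, -F takes the name literally.
ftp_user_blocked() {
    grep -qxF "$1" "$FTPUSERS"
}

# 3. Every non-empty line in ftpaccess.ctl must end with the trailing space,
#    otherwise the host restriction silently does not apply.
ftpaccess_lines_ok() {
    awk 'NF == 0 { next } !/ $/ { bad = 1 } END { exit bad + 0 }' "$FTPACCESS"
}

# Human-readable summary when the script is run directly.
audit_report() {
    ssh_group_restricted ssh-access && echo "ssh: restricted to ssh-access" || echo "ssh: NOT restricted"
    ftp_user_blocked root && echo "ftp: root blocked" || echo "ftp: root NOT blocked"
    ftpaccess_lines_ok && echo "ftpaccess.ctl: ok" || echo "ftpaccess.ctl: missing trailing space"
}
audit_report
```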

aixftp.txt · Last modified: 2019/11/18 12:21 (external edit)