Secure FTP on MPE/iX
Page 6 of 28
FTP/iX is based on RFC 959, which does not address encryption or user authentication. If these two security areas
are essential for your FTP file transfers, some solutions are offered in the Alternatives section. Note that modern user
authentication is beyond the scope of this paper. However, FTP/iX now offers better security than RFC 959
requires in several key areas, which are summarized below and described in detail in Section 6.
• User Restriction: The FTP/iX server still validates users with the existing user ID/password mechanism;
this enhancement additionally gives system managers the ability to deny FTP access to specified users, even
if they know the password. The configuration file FTPUSERS.ARPA.SYS is populated with the user names that
are to be denied logon to the FTP/iX server. Users appearing in this file cannot log on to FTP, while users who
are not listed are subject to normal FTP logon authentication. All other MPE/iX security mechanisms are
unaltered. The one exception is that users with SM capability bypass the FTPUSERS configuration file and are
therefore permitted to log on to the FTP/iX server (given a valid user name and password). Absence of the
FTPUSERS file, which is the default, means that no users are restricted beyond the normal logon requirements.
Changes to this file take effect at the next FTP logon session.
• File Retrieval Denial: Under normal circumstances FTP/iX imposes no restrictions of its own on retrieving
files; the MPE/iX operating system's security may prevent file access, but until now FTP did not add rules of
its own. The NORETRIEVE option in the new FTPACCES.ARPA.SYS file strengthens the inherent security of
FTP/iX by letting the system administrator block retrieval of one or more files independent of the FTP user ID
and independent of MPE's security. FTPACCES is a configuration file that can list files to which all FTP users
will be denied access. It names files, or sets of files (i.e. the files contained in groups, accounts, or directories),
that will not be transferred by FTP/iX regardless of the underlying MPE security. As with the FTPUSERS file,
users with SM capability are exempt from this enhanced file security rule. Absence of the FTPACCES file, which
is the default, means that the FTP/iX server enforces no additional file restrictions. Changes to this file take
effect at the next FTP logon session.
• CHROOT: The chroot option in the FTPACCES.ARPA.SYS configuration file confines a specified user to a
single group or directory (and everything below it) when logging on to the FTP/iX server. When chroot is in
effect the FTP user is limited to that location and the directories below it. This option restricts the inbound FTP
commands cd, put, get, mput, mget and dir to the configured root: users cannot move up beyond the specified
root location, and they are not permitted to reference files outside their chroot location. As with the first two
enhancements, this restriction does not apply to users with SM capability. By default the FTPACCES file does
not exist, so all users may name and access any file within MPE's security guidelines.
• Restriction on File Permissions: New options PERMISSION_DELETE, PERMISSION_OVERWRITE and
PERMISSION_RENAME can be set in the existing configuration file SETPARMS.ARPA.SYS. When one of these
options is enabled, the corresponding action is denied. For instance, if PERMISSION_RENAME is set to ON,
renaming files within the context of FTP/iX is not allowed, regardless of the corresponding MPE file security.
The default setting for each of these options is OFF, and these restrictions do not apply to users with SM
capability.
• Command and File Transfer Logging: LOG_COMMANDS and LOG_TRANSFERS are new options in the
SETPARMS.ARPA.SYS configuration file that enable logging of FTP commands and of file transfer statistics.
When these options are set to ON, the FTP client-server transactions and communications are logged. Log
messages are recorded in the file FTPLOG##.ARPA.SYS, where ## is a two-digit number in the range 00 to 99.
• NETRC file: The NETRC file is an existing feature of the FTP client that facilitates automated logon to a
remote host. Prior to this enhancement the FTP client required the user to have read access to NETRC in order
to perform the automated logon, which also meant that any FTP user who could read the file could obtain the
user IDs and passwords stored in it. A new security enhancement has been added to the FTP client so that it
can still read the NETRC file while MPE security denies read access to other users.
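The five server-side options above amount to a small, deny-list style policy layered in front of MPE's own file security, with one consistent exception (SM capability) and one consistent caveat (the files are read at logon). The following Python models that decision logic so the interactions can be exercised. It is an added example, not HP's code, and it does not reproduce the on-disk syntax of FTPUSERS.ARPA.SYS, FTPACCES.ARPA.SYS or SETPARMS.ARPA.SYS (which this page defers to Section 6); each file is represented as Python data instead. The mapping of MPE names FILE.GROUP.ACCOUNT onto HFS-style paths /ACCOUNT/GROUP/FILE, the sample users, file names and policy are all assumptions made for illustration.

```python
"""Model of the FTP/iX deny-list policy (added example, not HP code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
import posixpath


@dataclass
class Session:
    user: str          # logon user as USER.ACCOUNT, e.g. "MGR.PAYROLL" (assumed form)
    sm: bool = False   # System Manager capability: bypasses every FTP/iX rule below


@dataclass
class FtpPolicy:
    # FTPUSERS.ARPA.SYS: users DENIED ftp logon; None models an absent file
    ftpusers: Optional[Set[str]] = None
    # FTPACCES.ARPA.SYS NORETRIEVE entries: files, groups, accounts or directories
    noretrieve: Set[str] = field(default_factory=set)
    # FTPACCES.ARPA.SYS chroot entries: user -> root group/account or directory
    chroot: Dict[str, str] = field(default_factory=dict)
    # SETPARMS.ARPA.SYS PERMISSION_* options; True models ON (action denied)
    permission_delete: bool = False
    permission_overwrite: bool = False
    permission_rename: bool = False


def canon(name: str) -> str:
    """Normalise an MPE name (FILE.GROUP.ACCOUNT) or HFS path to /ACCOUNT/GROUP[/FILE].

    '..' components are resolved here, so a chroot comparison on the result
    cannot be escaped by path traversal (posixpath.normpath clamps '..' at '/').
    The MPE-to-HFS mapping is an assumption of this example.
    """
    name = name.strip().upper()
    if name.startswith("/"):
        return posixpath.normpath(name)
    parts = name.split(".")
    if len(parts) not in (2, 3):              # GROUP.ACCOUNT or FILE.GROUP.ACCOUNT
        raise ValueError(f"not an MPE name: {name!r}")
    return "/" + "/".join(reversed(parts))


def within(path: str, scope: str) -> bool:
    """True if path equals scope or lies underneath it."""
    scope = scope.rstrip("/") or "/"
    return path == scope or path.startswith(scope + "/")


def can_logon(policy: FtpPolicy, s: Session) -> bool:
    """FTPUSERS is a deny list: an absent file, or SM capability, means no restriction."""
    if s.sm or policy.ftpusers is None:
        return True
    return s.user.upper() not in {u.upper() for u in policy.ftpusers}


def check(policy: FtpPolicy, s: Session, cmd: str, name: str,
          target_exists: bool = False) -> Tuple[bool, str]:
    """Apply the FTP/iX-level rules to one command; MPE file security is applied
    by the OS afterwards and is not modelled. Returns (allowed, reason)."""
    if s.sm:
        return True, "SM bypass"
    path = canon(name)
    root = policy.chroot.get(s.user.upper())
    if root is not None and not within(path, canon(root)):
        return False, f"chroot: {path} is outside {canon(root)}"
    if cmd in ("get", "mget") and any(within(path, canon(sc)) for sc in policy.noretrieve):
        return False, f"NORETRIEVE: {path}"
    if cmd in ("put", "mput") and target_exists and policy.permission_overwrite:
        return False, "PERMISSION_OVERWRITE"
    if cmd == "delete" and policy.permission_delete:
        return False, "PERMISSION_DELETE"
    if cmd == "rename" and policy.permission_rename:
        return False, "PERMISSION_RENAME"
    return True, "allowed at FTP/iX level; MPE file security still applies"


# Constructed sample policy; names and entries are invented for this example.
POLICY = FtpPolicy(
    ftpusers={"GUEST.SYS"},
    noretrieve={"DATA.PAYROLL"},               # whole group denied to every non-SM user
    chroot={"CLERK.PAYROLL": "WORK.PAYROLL"},  # clerk confined to one group
    permission_delete=True,                    # PERMISSION_DELETE ON
)

if __name__ == "__main__":
    print(can_logon(POLICY, Session("GUEST.SYS")))
    print(check(POLICY, Session("CLERK.PAYROLL"), "get", "/PAYROLL/WORK/../DATA/SALARY"))
    print(check(POLICY, Session("MGR.PAYROLL", sm=True), "get", "SALARY.DATA.PAYROLL"))
```

Two points the model makes visible: every control is a deny list on top of a default-open server, so an omitted entry is an allow, and SM capability short-circuits all of them, which makes limiting who holds SM the control that actually matters. Because the real server reads these files at logon, a policy change does not reach a session that is already open.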
http://jazz.external.hp.com/papers/Securing-FTP-Whitepaper.html
7/18/2008