Add explanations for new features. Updated section on anonymous ftp setup.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@987 ec53bebd-3082-4978-b11e-865c3cabbd6b
Johan Danielsson
1996-11-16 18:51:10 +00:00
parent 5f9548982e
commit 6bed98db4d


@@ -67,10 +67,12 @@ Select the level of authentication required. Recognised values are:
.Bl -tag -width debug .Bl -tag -width debug
.It none .It none
Allows anyone to connect. Allows anyone to connect.
.It otp
Allows only OTP, kerberos authorized access and anonymous ftp.
.It safe .It safe
Allows only authorized access and anonymous ftp. Allows only kerberos authorized access and anonymous ftp.
.It user .It user
Allows only authorized access. Allows only kerberos authorized access.
.El .El
.It Fl d .It Fl d
Debugging information is written to the syslog using LOG_FTP. Debugging information is written to the syslog using LOG_FTP.
@@ -101,6 +103,8 @@ The default limit is 2 hours.
The inactivity timeout period is set to The inactivity timeout period is set to
.Ar timeout .Ar timeout
seconds (the default is 15 minutes). seconds (the default is 15 minutes).
.It Fl u
Set the initial umask to something else than the default 027.
.It Fl v .It Fl v
Verbose mode. Verbose mode.
.El .El
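Review bot: ".It Fl u" declares no argument, but the option takes a umask value; the neighbouring -t entry shows the page's convention (".Ar timeout" on its own line). Suggest ".It Fl u Ar umask" followed by "Set the initial umask to .Ar umask instead of the default 027", and say that the value is octal. "Something else than" is also awkward English.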
@@ -168,7 +172,7 @@ The case of the requests is ignored.
.It XRMD Ta "remove a directory (deprecated)" .It XRMD Ta "remove a directory (deprecated)"
.El .El
.Pp .Pp
The following commands are specified by ftpsec draft. The following commands are specified by the ftpsec draft.
.Bl -column Request -offset indent .Bl -column Request -offset indent
.It AUTH Ta "authentication/security mechanism" .It AUTH Ta "authentication/security mechanism"
.It ADAT Ta "authentication/security data" .It ADAT Ta "authentication/security data"
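Review bot: "the ftpsec draft" still does not identify which draft (name or revision), so a reader cannot check the AUTH/ADAT semantics against it; the page has a STANDARDS section, so put the draft reference there and point to it from this sentence.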
@@ -187,9 +191,14 @@ by the
SITE request. SITE request.
.Pp .Pp
.Bl -column Request -offset indent .Bl -column Request -offset indent
.It UMASK Ta change umask, e.g. ``SITE UMASK 002'' .It UMASK Ta change umask, (e.g.
.It IDLE Ta set idle-timer, e.g. ``SITE IDLE 60'' .Ic "SITE UMASK 002" )
.It CHMOD Ta change mode of a file, e.g. ``SITE CHMOD 755 filename'' .It IDLE Ta set idle-timer, (e.g.
.Ic "SITE IDLE 60" )
.It CHMOD Ta change mode of a file (e.g.
.Ic "SITE CHMOD 755 filename" )
.It FIND Ta quickly find a specific file with GNU
.Xr locate 1 .
.It HELP Ta give help information. .It HELP Ta give help information.
.El .El
.Pp .Pp
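Review bot: the new FIND entry does not follow the pattern set by the surrounding UMASK, IDLE and CHMOD entries, each of which now shows an invocation in ".Ic"; add one (e.g. .Ic "SITE FIND pattern"), and say here that the command only works when locate is installed in ~ftp/bin and a locatedb file exists in ~ftp/etc, which is what the anonymous-ftp section later in this patch requires. Otherwise a reader will try SITE FIND and get a failure with no explanation.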
@@ -232,17 +241,16 @@ If Kerberos authentication is used, the user must pass valid tickets
and the principal must be allowed to login as the remote user. and the principal must be allowed to login as the remote user.
.It .It
The login name must be in the password data base, and not have a null The login name must be in the password data base, and not have a null
password (if kerberos is used the password field is not checked). password (if kerberos is used the password field is not checked). In
In this case a password must be provided by the client before any this case a password must be provided by the client before any file
file operations may be performed. operations may be performed. If the user has an OTP key, the response
If the user has an S/Key key, the response from a successful USER from a successful USER command will include an OTP challenge. The
command will include an S/Key challenge. The client may choose to respond client may choose to respond with a PASS command giving either a
with a PASS command giving either a standard password or an S/Key standard password or an OTP one-time password. The server will
one-time password. The server will automatically determine which type of automatically determine which type of password it has been given and
password it has been given and attempt to authenticate accordingly. See attempt to authenticate accordingly. See
.Xr skey 1 .Xr otp 1
for more information on S/Key authentication. S/Key is a Trademark of for more information on OTP authentication.
Bellcore.
.It .It
The login name must not appear in the file The login name must not appear in the file
.Pa /etc/ftpusers . .Pa /etc/ftpusers .
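Review bot: the rewritten paragraph says the client "may choose to respond with a PASS command giving either a standard password or an OTP one-time password", but the -a level list earlier in this patch makes the standard-password choice invalid at the "otp" level (and above). Qualify the sentence, e.g. "unless the authentication level set with -a forbids plain passwords", so the two parts of the page agree. The S/Key to OTP rename itself, including dropping the Bellcore trademark note, looks complete.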
@@ -287,44 +295,111 @@ user.
In order that system security is not breached, it is recommended In order that system security is not breached, it is recommended
that the that the
.Dq ftp .Dq ftp
subtree be constructed with care, following these rules: subtree be constructed with care, consider following these guidelines
for anonymous ftp.
In general all files should be owned by
.Dq root ,
and have non-write permissions (644 or 755 depending on the kind of
file). No files should be owned or writable by
.Dq ftp
(possibly with exception for the
.Pa ~ftp/incoming ,
as specified below).
.Bl -tag -width "~ftp/pub" -offset indent .Bl -tag -width "~ftp/pub" -offset indent
.It Pa ~ftp .It Pa ~ftp
Make the home directory owned by The
.Dq root .Dq ftp
and unwritable by anyone. homedirectory should be owned by root.
.It Pa ~ftp/bin .It Pa ~ftp/bin
Make this directory owned by The directory for external programs (such as
.Dq root .Xr ls 1 ) .
and unwritable by anyone (mode 555). These programs must either be statically linked, or you must setup an
The program environment for dynamic linking when running chrooted.
.Xr ls 1 These programs will be used if present:
must be present to support the list command. .Bl -tag -width "locate" -offset indent
This program should be mode 111. .It ls
.It Pa ~ftp/etc Used when listing files.
Make this directory owned by .It compress
.Dq root When retrieving a filename that ends in
and unwritable by anyone (mode 555). .Pa .Z ,
The files and that file isn't present,
.Xr passwd 5 .Nm
will try to find the filename without
.Pa .Z
and compress it on the fly.
.It gzip
Same as compress, just with files ending in
.Pa .gz .
.It gtar
Enables retrieval of whole directories as files ending in
.Pa .tar .
Can also be combined with compression. You must use GNU Tar (or some
other that supports the
.Fl z
and and
.Fl Z
flags).
.It locate
Will enable ``fast find'' with the
.Ic SITE FIND
command. You must also create a
.Pa locatedb
file in
.Pa ~ftp/etc .
.El
.It Pa ~ftp/etc
If you put copies of the
.Xr passwd 5
and
.Xr group 5 .Xr group 5
must be present for the files here, ls will be able to produce owner names rather than
.Xr ls numbers. Remember to remove any passwords from these files.
command to be able to produce owner names rather than numbers.
The password field in
.Xr passwd
is not used, and should not contain real passwords.
The file The file
.Pa motd , .Pa motd ,
if present, will be printed after a successful login. if present, will be printed after a successful login.
These files should be mode 444.
.It Pa ~ftp/pub .It Pa ~ftp/pub
Make this directory mode 777 and owned by Traditional place to put whatever you want to make public.
.Dq ftp . .El
Guests
can then place files which are to be accessible via the anonymous If you want guests to be able to upload files, create a
account in this directory. .Pa ~ftp/incoming
directory owned by
.Dq root ,
and group
.Dq ftp
with mode 730 (make sure
.Dq ftp
is member of group
.Dq ftp ) .
The following restrictions apply to anonymous users:
.Bl -bullet
.It
Directories created will have mode 700.
.It
Uploaded files will have mode 000.
.It
These command are not accessible:
.Ic DELE , RMD , RNTO , RNFR ,
.Ic SITE UMASK ,
and
.Ic SITE CHMOD .
.It
Filenames must start with an alpha-numeric character, and consist of
alpha-numeric characters or any of the following:
.Li \&+
(plus),
.Li \&-
(minus),
.Li \&=
(equal),
.Li \&_
(underscore),
.Li \&.
(period), and
.Li \&,
(comma).
.El .El
.Sh FILES .Sh FILES
.Bl -tag -width /etc/ftpwelcome -compact .Bl -tag -width /etc/ftpwelcome -compact
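Review bot: the rewrite drops the explicit modes the old text gave (~ftp "unwritable by anyone", ~ftp/bin and ~ftp/etc mode 555, ls mode 111) and now only says the home directory "should be owned by root". The general rule at the top ("644 or 755 depending on the kind of file") covers files, but the directory modes need stating too: a writable ~ftp or ~ftp/etc lets an uploader replace motd or the passwd/group copies. Suggest keeping "owned by root, mode 555" on ~ftp, ~ftp/bin and ~ftp/etc, and saying what ~ftp/pub should be now that the 777/ftp-owned advice is gone (the guidelines above imply root-owned 755). The ~ftp/incoming recipe (root:ftp, mode 730, uploads created mode 000) is good and worth a one-line rationale: guests can write but cannot list or read back what others uploaded. Minor: "homedirectory" should be "home directory", "These command are not accessible" should be "These commands are not accessible", and "The following restrictions apply to anonymous users:" should start on a new paragraph (.Pp) rather than run on from the incoming description.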
@@ -343,7 +418,7 @@ Login access for Kerberos.
.El .El
.Sh SEE ALSO .Sh SEE ALSO
.Xr ftp 1 , .Xr ftp 1 ,
.Xr skey 1 , .Xr otp 1 ,
.Xr getusershell 3 , .Xr getusershell 3 ,
.Xr syslogd 8 , .Xr syslogd 8 ,
.Sh STANDARDS .Sh STANDARDS
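Review bot: the last SEE ALSO entry is ".Xr syslogd 8 ," immediately before ".Sh STANDARDS", so a trailing comma renders after the final item; drop it. Since this patch adds ".Xr locate 1" in the SITE command list, add locate(1) here alongside the new otp(1) reference.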