HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3 > Chapter 5 Remote Access Security Administration

Overview of Internet Services and Remote Access Services

This section provides brief descriptions of the authentication or authorization mechanism used by various Internet Services, and the security risks.

HP-UX Internet Services are documented in the HP-UX Internet Services Administrator's Guide and in Using HP-UX Internet Services at: http://www.docs.hp.com/en/netcom.html#Internet%20Services

Also see the HP-UX Remote Access Services Administrator's Guide at:

http://www.docs.hp.com/en/netcom.html#Internet%20Services

HP-UX Internet Services control access either through password verification or through authorization set up in a configuration file (such as $HOME/.rhosts or /etc/hosts.equiv). See Table 5-1 for a list of Internet Services components and the access verification or authorization mechanism each uses.

Table 5-1 Internet Services Components and Access Verification, Authorization, and Authentication

Internet Services Component
    Access Verification, Authorization, or Authentication Mechanism

ftp (file transfer)
    Password verification. Can also use the Kerberos authentication mechanism defined in /etc/inetsvcs.conf. See ftp(1).

rcp (remote copy)
    Entry in $HOME/.rhosts or /etc/hosts.equiv file. Can also use the Kerberos authentication mechanism defined in /etc/inetsvcs.conf. See rcp(1).

rdist (remote file distribution)
    Entry in $HOME/.rhosts or /etc/hosts.equiv file. See rdist(1).

remsh, rexec (execute from remote shell)
    Entry in $HOME/.rhosts or /etc/hosts.equiv file. Can also use the Kerberos authentication mechanism defined in /etc/inetsvcs.conf. See remsh(1).

rlogin (remote login)
    Password verification or entry in $HOME/.rhosts or /etc/hosts.equiv file. Can also use the Kerberos authentication mechanism defined in /etc/inetsvcs.conf. See rlogin(1).

telnet (remote login using TELNET protocol)
    Password verification. If the TAC User ID option is enabled by the telnetd daemon, telnet uses the $HOME/.rhosts or /etc/hosts.equiv file. See telnet(1) and telnetd(1M).

NOTE: Information (including passwords) is passed between the two systems in clear text and is not encrypted. Use Internet Services only between hosts that are well known and defined to each other, and only within a private internal network behind a firewall. When communicating over an untrusted network, secure the communications using IPSec or Kerberos.

Remote Access Services connect remote systems in a network. By default, the remote access services function in a nonsecure environment; to function in a secure environment, enable Kerberos V5 network authentication. In a nonsecure environment, you must have a login name and password to access a remote system, and the login name is not checked for authentication and authorization. In a secure environment, you need not have a login name and password: when you attempt to connect to a remote system, the Kerberos protocol checks whether the user is allowed to access that system.

Securing ftp

An unauthorized user might try to gain access to a system by using the ftp command. Following are some suggestions to prevent this problem:

  • Enable ftp logging by starting ftpd with the -l option (ftpd -l) in /etc/inetd.conf.

  • Review the ftp logs in /var/adm/syslog/syslog.log and /var/adm/syslog/xferlog for unusual remote access attempts.

    See syslogd(1M) and xferlog(5).

  • Deny ftp access to guest, root, and other accounts by listing them in /etc/ftpd/ftpusers.

    See ftpusers(4).

  • Regularly search and remove users' ~/.netrc files. The .netrc file contains login, password, and account information used by the ftp autologin process, by the rexec() library routine, and by the rexec command.

    See netrc(4).
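The following script is an added example (not part of the HP guide) that turns the checklist above into repeatable checks: it reports whether the ftp line in an inetd.conf starts ftpd with -l, lists .netrc files under a home-directory root, and counts failed ftp logins per remote host in a syslog file. All paths are arguments, so it runs here against constructed sample files; the syslog line shape ("FTP LOGIN FAILED FROM host [addr], user") is an assumption modelled on WU-FTPD messages and should be compared with your own /var/adm/syslog/syslog.log before relying on it.

```shell
#!/bin/sh
# Added audit helpers for the "Securing ftp" checklist (constructed example, not HP's code).
# Every function takes the file or directory to inspect as an argument.

# "yes" if an uncommented ftp service line in inetd.conf starts ftpd with an option
# group containing l (e.g. "ftpd -l"), otherwise "no".
ftpd_logging_enabled() {
    if grep -v '^[[:space:]]*#' "$1" | grep -E '^ftp[[:space:]]' \
         | grep -qE '[[:space:]]-[[:alpha:]]*l'; then
        echo yes
    else
        echo no
    fi
}

# .netrc files under a home-directory root, one path per line. This only reports;
# removal is a separate, deliberate step.
netrc_files() {
    find "$1" -type f -name .netrc 2>/dev/null | sort
}

# Remote hosts with more than N failed ftp logins in a syslog file.
# ASSUMPTION: failures are logged as "FTP LOGIN FAILED FROM <host> [<addr>], <user>".
failed_login_hosts() {
    log=$1; threshold=$2
    grep 'FTP LOGIN FAILED FROM' "$log" \
      | sed 's/.*FTP LOGIN FAILED FROM \([^ ]*\) .*/\1/' \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 > t { print $2 }'
}

# --- constructed sample data (stands in for the real files) -------------------
umask 022
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/home/alice" "$SAMPLE/home/bob"
printf 'machine ftp.example.test login alice password hunter2\n' > "$SAMPLE/home/alice/.netrc"

cat > "$SAMPLE/inetd.conf" <<'EOF'
# constructed inetd.conf: ftpd started WITHOUT logging
ftp    stream tcp nowait root /usr/lbin/ftpd    ftpd
telnet stream tcp nowait root /usr/lbin/telnetd telnetd
EOF
cat > "$SAMPLE/inetd_fixed.conf" <<'EOF'
# constructed inetd.conf: ftpd started with -l, as the guide recommends
ftp    stream tcp nowait root /usr/lbin/ftpd    ftpd -l
EOF

cat > "$SAMPLE/syslog.log" <<'EOF'
Jan  5 02:10:11 hpux1 ftpd[2231]: FTP LOGIN FAILED FROM badhost.example.test [192.0.2.10], root
Jan  5 02:10:14 hpux1 ftpd[2233]: FTP LOGIN FAILED FROM badhost.example.test [192.0.2.10], root
Jan  5 02:10:17 hpux1 ftpd[2235]: FTP LOGIN FAILED FROM badhost.example.test [192.0.2.10], guest
Jan  5 08:00:02 hpux1 ftpd[2401]: FTP LOGIN FAILED FROM ws7.example.test [192.0.2.77], alice
Jan  5 08:00:30 hpux1 ftpd[2402]: FTP LOGIN FROM ws7.example.test [192.0.2.77], alice
EOF

echo "ftpd logging (as shipped): $(ftpd_logging_enabled "$SAMPLE/inetd.conf")"
echo "ftpd logging (fixed):      $(ftpd_logging_enabled "$SAMPLE/inetd_fixed.conf")"
echo ".netrc files found:";  netrc_files "$SAMPLE/home"
echo "hosts with >2 failed logins:"; failed_login_hosts "$SAMPLE/syslog.log" 2
```

On a real system the calls become ftpd_logging_enabled /etc/inetd.conf, netrc_files /home and failed_login_hosts /var/adm/syslog/syslog.log N; the threshold is a local policy choice, and the same host appearing with several account names is usually more interesting than the raw count.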

Securing Anonymous ftp

If a $HOME/.rhosts file is put into /home/ftp, then an unauthorized user could use rlogin to log in as the user, ftp. The .rhosts file specifies hosts and users that are allowed access to a local account using rcp, remsh, or rlogin without a password. For more information, see hosts.equiv(4).

Following are some suggestions for making anonymous ftp more secure:

  • Make sure that neither /home/ftp nor any of its children is writable:

    $ chmod -R a-w /home/ftp

  • Make sure that the ftp entry in /etc/passwd is correctly configured:

    ftp:*:500:100:Anonymous FTP user:/var/ftp:/usr/bin/false

  • Make sure that all passwords in ~ftp/etc/passwd are asterisks (*):

    $ more ~ftp/etc/passwd
    root:*:0:3::/:/usr/bin/false
    daemon:*:1:5::/:/usr/bin/false

  • If you must have a writable pub directory, use 1733 permissions:

    $ chmod 1733 /home/ftp/pub

  • Use disk quotas or a cron job to control the size of /home/ftp/pub:

    0 1 * * * find /home/ftp/pub/* -atime +1 -exec rm -rf {} \;

  • Check anonymous ftp activity in /var/adm/syslog/syslog.log:

    $ tail /var/adm/syslog/syslog.log
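The script below is an added example (not from the HP guide) that checks an anonymous ftp tree against the list above: entries writable by group or other, password fields in ~ftp/etc/passwd that are not an asterisk, whether pub has exactly mode 1733, and the nightly clean-up as a function with the -exec that the cron line needs. The tree root is an argument, so it runs here against a constructed sample under a temporary directory (with two deliberate mistakes planted) and on a real system against /home/ftp.

```shell
#!/bin/sh
# Added checks for an anonymous ftp tree (constructed example, not HP's code).

# Entries under the tree writable by group or other. Apart from a deliberately
# writable pub directory, this should print nothing.
writable_entries() {
    find "$1" \( -perm -020 -o -perm -002 \) -print 2>/dev/null | sort
}

# Account names in a passwd-format file whose password field is not "*".
unlocked_accounts() {
    awk -F: '$2 != "*" { print $1 }' "$1"
}

# "yes" if the directory's mode is exactly 1733 (sticky; group and other may
# create but not list), otherwise "no".
pub_mode_ok() {
    if [ -n "$(find "$1" -prune -perm 1733 -print 2>/dev/null)" ]; then
        echo yes
    else
        echo no
    fi
}

# The guide's cron job as a function: remove entries directly under pub that have
# not been accessed for more than N days, printing each path removed.
expire_pub() {
    pub=$1; days=$2
    find "$pub"/* -atime +"$days" -prune -print -exec rm -rf {} \; 2>/dev/null
    return 0
}

# --- constructed sample tree ---------------------------------------------------
umask 022
SAMPLE=$(mktemp -d)
FTPROOT=$SAMPLE/ftp
mkdir -p "$FTPROOT/etc" "$FTPROOT/pub"
printf 'root:*:0:3::/:/usr/bin/false\n'   >  "$FTPROOT/etc/passwd"
printf 'daemon:*:1:5::/:/usr/bin/false\n' >> "$FTPROOT/etc/passwd"
# deliberate mistake: a password field that is not "*"
printf 'ftp:x:500:100:Anonymous FTP user:/var/ftp:/usr/bin/false\n' >> "$FTPROOT/etc/passwd"
printf 'old upload\n' > "$FTPROOT/pub/old.tar"
chmod 666 "$FTPROOT/pub/old.tar"                  # deliberate mistake: world-writable file
touch -a -t 200001010000 "$FTPROOT/pub/old.tar"   # pretend nobody has read it in years
printf 'fresh\n' > "$FTPROOT/pub/new.txt"
chmod 1733 "$FTPROOT/pub"

echo "writable entries:";  writable_entries "$FTPROOT"
echo "unlocked accounts:"; unlocked_accounts "$FTPROOT/etc/passwd"
echo "pub mode 1733: $(pub_mode_ok "$FTPROOT/pub")"
echo "expired from pub:";  expire_pub "$FTPROOT/pub" 1
```

The writable check lists pub itself, because 1733 grants group and other write; that is the one expected exception, and anything else it prints is a finding. Run the expiry with a harmless days value first and read the printed paths before trusting it to cron.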

Denying Access Using /etc/ftpd/ftpusers

The inetd daemon runs the file transfer protocol server, ftpd, when a service request is received at the port indicated in /etc/services. The ftpd server rejects remote logins to local user accounts which are listed in /etc/ftpd/ftpusers. These user accounts are known as restricted accounts. See ftpd(1M), privatepw(1), and services(4).

In the /etc/ftpd/ftpusers file, each restricted account name must appear by itself on a line. Also add user accounts with restricted login shells that are defined in /etc/passwd, because ftpd accesses local accounts without using their login shells.

If /etc/ftpd/ftpusers does not exist, ftpd does not perform a security check. For more information, see ftpusers(4).
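As an added example (not HP's code), the following script derives the accounts that the text says belong in /etc/ftpd/ftpusers, root, guest and every account whose login shell is not listed in the shells file, and reports which of them are missing from an existing ftpusers file. If the ftpusers file does not exist, every candidate is reported, which mirrors the fact that ftpd then performs no check at all. The passwd, shells and ftpusers paths are arguments, so it runs here against constructed samples.

```shell
#!/bin/sh
# Added helper for maintaining /etc/ftpd/ftpusers (constructed example, not HP's code).

# Accounts that should be restricted: root and guest (named in the guide) plus
# every account whose login shell is not an interactive shell in the shells file.
#   $1 = passwd file, $2 = shells file
ftpusers_candidates() {
    {
        printf 'root\nguest\n'
        awk -F: -v shells="$2" '
            BEGIN { while ((getline line < shells) > 0)
                        if (line !~ /^#/ && line != "") ok[line] = 1 }
            !($7 in ok) { print $1 }' "$1"
    } | sort -u
}

# Candidates absent from the ftpusers file, one per line. Each restricted name
# must appear by itself on a line, so whole-line matching (-x) is used.
#   $1 = passwd file, $2 = shells file, $3 = ftpusers file
ftpusers_missing() {
    if [ ! -f "$3" ]; then
        ftpusers_candidates "$1" "$2"     # no file: nothing is restricted
        return 0
    fi
    ftpusers_candidates "$1" "$2" | while read -r name; do
        grep -qx "$name" "$3" || echo "$name"
    done
}

# --- constructed sample files ---------------------------------------------------
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:3::/:/sbin/sh
daemon:*:1:5::/:/usr/bin/false
bin:*:2:2::/usr/bin:/usr/bin/false
alice:x:101:20::/home/alice:/usr/bin/ksh
EOF
cat > "$SAMPLE/shells" <<'EOF'
# constructed shells file
/sbin/sh
/usr/bin/sh
/usr/bin/ksh
/usr/bin/csh
EOF
printf 'root\nguest\n' > "$SAMPLE/ftpusers"   # only the two obvious names so far

echo "candidates:"; ftpusers_candidates "$SAMPLE/passwd" "$SAMPLE/shells"
echo "missing from ftpusers:"; ftpusers_missing "$SAMPLE/passwd" "$SAMPLE/shells" "$SAMPLE/ftpusers"
```

On a real system the arguments are /etc/passwd, /etc/shells and /etc/ftpd/ftpusers; review the reported names before appending them, since ftpusers(4) governs what ftpd does with each entry.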

On HP-UX 11i, the ftpd daemon is based on WU-FTPD. WU-FTPD is the HP implementation of the ftpd daemon developed at Washington University. WU-FTPD includes increased access control, enhanced logging capabilities, virtual hosts support, and RFC1413 (Identification Protocol) support. For more information, see the HP-UX Remote Access Services Administrator's Guide at:

http://www.docs.hp.com/en/netcom.html#Internet%20Services

Other Security Solutions for Spoofing

Spoofing is a method of pretending to be a valid user or host to gain unauthorized access to a system. Because IP addresses and hostnames can be spoofed, using the /var/adm/inetd.sec security file for inetd (the internet daemon) is not a guaranteed security solution. See Section  for information about inetd.

The following security features or products are alternative security solutions:

© 2008 Hewlett-Packard Development Company, L.P.