
FTP advanced configuration

Standard authentication

PAM authentication

Using PAM (Pluggable Authentication Module) to control File Transfer Protocol (FTP) access

The procedure below illustrates how to control FTP access using PAM configuration:

01. Log in to your AIX system as root.

02. Create users “mash1” and “mash2” and assign passwords:
  # mkuser mash1
  # mkuser mash2
  # passwd mash1
  # passwd mash2

03. In another window, log in to your AIX system as “mash1” and change the initial password as directed, then do the same for the “mash2” user. The example below shows the process:
  login: mash1
  mash1's Password: <Enter initial password>
  [compat]: You are required to change your password. Please choose a new one.
  mash1's New password: <Enter new password>
  Re-enter mash1's new password: <Enter new password>

04. Return to your root session. Use the lssec command to determine the current setting of the auth_type parameter:
  # lssec -f /etc/security/login.cfg -s usw -a auth_type
  usw auth_type=STD_AUTH

05. Use the chsec command to enable PAM authentication for all users:
  # chsec -f /etc/security/login.cfg -s usw -a auth_type=PAM_AUTH

06. Use the lssec command again to verify that auth_type has changed from STD_AUTH to PAM_AUTH:
  # lssec -f /etc/security/login.cfg -s usw -a auth_type
  usw auth_type=PAM_AUTH

07. Back up the default PAM configuration file /etc/pam.conf to /etc/pam.conf.old:
  # cp /etc/pam.conf /etc/pam.conf.old

08. Edit the PAM configuration file /etc/pam.conf with vi, and add the two lines below under the Authentication paragraph:
  ftp auth required /usr/lib/security/pam_permission file=/etc/ftpusers
  ftp auth required /usr/lib/security/pam_aix

09. Create the file /etc/ftpusers, which allows or prohibits authentication based on its content. It should contain a list of user and/or group entries in the appropriate format, one entry per line, prefixed with + to allow or - to deny. Add the following contents to /etc/ftpusers:
  -mash1
  +mash2
  +ALL

10. Test FTP sessions using the “mash1” and “mash2” users:
  $ ftp aix.test.egypt
  Connected to ftp aix.test.egypt
  220 ftp aix.test.egypt FTP server (Version 4.2 Mon Mar 14 13:05:32 CDT 2016) ready.
  Name (ftp aix.test.egypt): mash1
  331 Password required for mash1.
  Password:*
  530 Login incorrect.          <== Login failed.
  Remote system type is UNIX.
  Using binary mode to transfer files.

  $ ftp aix.test.egypt
  Connected to ftp aix.test.egypt.
  220 ftp aix.test.egypt FTP server (Version 4.2 Mon Mar 14 13:05:32 CDT 2016) ready.
  Name (ftp aix.test.egypt): mash2
  331 Password required for mash2.
  Password:*
  230-Last login: Thu Dec 15 05:06:05 2016 on /dev/pts/1 from 10.10.10.10
  230 User mash2 logged in.
  Remote system type is UNIX.
  Using binary mode to transfer files.

11. If you want to restore your old PAM configuration and standard AIX authentication, do the following:
  # cp /etc/pam.conf.old /etc/pam.conf
  # chsec -f /etc/security/login.cfg -s usw -a auth_type=STD_AUTH
  # lssec -f /etc/security/login.cfg -s usw -a auth_type
  usw auth_type=STD_AUTH
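As an added example that is not part of the original page, the POSIX sh function below replays the decision pam_permission makes on an /etc/ftpusers-style list, so an access list can be checked before auth_type is switched to PAM_AUTH. It assumes (this is not stated on the page) that entries are [+|-]user, [+|-]@group or [+|-]ALL, that the first matching line wins, and that a user matching no line is denied; the sample list and user names are constructed.

```shell
#!/bin/sh
# Added example (not from the page): simulate pam_permission's decision on an
# /etc/ftpusers-style file. Assumed rules: entries are [+|-]user, [+|-]@group
# or [+|-]ALL, one per line; the first matching line wins; no match means deny.

# ftp_access FILE USER [GROUPS]  -> prints "allow" or "deny"
# GROUPS is a space-separated list of the user's group names (constructed
# input here; on a live system you would take it from the id command).
ftp_access() {
    file=$1; user=$2; groups=${3:-}
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # drop trailing comment
        line=$(printf '%s' "$line" | tr -d ' \t')     # drop whitespace
        [ -z "$line" ] && continue
        sign=$(printf '%s' "$line" | cut -c1)
        name=$(printf '%s' "$line" | cut -c2-)
        case "$sign" in '+'|'-') ;; *) continue ;; esac   # malformed: skip
        match=0
        case "$name" in
            ALL) match=1 ;;
            @*)  for g in $groups; do [ "$g" = "${name#@}" ] && match=1; done ;;
            *)   [ "$name" = "$user" ] && match=1 ;;
        esac
        if [ "$match" -eq 1 ]; then
            [ "$sign" = "+" ] && echo allow || echo deny
            return 0
        fi
    done < "$file"
    echo deny                                         # no entry matched
}

# Constructed sample list with the same entries as the page's /etc/ftpusers.
sample=$(mktemp)
printf '%s\n' '-mash1' '+mash2' '+ALL' > "$sample"
for u in mash1 mash2 someone; do
    printf '%s: %s\n' "$u" "$(ftp_access "$sample" "$u")"
done
rm -f "$sample"
```

Because the first match wins, putting +ALL above -mash1 would let mash1 in; the function makes that ordering mistake visible before the list is deployed.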

aix/ftp_advanced_config.txt · Last modified: 2021/01/01 21:24 (external edit)