install.txt version 1.09

Installation instructions for sftpd
-----------------------------------

These instructions set up sftpd to intercept all normal ftp traffic and
secure the connections made by secure (SafeTP) clients.

Following all of these instructions will require root access (though the
daemon itself does not run as root). However, a limited form of sftpd
(specifically, one where it listens on a nonstandard, unprivileged port)
may be installed without root access.

1. Create 'safetp' user.

Create a 'safetp' user, in whose name the sftpd daemon will run. On
Linux, this is accomplished through the 'adduser' program; it might be
called "useradd" elsewhere.

safetp's home directory must be on the local disk. Sensitive information
is stored there, and it is a serious security risk for this information
to go over the network in the clear. Make sure read and write access to
this directory is limited to just its owner.

If your system has provisions for giving certain users even *less*
authority than normal users, you may want to so limit 'safetp'. safetp
only needs to be able to read and write files in its home directory (and
the DSA subdirectory thereof), make outgoing TCP connections, and listen
on unprivileged TCP ports.

The actual name of the created user can be anything.

2. Compile the binaries.

At UCB, in the CS dept., the binaries should already be available, in
/usr/sww/pkg/safetp. Skip to step 3. Otherwise, see compile.txt.

3. Run the install script.

As root, run:

  # sc/install.pl

If all goes well, you're done. If not, there are some troubleshooting
tips in trouble.txt.

------------------------------------------------------------------
------ Manual install instructions -------------------------------
------------------------------------------------------------------

These instructions should be unnecessary, as the 'install' script
supersedes them. They may also be somewhat out of date.
They are here to give a (more) readable account of what the install
script does, and some additional info on troubleshooting, etc.

Note on naming: The daemon for SafeTP is called 'sftpd'. "sftp" is,
however, the name of some unrelated service, usually at port 115. I will
use the term "sftpd" when referring to the SafeTP daemon program,
"SafeTP" when referring to the system as a whole, and "safetp" to refer
to the user we recommend you create and to the name of the service sftpd
will query to determine a port number to listen on. Outside this
paragraph, I am never referring to the port-115 "sftp". (In this
document, "quotes" refer to the string of characters, and 'ticks' refer
to the entity named.)

Permissions summary after installation is complete:

  NOTE: All files must be owned by 'safetp'.

                               min for safetp      safe,
                               operation           convenient
  ~safetp                      drwx------          drwxr-xr-x
  ~safetp/randomSeed           -rw-------          -rw-------
  ~safetp/DSA                  drwx------          drwx--x--x
  ~safetp/DSA/private.key      -rw-------          -rw-------
  ~safetp/DSA/public.key       -rw-------          -rw-r--r--
  (wherever)/public.key.txt    (not needed)        -rw-r--r--

1. Set up the binaries.

1.1 (OPTIONAL) Create a 'safetp' user, in whose name the sftpd daemon
will run. On Linux, this is accomplished through the 'adduser' program
(same on most Unix?). Make sure read and write access to its home
directory is limited to just its owner.

If your system has provisions for giving certain users even *less*
authority than normal users, you may want to so limit 'safetp'. safetp
only needs to be able to read and write files in its home directory (and
the DSA subdirectory thereof), make outgoing TCP connections, and listen
on unprivileged TCP ports.

The actual name of the created user can be anything.

It may be useful to add 'safetp' to the 'daemon' group, so its files can
be marked with this group, rather than 'users'.
This is done by modifying the /etc/group file (more complicated on yp
systems, I don't know the details), adding "safetp" to the "daemon"
line, and changing the default group of "safetp" in /etc/passwd. This is
a security measure; it is not required for functionality.

If you're at U.C. Berkeley, you can use the prebuilt binaries; go to
step 1.2(b). Otherwise, go to step 1.2(a).

1.2(a) Copy the sftpd sources into ~safetp, and build them. See
compile.txt.

1.2(b) Copy the sftpd binaries from sww to the local disk. The sftpd
binaries are in /usr/sww/pkg/safetp. The important binaries are:

  sftpd       the daemon proxy itself
  makekeys    for creating new keys
  viewkey     for viewing keys and checksums
  addent      for manually adding entropy
  sftpc       the unix client

1.3 Make a new server keypair.

From ~safetp, while logged in as the safetp user, do this:

  % makekeys 0 1024

This will ask you for a server name to "brand" the public key, then to
type a bunch of characters to add entropy to the system. (The dots have
to get most of the way across the screen; it takes a minute or so.)

In this process, you are creating a new DSA (Digital Signature
Algorithm) public and private key. makekeys is also capable of
generating ElGamal keys, but the server does not need to have its own
ElGamal keys (that is why the 1st param is "0").

The DSA keys are stored in the DSA subdirectory, as DSA/public.key and
DSA/private.key. The public key should be made available; the private
key must be kept secret.

To make the public key available to users out-of-band, this is the
recommended procedure (from ~safetp):

  % viewkey DSA/public.key > DSA/public.key.txt
  % chmod a+r DSA/public.key.txt
  % chmod a+x DSA

Then, some system-wide information service (motd, perhaps) can point
users to ~safetp/DSA/public.key.txt .

This process also writes the state of its pseudo-random number generator
to a file called "randomSeed".
The contents of this file must also be kept secret, and 'safetp' must
always have permission to overwrite this file.

1.4 (OPTIONAL) Test sftpd.

While logged in as an ordinary user (not safetp or root), create a set
of client keys:

  % makekeys 1024 0
  (more entropy typing required....)

Run sftpd in a shell window, with privileges to access randomSeed and
DSA/{public,private}.key :

  # sftpd -p2123 -f21

Run sftpc in the shell window where you just created client keys:

  % sftpc -p2123

(Supply the -s argument if the host is nonlocal.) Enter your username
and password at the next two prompts. Then, once you get the "sftpc>"
prompt, type these things:

  1. tests        // should end with "(files are identical)" printed
  2. quit

If all goes well, no exceptions will be thrown.

2. Modify system configuration files.

2.1 Modify /etc/services so sftpd listens on 21 and ftpd is elsewhere.

/etc/services maps port numbers to named services. Find a line in this
file like this:

  ftp        21/tcp

Modify it (adding "safetp" as an alias), and add another:

  ftp        21/tcp    safetp
  raw-ftp    221/tcp

Here, 221 is where I've put ftpd. It can be any value, but it should not
collide with preexisting port number conventions, and it should be less
than 1024, so ordinary user processes cannot masquerade as ftpd.

There is a potential problem here if 'ftpd' is run as a stand-alone
daemon instead of by inetd. Since ftpd, in this mode, queries
getservbyname for "ftp", it will listen on the same port as sftpd. At
this time, I don't know a good workaround (other than the next
paragraph).

It is possible to run sftpd on a port other than 21, but in that case
users would have to explicitly tell their clients which port to use,
thereby reducing the likelihood of use.

2.2 Modify /etc/inetd.conf to run sftpd in response to a connect on
port 21.

2.2.1 Add 'sftpd'.
Add a line like this (it is split onto two lines here for readability;
it is a single line in the file):

  safetp  stream  tcp  nowait  safetp  /home/safetp/sftpd
          sftpd -s -y/home/safetp

The "-s" is critical; it tells sftpd it's being run by inetd. Other
options can be viewed by running "sftpd -h".

Note that inetd.conf *includes* argv[0], which is why the first
argument is "sftpd".

The "-y" changes sftpd's current directory. This should be the
directory of which DSA is a subdirectory, and where randomSeed lives.
(On some systems, it is redundant; on others, it is required.)

Note: For maximum security, you can disable the 959 dropdown (the
fallback to plain, unencrypted RFC 959 ftp) by supplying the "-9" option
to sftpd. Doing so disallows insecure connections.

2.2.2 Modify 'ftpd'.

Change the existing ftpd line, so it is run in response to a connect on
the 'raw-ftp' port instead of the 'ftp' port:

  raw-ftp  stream  tcp  nowait  root  /usr/sbin/tcpd  wu.ftpd

(This is a line from my Linux inetd.conf, which by default uses tcpd for
connection logging and control. sftpd is also compatible with tcpd,
though in my examples I've not been using it.)

2.2.3 Prod inetd to re-read inetd.conf.

You'll then have to cause inetd to re-read its configuration file. This
is done by sending the "HUP" signal to it. On Linux, this is easy:

  # killall -HUP inetd

2.3 (OPTIONAL) Modify /etc/syslog.conf, if desired.

sftpd generates syslog messages while running. All messages are of the
'daemon' facility. Routine logging is in the 'info' class, and if the
"-d" switch is specified, additional detail is logged in the 'debug'
class. Logging of file-level info, like per-transfer logs, is left to
ftpd (since it will be involved in every file transfer, as usual).
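As an added example (this is not part of the SafeTP distribution and was
not in the original document), the following POSIX shell script checks a
manual installation against the permissions summary above and against the
/etc/services and inetd.conf edits of steps 2.1 and 2.2. It assumes GNU
coreutils "stat -c" (with a BSD "stat -f" fallback), awk, and an
inetd.conf whose user field is a plain user name; the file paths are
parameters so the checks can be run against copies before the live files
are touched.

```sh
#!/bin/sh
# Post-install checks for a manual sftpd installation. Example code added
# to this document; it is not part of the SafeTP distribution.
# Assumptions: GNU "stat -c" (BSD "stat -f" as fallback), awk, and an
# inetd.conf whose user field is a plain user name (no "user.group").

mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
uid_of()   { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }

# check_safetp_home HOME OWNER   (OWNER is a user name or numeric uid)
# Enforces the permissions summary: everything owned by OWNER, nothing
# writable by group/other, and randomSeed/private.key readable by the
# owner only. Prints one line per problem; returns 0 when all is well.
check_safetp_home() {
    home=$1; owner=$2; rc=0
    uid=$(id -u "$owner" 2>/dev/null || echo "$owner")
    for f in "$home" "$home/randomSeed" "$home/DSA" \
             "$home/DSA/private.key" "$home/DSA/public.key"; do
        if [ ! -e "$f" ]; then echo "missing: $f"; rc=1; continue; fi
        [ "$(uid_of "$f")" = "$uid" ] \
            || { echo "not owned by $owner: $f"; rc=1; }
        m=$(mode_of "$f")
        go=${m#"${m%??}"}            # last two octal digits: group, other
        case "$f" in
            */randomSeed|*/private.key)
                [ "$go" = "00" ] \
                    || { echo "must be owner-only (mode $m): $f"; rc=1; } ;;
            *)  case "$go" in        # any write bit for group/other
                    *[2367]*) echo "group/other writable (mode $m): $f"; rc=1 ;;
                esac ;;
        esac
    done
    return $rc
}

# check_services SERVICES
# Step 2.1: "ftp 21/tcp" must carry the "safetp" alias, and "raw-ftp"
# must sit on a tcp port below 1024 that no other service uses.
check_services() {
    svc=$1; rc=0
    awk '$1=="ftp" && $2=="21/tcp" { for (i=3;i<=NF;i++) if ($i=="safetp") ok=1 }
         END { exit (ok ? 0 : 1) }' "$svc" \
        || { echo "ftp 21/tcp lacks the safetp alias"; rc=1; }
    port=$(awk '$1=="raw-ftp" && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2; exit }' "$svc")
    [ -n "$port" ] || { echo "no raw-ftp tcp entry"; return 1; }
    [ "$port" -lt 1024 ] \
        || { echo "raw-ftp port $port is unprivileged: any user could bind it"; rc=1; }
    dup=$(awk -v p="$port/tcp" '$1!="raw-ftp" && $2==p { print $1; exit }' "$svc")
    [ -z "$dup" ] || { echo "raw-ftp port $port collides with service $dup"; rc=1; }
    return $rc
}

# check_inetd INETD_CONF
# Step 2.2: no entry may still claim 'ftp' (sftpd owns port 21 now), the
# plain ftpd must be on 'raw-ftp', and the 'safetp' entry must run as
# the safetp user with -s.
check_inetd() {
    conf=$1; rc=0
    if awk '$1=="ftp" { bad=1 } END { exit (bad ? 0 : 1) }' "$conf"; then
        echo "inetd.conf still has an 'ftp' entry"; rc=1
    fi
    awk '$1=="raw-ftp" && $3=="tcp" { ok=1 } END { exit (ok ? 0 : 1) }' "$conf" \
        || { echo "no raw-ftp entry for the plain ftpd"; rc=1; }
    line=$(awk '$1=="safetp" && $3=="tcp" { print; exit }' "$conf")
    [ -n "$line" ] || { echo "no safetp entry for sftpd"; return 1; }
    set -- $line        # service type proto wait user program argv...
    [ "$5" = "safetp" ] || { echo "sftpd entry runs as '$5', not safetp"; rc=1; }
    case " $* " in
        *" -s "*) ;;
        *) echo "sftpd entry lacks -s (required when run from inetd)"; rc=1 ;;
    esac
    return $rc
}
```

Run it as root after the manual install, e.g. "check_safetp_home
/home/safetp safetp; check_services /etc/services; check_inetd
/etc/inetd.conf". Both columns of the permissions summary pass; the
checker rejects any group/other write bit, a world- or group-readable
randomSeed or private.key, and a raw-ftp port of 1024 or above, since a
port that any user can bind defeats the point made in step 2.1.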