Kerberos Compatibility

This page describes how to setup SafeTP and Kerberos so they can share the same port (e.g. port 21, the usual FTP server port).


Kerberos ( is a security system with some goals in common with SafeTP, and others not in common. The drawback to Kerberos is that Kerberos requires acquisition of "tickets", which is typically not convenient under operating systems other than unix. The advantage of Kerberos is its much wider scope -- SafeTP only secures FTP connections, whereas Kerberos has secure telnet, among other things. But once in use, SafeTP and Kerberos offer comparable security, and so it is reasonable to run them together.

The basic approach is for the SafeTP server (sftpd) to recognize that an incoming connection is intended for Kerberos' ftpd (hereafter: kftpd), and hand the connection to kftpd for processing.

Ideally, sftpd could simply relay data between the client and kftpd, similarly to how it operates with the default ftpd. However, Kerberos' FTP protocol includes port checks that preclude this. Therefore, the solution adopted is to exec(2) kftpd in place of sftpd, thereby inheriting sftpd's sockets (and ports).

This requires a patch to kftpd, to synchronize the client and server protocol streams. sftpd then needs to be told where to find this patched binary.

Patching kftpd

Note: The patch described was created as a diff from Kerberos version 5, sub-version 1.0.6, and is not (yet) known to work with other releases. If you find you need to use another version, let me (scott) know.

In your Kerberos v5 distribution, kftpd is in src/appl/gssftp/ftpd. Locate this directory, and verify ftpd.c is in it. You should already have built the distribution once (i.e., an ftpd binary should be in the directory). If not, do so now -- this will ensure the Makefiles etc. are in working order before we start mucking with things.

Apply this patch. Save it to a file (right-click, save link as...). Then feed it to patch(1) like this:

  shell-prompt$ patch < kerb-patch.txt
(do this in the ftpd directory).

If the patch worked, you ought to be able to rebuild (k)ftpd:

  shell-prompt$ make
With luck you now have a kftpd binary (called ftpd) that understands the -S switch.

Install SafeTP

Follow the usual instructions (install.txt) for installing SafeTP. Install it onto port 21 (or wherever you want it), supplanting whatever was listening to 21 (including kftpd).

Put kftpd someplace

Copy the newly-created kftpd binary to someplace where sftpd will be able to execute it. Since you'll be making kftpd setuid-root, the most prudent option is to create a special directory inside safetp's directory. E.g.:

  shell-prompt# cd /home/safetp
  shell-prompt# mkdir kerb
  shell-prompt# chown safetp.daemon kerb
  shell-prompt# chmod 700 kerb
  shell-prompt# cd kerb
  shell-prompt# cp /WHEREVER/krb5/src/appl/gssftp/ftpd/ftpd ./kftpd
  shell-prompt# chown root.root kftpd
  shell-prompt# chmod 4755 kftpd
  shell-prompt# ls -ld . kftpd
  drwx------   2 safetp   daemon       1024 Nov 11 04:25 ./
  -rwsr-xr-x   1 root     root       607910 Nov 11 04:25 kftpd*

This makes the modified (and setuid-root) kftpd available only to the safetp user. I'm not aware of any problems with a generally-available setuid-root kftpd, but why take chances?

Modify sftpd's config

Now we need to tell sftpd where to find kftpd. Find the line of /etc/inetd.conf which looks like this:

  safetp    	stream	tcp	nowait	safetp	/home/safetp/sftpd sftpd -f351 -s -y/home/safetp
and add the -K switch, specifying the location of the modified kftpd as its argument (this is all one line, if your browser wraps it):
  safetp    	stream	tcp	nowait	safetp	/home/safetp/sftpd sftpd -f351 -s -y/home/safetp -K/home/safetp/kerb/kftpd

Save the file, and send the HUP signal to inetd:

  shell-prompt# killall -HUP inetd
killall works under Linux; it might not on your system. See kill(1).

Test the install

Run Kerberos' ftp (get a ticket first!), and connect to SafeTP's port (usually 21):
  shell-prompt$ ftp myhost
  Connected to FTP server (Version wu-2.4.2-VR16(1) Sun May 9 20:10:03 CDT 1999) ready.
  220-*** This server can accept secure (encrypted) connections. ***
  220 *** See for info. ***
  334 Ah, you want Kerberos.  I'll go get him (it?)... (send security data)
  GSSAPI accepted as authentication type
  GSSAPI authentication succeeded
  Name (myhost:scott):
  232 GSSAPI user scott@MYHOST.MYREALM.ORG is authorized as scott
  230 User scott logged in.
  Remote system type is UNIX.
  Using binary mode to transfer files.

Also test with sftpc to verify the SafeTP side is still working.

If all goes well, you're done! Users should be able to connect to your server and see both SafeTP or Kerberos, depending on which client software they're using.


Here are some general ideas: Still doesn't work? Drop me a line:


kftpd has a bug: it looks for GSSAPI with case-sensitivity, whereas RFC 2228 specifically specifies case-insensitivity. This is a minor point, but I don't have another good place to make note of this..