INSTALL.TXT
Installation instructions for sftpd (with winetd)
------------------------------------------------------------

These instructions set up sftpd to intercept all normal FTP traffic and
secure the connections made by secure (SafeTP) clients. Following all of
these instructions will require administrator access on Windows NT/2000.

Once sftpd is installed, you will be able to FTP securely to your server
using the SafeTP client software. The SafeTP client software can be
downloaded for free from:

    http://safetp.cs.berkeley.edu/

These instructions assume you have already downloaded BOTH winetd and
sftpd from the above webpage.

IMPORTANT: Winetd _requires_ SafeTP Server v1.42 or better - the latest
version can be downloaded from the above URL.


1. Installing the Inetd Binaries

1.1 Choose an inetd program

sftpd requires an inetd program that listens for incoming connections
and launches sftpd when a client tries to connect. The recommended inetd
program is winetd, which is available for free download from the SafeTP
webpage (you probably already have it if you're reading this).

Alternatively, you can also use the inetd program that is packaged with
Hummingbird Exceed 6.x - for instructions on using Hummingbird Inetd
instead, see HCLinetd.txt in the sftpd distribution. The rest of this
document assumes you're using winetd.

1.2 Unzip the winetd files into a directory

Create a directory on your hard drive for winetd and unzip or copy the
inetd files into it. From here on, we assume this directory is called
"C:\winetd".

We recommend that write access to this directory is limited to just
administrators (assuming the drive is an NTFS partition).

Note that the drive should be an unmapped physical local drive. This is
because the SYSTEM user (which the daemon runs as) will not have drive
mappings available to it.

The important winetd binaries are:

    winetcfg.exe    the winetd configuration GUI
    winetd.exe      the actual inetd service executable (should never be
                    run directly by users)
    winetlib.dll    a library used by daemons like sftpd that interface
                    with winetd (should be copied to the directory
                    containing the daemon or placed in your system
                    directory)

1.3 Set up winetd

To set up winetd, run the WINETCFG.EXE program from the installation
directory. Press the "browse" button and select the winetd.exe file.
Press the "install" button and then the "start" button to start the
service. You should set the start type to "automatic" so that the
service gets loaded automatically on bootup.

Winetd is now installed as a regular NT service, and you can also
control its behavior from the usual "Services" applet in the NT control
panel. However, you'll still need to use this configuration program to
configure which network services to place on which TCP/IP ports.


2. Installing the sftpd Binaries

2.1 Unzip the sftpd files into a directory

Create a directory on your hard drive for sftpd and unzip or copy the
sftpd files into it. From here on, we assume this directory is called
"C:\sftpd".

We recommend that write access to this directory is limited to just
administrators (assuming the drive is an NTFS partition).

Note that the drive should be an unmapped physical local drive. This is
because the SYSTEM user (which the daemon runs as) will not have drive
mappings available to it.

The important sftpd binaries are:

    sftpd.exe       the daemon proxy itself
    sftpc.exe       a secure command-line client
    makekeys.exe    for creating new keys
    viewkey.exe     for viewing keys and checksums
    hcllib.dll      a library used to interface with Hummingbird inetd
    winetlib.dll    a library used to interface with Winetd
    libgmp.dll      the GNU MP crypto library

2.2 Make a new server keypair

From c:\sftpd, while logged in as administrator, run this command:

    c:\sftpd> makekeys 0 1024

This will ask you for a server name to "brand" the public key, then to
type a bunch of characters to add entropy to the system. (The dots have
to get most of the way across the screen; it takes a minute or so.)

In this process, you are creating a new DSA (Digital Signature
Algorithm) public and private key. makekeys is also capable of
generating ElGamal (client) keys, and by default will now also create
them for the SYSTEM user (they are ignored if the SafeTP client software
is not installed on your machine).

The DSA keys are stored in a protected area of the registry where only
administrators and the daemon can see them. Note that if your Windows
directory is on a FAT partition, these keys may be visible to anyone.

The public key should be made available to users, but the private key
must be kept secret in order to assure system security. To make the
public key available to users out-of-band, this is the recommended
procedure (from c:\sftpd):

    c:\sftpd> viewkey DSA/public.key > pubkey.txt

This will place a copy of the public key in the file pubkey.txt, in a
format suitable for distribution to users of the SafeTP client software.


3. Modify Inetd Configuration

3.1 Enable ftpd and make it listen on a new port

SafeTP server requires that _some_ insecure, "legacy" FTP server be
installed on the same system to act as the "host" FTPd (because the
server, like the client, is just a proxy - it adds security to an
existing FTP daemon, which handles most of the "real" file work). There
are many such FTPd programs available, both freely and commercially on
the web (examples include wuFTPD, WarFTPD, Microsoft IIS, WSFTPD,
Hummingbird ftpd, etc.).

In order to use SafeTP server to secure FTP, you need to place your
legacy FTP server on a new, non-standard port (say port 351) so that
SafeTP server can receive the incoming client connections on the
standard FTP port (port 21) and redirect them to your server.

The configuration procedure for each FTPd program is different; however,
you basically want to search through the configuration screen for
something called "port" (which is probably set to "21") and change that
to the new port number 351.

3.2 Add sftpd to the inetd program and configure it for port 21

Next, you need to enable sftpd in the winetd service. To do this, start
WINETCFG.EXE again. Use the "Add" button to add a new daemon entry for
sftpd. In the configuration screen, set the program filename to
"c:\sftpd\sftpd.exe". Set the port number to "21" (this is the default
for FTP). Set the optional parameters to "-f351" (the "351" is the port
you set for ftpd).

You may also consider adding the option:

    -9                        to disallow unencrypted incoming
                              connections - probably a good idea if you
                              want really tight security

or the options:

    -lc:\sftpd\log.txt -d1    if you want to log user activity

To see other options, you can run the command (from c:\sftpd):

    C:\sftpd> sftpd.exe -h

NOTE: If you're upgrading a previous installation of sftpd using
Hummingbird Inetd, you should also be sure to disable sftpd in the
Hummingbird Inetd setup so the two don't conflict for port 21.


4. Troubleshooting

Consult this section if things go wrong.

4.1 "510 Assertion failed: LoadKey for DSA/public.key failed, ..."

Context:  This message may be returned by sftpd, in the FTP protocol
          stream, such that the client will see this message.

Cause(1): The DSA keys have not been created.

Solution: Run 'makekeys' (see section 2.2).

4.2 "510 connect: Connection refused (code 146)"

Context:  Client tries to connect to server; the message is returned in
          the protocol stream.

Cause:    The server is misconfigured; this message results from sftpd
          trying, and failing, to contact ftpd. sftpd obtains the port
          on which to contact ftpd from the "-f" switch. ftpd is started
          by your legacy ftpd program and should be set to start in
          response to contact on the port you specified in the "-f"
          switch.

Solution: Fix the configuration of your legacy ftpd program (see
          section 3.1).
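As an added consistency check (this script is not part of the sftpd or winetd distribution), the following Python code parses the "optional parameters" string given to winetd in section 3.2 and probes the two ports involved, so the misconfiguration behind the section 4.2 error can be found on the server before a client sees it. It assumes Python is available on the machine, that a plain TCP connect on the loopback address to the legacy ftpd port is answered with a standard "220" FTP greeting, and that the log path given with "-l" contains no spaces; the function names are the script's own.

```python
import socket
from typing import Callable, Optional

def parse_sftpd_params(params: str) -> dict:
    """Parse the winetd 'optional parameters' string for sftpd, e.g.
    '-f351 -9 -lc:\\sftpd\\log.txt -d1' (switches from section 3.2 only)."""
    opts = {"ftpd_port": None, "secure_only": False, "logfile": None, "debug": None}
    for tok in params.split():           # assumes the log path has no spaces
        if tok.startswith("-f"):
            opts["ftpd_port"] = int(tok[2:])
        elif tok == "-9":
            opts["secure_only"] = True
        elif tok.startswith("-l"):
            opts["logfile"] = tok[2:]
        elif tok.startswith("-d"):
            opts["debug"] = int(tok[2:])
    return opts

def tcp_greeting(port: int, host: str = "127.0.0.1", timeout: float = 3.0) -> Optional[str]:
    """First line sent by a listener on host:port, or None if the connect fails."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return s.recv(512).decode("ascii", "replace").strip()
    except OSError:
        return None

def diagnose(params: str, probe: Callable[[int], Optional[str]] = tcp_greeting) -> list:
    """Check the sftpd -> legacy ftpd chain from sections 3.1/3.2.
    Returns a list of findings; an empty list means the setup looks consistent."""
    opts = parse_sftpd_params(params)
    port = opts["ftpd_port"]
    if port is None:
        return ["no -f switch: sftpd does not know where the legacy ftpd listens (3.2)"]
    findings = []
    if port == 21:
        findings.append("-f21 points sftpd at its own port; move the legacy ftpd (3.1)")
    back = probe(port)
    if back is None:   # exactly the failure behind '510 connect: Connection refused'
        findings.append(f"nothing answers on port {port}: clients will get '510 connect: Connection refused' (4.2)")
    elif not back.startswith("220"):
        findings.append(f"port {port} answered without an FTP 220 greeting: {back!r}")
    if probe(21) is None:
        findings.append("nothing listening on port 21: winetd has not started sftpd (3.2)")
    if not opts["secure_only"]:
        findings.append("-9 not set: unencrypted legacy clients are still accepted on port 21")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose("-f351 -9") or ["sftpd/ftpd configuration looks consistent"]))
```

Run it on the server itself after completing section 3; the probe callback can be replaced to test against a remote host or canned responses.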