The install script, sc/install.pl, should get everything in order automatically. However, you may want to verify that. These are the things to check:
sftpd's files: The SafeTP executables, and the keys used by sftpd during normal operation, should be placed somewhere that sftpd can find them. Something like /home/safetp is typical:
root@leetch:/home/safetp# ls -ld . * */* drwxr-xr-x 6 safetp daemon 1024 Nov 13 02:33 ./ drwx--x--x 2 safetp daemon 1024 Oct 14 15:21 DSA/ -rw------- 1 safetp daemon 444 Oct 14 15:21 DSA/private.key -rw-r--r-- 1 safetp daemon 510 Oct 14 15:21 DSA/public.key -rw-r--r-- 1 safetp daemon 981 Nov 13 02:33 DSA/public.key.txt drwx------ 2 safetp daemon 1024 Oct 14 15:21 ElGamal/ -rw------- 1 safetp daemon 1 Oct 14 15:21 ElGamal/KeyStrength -rw------- 1 safetp daemon 401 Oct 14 15:21 ElGamal/private.key -rw------- 1 safetp daemon 269 Oct 14 15:21 ElGamal/public.key -rw------- 1 safetp daemon 11 Oct 14 15:21 ElGamal/timestamp -rwxr-xr-x 1 safetp daemon 84436 Nov 13 02:33 addent* drwx------ 2 safetp daemon 1024 Nov 11 04:25 kerb/ -rwsr-xr-x 1 safetp daemon 607910 Nov 11 04:25 kerb/kftpd* drwx------ 3 safetp daemon 1024 Oct 14 15:21 keys/ drwx------ 2 safetp daemon 1024 Oct 14 15:21 keys/127.0.0.1/ -rwxr-xr-x 1 safetp daemon 202504 Nov 13 02:33 makekeys* -rw------- 1 safetp daemon 448 Jan 12 20:43 randomSeed -rwxr-xr-x 1 safetp daemon 359528 Nov 13 02:33 sftpc* -rwxr-xr-x 1 safetp daemon 288164 Nov 13 02:33 sftpd* -rwxr-xr-x 1 safetp daemon 124016 Nov 13 02:33 viewkey*This listing has some things you may not have. kerb/ is for Kerberos compatibility. keys/127.0.0.1 and ElGamal/ were created during installation as a test, and can be removed.
The permissions for most files should be as shown above. Note particularly DSA/private.key and randomSeed, which should not be readable by anyone but sftpd (which runs as the safetp user typically).
inetd config: inetd is configured by two files.
/etc/services provides the mapping from port numbers to service names. You should have lines like:
ftp 21/tcp safetp raw-ftp 351/tcpThe lines shown map port 21 to 'safetp' and port 351 to 'raw-ftp'. See services(5). Note that some sites are configured to use NIS instead of /etc/services; see ypserv(8).
/etc/inetd.conf provides the mapping from service names to the commands that run them. You should have lines like:
raw-ftp stream tcp nowait root /usr/sbin/tcpd wu.ftpd -l -i -a -t0 safetp stream tcp nowait safetp /home/safetp/sftpd sftpd -f351 -s -y/home/safetpThe lines shown run wu-ftpd on port 351, and sftpd on port 21. In my setup, wu-ftpd is run behind TCP wrappers (tcpd); sftpd can be also. See inetd(8), ftpd(8), tcpd(8), and sftpd(8).
Note: After you make changes to either /etc/services or /etc/inetd.conf, you must send the HUP (hangup) signal to inetd to cause it to re-read its configuration files. See kill(1).
If the install script has failed, you may want to consult install.txt (included in the distribution) for manual install instructions.
If things aren't working, the first step is to verify that each of the relevant ports is being "answered" by the right program. For example:
scott@leetch:~% telnet localhost 21 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220-leetch.pasture.cow FTP server ready. 220-*** This server can accept secure (encrypted) connections. *** 220 *** See http://safetp.cs.berkeley.edu for info. *** ^] telnet> close Connection closed.From this fragment we can see that sftpd is listening to port 21, and is successfully connecting to ftpd (because the 220 message includes the info about wu-ftpd).
Possible problems at this stage include:
This would mean that nobody is listening to port 21. inetd is probably not configured right. Check the system logs for diagnostics from inetd. Did you HUP it?
Connection closed (immediately after connect)
This is caused by inetd accepting the connection, but failing to execute sftpd. Possible causes include an incorrect path in inetd.conf or a problem finding needed shared libraries. Try running sftpd from the command-line (see below). Or, if you're running sftpd behind TCP wrappers, tcpd may have disallowed the connection; see the system logs and tcpd(8).
510 connect: Connection refused (code 111)
This means that sftpd started ok, but failed to connect to ftpd. Check the system logs, and/or try to connect to ftpd directly (see below).
510 Assertion failed: FTP server immediately closed connection; it's
probably disabled, file sftpd.cpp line 573
sftpd was able to connect to ftpd, but then ftpd immediately closed the connection. This could be because inetd failed to execute ftpd. Or, if you're running it behind TCP wrappers, because tcpd decided not to allow the connection. The system logs should have more detailed information.
We can also investigate ftpd itself:
scott@leetch:~% telnet localhost 351 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 leetch.pasture.cow FTP server ready. ^] telnet> close Connection closed.Again, possibilities include connection-refused or connection-closed. A problem at this stage is not related to sftpd. Check the documentation for ftpd and inetd, and tcpd if you're using it. Until you can manually telnet to ftpd and get a 220 response, sftpd won't be able to, either.
sftpc(1) is the unix command-line SafeTP client. Try using it to connect to sftpd:
scott@leetch:~% sftpc localhost sftpc version 1.40 Connected to localhost (127.0.0.1, port 21). 220-leetch.pasture.cow FTP server ready. 220-*** This server can accept secure (encrypted) connections. *** 220 *** See http://safetp.cs.berkeley.edu for info. *** Starting negotiation... Public key for 127.0.0.1: SafeTP at leetch.cs.berkeley.edu [10/14/1999] 235 Security data exchange complete. 211 DIGT=uh9Iqi/mtOZUSbnuMqBlRGVdA+s= Negotiation completed. 200 The PBSZ is ok. 200 Data channel protection set to 'private'. User name (Enter = scott)?If this works, log in, and issue the "test" command. This will test many features of sftpc and sftpd, including transfers under all combinations of data encryption on/off and passive/active mode. If it works locally, but you're having problems connecting from a remote site, build sftpc there and try it from the remote site.
Ideas for experimentation:
From the command line you can interactively try things much more easily than with inetd, and see diagnostic messages on the console. However, sftpd will only handle a single connection when run this way, so it's only useful for debugging.
Be sure to tell sftpd where to look for its keys, by supplying the -y switch. You can create keys using the 'makekeys' standalone program. See sftpd(8) for more info on command-line options.
Example command line:
scott@leetch:~/sftpd% ./sftpd -p3333 -f351 -y/tmp/scott
Ideas for experimentation:
The Windows client has its own documentation. However, one key fact is that the Windows client only secures connections to specific ports -- currently limited to ports 21, 353 and 2123. If you're troubleshooting problems with the client, be sure to run sftpd such that it listens to one of these ports.
If you can't get it working, email me! Send me:
ftpddaemon is now on port 351:
safetp@myhost% sftpd -d2 -p3333 -f351 -y/home/safetp >& sftpd.log & anybody@anyhost% sftpc -d -a myhost 3333 [then capture the screen output using cut & paste]