install.txt

伯克利做的SFTP安全文件传输协议

install.txt version 1.09
Installation instructions for sftpd
-----------------------------------

These instructions setup sftpd to intercept all normal ftp traffic
and secure the connections made by secure (SafeTP) clients.

Following all of these instructions will require root access (though
the daemon itself does not run as root).  However, a limited form of
sftpd (specifically, where it listens to a nonstandard, unpriviledged
port) may be installed without root access.


1.  Create 'safetp' user.

Create a 'safetp' user, in whose name the sftpd daemon will run.  On
Linux, this is accomplished through the 'adduser' program; it might be
called "useradd" elsewhere.

safetp's home directory must be on the local disk.  Sensitive
information is stored there, and it is a serious security risk for
this information to go over the network in the clear.  Make sure read
and write access to this directory is limited to just its owner.

If your system has provisions for giving certain users even *less*
authority than normal users, you may want to so limit 'safetp'.
safetp only needs to be able to read and write files in his home
directory (and the DSA subdirectory thereof), make outgoing TCP
connections, and listen to unpriviledged TCP ports.

The actual name of the created user can be anything.


2.  Compile the binaries

At UCB, in the CS dept., the binaries should already be available,
in /usr/sww/pkg/safetp.  Skip to step 3.

Otherwise, see compile.txt.


3.  Run the install script.

As root, run: 
  
  # sc/install.pl

If all goes well, you're done.  If not, there are some
troubleshooting tips in trouble.txt.



------------------------------------------------------------------
------ Manual install instructions -------------------------------
------------------------------------------------------------------

These instructions should be unnecessary, as the 'install' script
supercedes them.  They may also be somewhat out of date.  They are
here to give a (more) readable account of what the install script
does, and some additional info on troubleshooting, etc.

Note on naming:  The daemon for SafeTP is called 'sftpd'.  "sftp" is,
however, the name of some unrelated service, usually at port 115.
I will use the term "sftpd" when referring to the SafeTP daemon 
program, "SafeTP" when referring to the system as a whole, and "safetp"
to refer to the user we recommend you create and the name of the
service sftpd will query to determine a port number to listen to.
Outside this paragraph, I am never referring to the port-115 "sftp".

(In this document, "quotes" refer to the string of characters, and
'ticks' refer to the entity named.)


Permissions summary after installation is complete:

NOTE:  All files must be owned by 'safetp'.

                         min for safetp operation   safe, convenient
  ~safetp                     drwx------              drwxr-xr-x
  ~safetp/randomSeed          -rw-------              -rw-------
  ~safetp/DSA                 drwx------              drwx--x--x
  ~safetp/DSA/private.key     -rw-------              -rw-------
  ~safetp/DSA/public.key      -rw-------              -rw-r--r--
  (wherever)/public.key.txt   (not needed)            -rw-r--r--


1.  Setup the binaries.

1.1  (OPTIONAL) Create a 'safetp' user, in whose name the sftpd daemon
will run.

On Linux, this is accomplished through the 'adduser' program (same on
most Unix?).

Make sure read and write access to this directory is limited to just
its owner.  If your system has provisions for giving certain users
even *less* authority than normal users, you may want to so limit
'safetp'.  safetp only needs to be able to read and write files in his
home directory (and the DSA subdirectory thereof), make outgoing TCP
connections, and listen to unpriviledged TCP ports.

The actual name of the created user can be anything.

It may be useful to add 'safetp' to the 'daemon' group, so its files
can be marked with this group, rather than 'users'.  This is done
by modifying the /etc/group file (more complicated on yp systems,
I don't know the details), adding "safetp" to the "daemon" line, and
changing the default group of "safetp" in /etc/passwd.

This is a security measure; it is not required for functionality.


If you're at U.C. Berkeley, you can use the prebuilt binaries; go to
step 1.2(b).  Otherwise, go to step 1.2(a).


1.2(a)  Copy the sftpd sources into ~safetp, and build them.

See compile.txt.


1.2(b)  Copy the sftpd binaries from sww to the local disk.

The sftpd binaries are in /usr/sww/pkg/safetp.  The important binaries
are:
  sftpd           the daemon proxy itself
  makekeys        for creating new keys
  viewkey         for viewing keys and checksums
  addent          for manually adding entropy
  sftpc           the unix client


1.3  Make a new server keypair.

From safetp's home directory, while logged in as user 'safetp', do this:

  % makekeys 0 1024

This will ask you for a server name to "brand" the public key, then
to type a bunch of characters to add entropy to the system.  (The
dots have to get most of the way across the screen.)

In this process, you are creating a new DSA (Digital Signature
Algorithm) public and private key.  makekeys is also capable of
generating ElGamal keys, but the server does not need to have its
own ElGamal keys (that is why the first argument is "0").

The DSA keys are stored in the DSA subdirectory, as DSA/public.key
and DSA/private.key.  The public key should be made available;
the private key must be kept secret.

To make the public key available to users out-of-band, this is the
recommended procedure:

  (from ~safetp)
  % viewkey DSA/public.key > DSA/public.key.txt
  % chmod a+r DSA/public.key.txt
  % chmod a+x DSA

Then, some system-wide information service (motd, perhaps) can point
users to ~safetp/DSA/public.key.txt .

This process also writes the state of its pseudo-random number
generator to a file called "randomSeed".  The contents of this
file must also be kept secret, and 'safetp' must always have
permission to read and write this file.


1.4  (OPTIONAL) Test sftpd.

While logged in as an ordinary user (not safetp or root), create a set
of client keys.

  % makekeys 1024 0
  (more entropy typing required....)

Run sftpd in a shell window, with priviledges to access randomSeed and
DSA/{public,private}.key .

  # sftpd -p2123 -f21

Run sftpc in the shell window where you just created client keys.

  % sftpc -p2123
  (Supply the -s<hostname> argument if the host is nonlocal.)

Enter your username and password at the next two prompts.

Then, once you get the "sftpc>" prompt, type these things:
  1.  tests           // should end with "(files are identical)" printed
  2.  quit

If all goes well, no exceptions will be thrown.


2.  Modify system configuration files.

2.1  Modify /etc/services so sftpd listens to 21 and ftpd is elsewhere.

/etc/services maps port numbers to named services.  Find a line in
this file like this:

ftp		21/tcp

Modify it (adding "safetp" as an alias), and add another:

ftp		21/tcp		safetp
raw-ftp		221/tcp

Here, 221 is where I've put ftpd.  It can be any value, but should not
collide with preexisting port number conventions, and should be less
than 1024, so ordinary user processes cannot masquerade as ftpd.

There is a potential problem here if 'ftpd' is run as a stand-alone daemon
instead of by inetd.  Since ftpd, in this mode, queries getservbyname
for "ftp", it will listen on the same port as sftpd.  At this time, I
don't know a good workaround (other than next paragraph).

It is possible to run sftpd on a port other than 21, but in that case
users would have to explicitly tell their clients which port to use,
thereby reducing the likelihood of use.


2.2  Modify /etc/inetd.conf to run sftpd in response to a connect on
port 21.

2.2.1  Add 'sftpd'.

Add a line like this (it is split onto two lines for readability):

safetp	stream	tcp	nowait	safetp	/home/safetp/sftpd sftpd -s
 -y/home/safetp

The "-s" is critical; it tells sftpd it's being run by inetd.  Info on
other options can be viewed by running "sftpd -h".  Note that
inetd.conf *includes* argv[0], which is why the first argument is
"sftpd".

The "-y" changes sftpd's current directory.  This should be the
directory of which DSA is a subdirectory, and where randomSeed lives.
(On some systems, it is redundant; on others, it is required.)

Note:  For maximum security, you can disable the 959 dropdown by
supplying the "-9" option to sftpd.  Doing so disallows insecure
connections.


2.2.2  Modify 'ftpd'.

Change the existing ftpd line, so it is run in response to a connect
on the 'raw-ftp' port instead of the 'ftp' port:

raw-ftp	stream	tcp	nowait	root	/usr/sbin/tcpd	wu.ftpd

(This is a line from my Linux inetd.conf, which by default uses
tcpd for connection logging and control.  sftpd is also compatible
with tcpd, though in my examples I've not been using it.)


2.2.3  HUP inetd to re-read inetd.conf.

You'll have to then cause inetd to re-read its configuration file.
This is done by sending the "HUP" signal to it.  On Linux, this
is easy:

  # killall -HUP inetd

On other systems be careful, sometimes 'killall' does what it sounds
like it does.


2.3  (OPTIONAL) Modify /etc/syslog.conf, if desired.

sftpd generates syslog messages while running.  All messages are
of the 'daemon' facility.  Routine logging is in the 'info' class,
and if the "-d" switch is specified, additional detail is specified
with the 'debug' class.

Logging of file-level info, like per-transfer logs, is left to
ftpd (since it will be involved in every file transfer, as usual).