hclinetd.txt

伯克利做的SFTP安全文件传输协议

HCLInetd.TXT
Installation instructions for sftpd (with Hummingbird inetd)
------------------------------------------------------------

These instructions setup sftpd to intercept all normal ftp traffic and
secure the connections made by secure (SafeTP) clients. These instructions
are for people who wish to use the inetd driver program that ships with 
Hummingbird Exceed. (A free alternative driver program called winetd is 
now available - see INSTALL.TXT for details).

Following all of these instructions will require administrator access
on Windows NT/2000.

Once sftpd is installed, you will be able to FTP securely to your
server using the SafeTP client software.

The SafeTP client software can be downloaded for free from:

http://safetp.cs.berkeley.edu/


1.  Installing the Binaries


1.1 Setup Hummingbird Exceed

This configuration of sftpd requires that Hummingbird Exceed 6.x
be installed on the target system. When installing Exceed, be sure to
enable the "inetd" installation option, as you will need this
module active in order to run sftpd. You may also wish to install the
"ftpd" option if you don't already have an insecure ftpd daemon. 

SafeTP server requires that _some_ insecure, "legacy" FTP
server be installed on the same system to act as the "host" FTPd
(Because the server, like the client, is just a proxy - it adds
security to an existing FTP daemon, which handles most of the 
"real" file work). There are many such FTPd programs available,
both freely and commercially on the web (examples include wuFTPD,
WarFTPD, Microsoft IIS, WSFTPD, Hummingbird ftpd, etc.)

These instructions assume you're using Hummingbird's ftpd as your insecure
server, however we've found it to be somewhat buggy. We recommend that 
installations with serious FTP needs seek out a more stable alternative 
to act as the underlying insecure server beneath sftpd.


1.2 Unzip sftpd files into a directory

Create a directory on your harddrive for sftpd and unzip the files
into it. From here on, we assume this directory is called "C:\sftpd".
We recommend that write access to this directory is limited to just
administrators (assuming the drive is an NTFS partition).

Note that the drive should be an unmapped physical local drive.  This
is because the SYSTEM user (which the daemon runs as) will not have
drive mappings available to it.

The important sftpd binaries are:

  sftpd.exe           the daemon proxy itself
  sftpc.exe           a secure command-line client
  makekeys.exe        for creating new keys
  viewkey.exe         for viewing keys and checksums
  hcllib.dll          a library used to interface with Hummingbird inetd
  winetlib.dll        a library used to interface with Winetd
  libgmp.dll          the GNU MP crypto library


1.3  Make a new server keypair.

From c:\sftpd, while logged in as administrator, run this command:

  c:\sftpd> makekeys 0 1024
	
This will ask you for a server name to "brand" the public key, then to
type a bunch of characters to add entropy to the system.  (The dots
have to get most of the way across the screen; it takes a minute or
so.)

In this process, you are creating a new DSA (Digital Signature
Algorithm) public and private key.  makekeys is also capable of
generating ElGamal (client) keys, and by default will also now create
them for the SYSTEM user (they are ignored if the SafeTP client
software is not installed on your machine)

The DSA keys are stored in protected area of the registry where only
administrators and the daemon can see them. Note that if your windows
directory is on a FAT partition, these keys may be visible to anyone.
The public key should be made available to users, but the private key 
must be kept secret in order to assure system security.

To make the public key available to users out-of-band, this is the
recommended procedure:

  (from c:\sftpd)
  c:\sftpd> viewkey DSA/public.key > pubkey.txt
	
This will place a copy of the public key in the file pubkey.txt, in a
format suitable for distribution to users of the SafeTP client
software.



2.  Modify Exceed configuration


2.1  Enable ftpd and make it listen on a new port

Because sftpd is only a proxy, it uses the services of the Exceed FTP
daemon (ftpdw.exe) to perform all file transactions.

The network services provided by Exceed are controlled by HCL Inetd.
To view your HCL Inetd configuration, open the windows control panel
and double-click on "HCL Inetd".

There, select Ftpd from the list and use the configure button to see
the configuration screen for ftpd. There, change the Ftpd daemon to
use a _new_ port (say port 351), and set the maximum server count to
something reasonable (this is the number of simultaneous server
sessions permitted). Return to the main list and make sure it's
enabled.  NOTE: Whenever you make configuration changes to a service,
you must disable and re-enable that service in order for the changes
to take effect, and you must use the "Save" button to save your
changes when you finish work.

If your control panel doesn't contain an icon for HCL InetD or the
configuration list doesn't contain an entry for ftpd, then you
probably forgot to install those components when you installed
Exceed. See part 1.


2.2  Add sftpd and configure it for port 21

Next, use the "Add" button to add a new daemon entry for sftpd.  In
the configuration screen, set the program filename to
"c:\sftpd\sftpd.exe".  Set the TCP port to "21" (this is the default
for FTP).  Set the optional parameters to "-f351" (the "351" is the
port you set for ftpd) You may also consider adding the options: "-9"
to disallow unencrypted incoming connections - probably a good idea if
you want really tight security, or the options: "-lc:\sftpd\log.txt
-d1" if you want to log user activity.  To see other options, you can
run the command:

(from c:\sftpd)

C:\sftpd> sftpd.exe -h

You should also set the max servers count to control the number of
simultaneous users.


2.3 (Optional) Setup access control for ftpd

If you wish to control which users have access to your FTP server,
create a new Windows NT user group (using the user manager) called
"FTPAccess" and add permitted users to this group. If the group
doesn't exist, then by default ftpd will allow all users to have
access to the FTP server.

FTP users will be restricted using the normal Windows NT filesystem
access rules based on their login (NTFS partitions only). However, you
can also establish some additional drive-level restrictions for FTP
users.  See the Exceed online help files under "ftpd" for details.



3. Troubleshooting

Consult this section if things go wrong.


3.3  "510 Assertion failed: LoadKey for DSA/public.key failed, ..."

Context: This message may be returned by sftpd, in the FTP protocol
stream, such that the client will see this message.

Cause(1): The DSA keys have not been created.
Solution: Run 'makekeys' (see section 1.3).


3.5  "510 connect: Connection refused (code 146)"

Context: Client tries to connect to server, message is returned in
protocol stream.

Cause: The server is misconfigured; this message results from sftpd
trying, and failing, to contact ftpd.  sftpd obtains the port on which
to contact ftpd from the "-f" switch.  ftpd is started by inetd, and
should be set to start in response to contact on the port you
specified in the "-f" switch.

Solution: Fix the HCL Inetd configuraion (see section 2).