sftpd.html

伯克利做的SFTP安全文件传输协议

<html>
<head>
<title>sftpd - The SafeTP Daemon</title>
</head>

<h1>sftpd - The SafeTP Daemon</h1>
<blockquote>
<b>sftpd</b> runs in the background and services SafeTP clients.
</blockquote>

<h2>SYNOPSIS</h2>
<blockquote>
<pre>
sftpd [ <a href="#Options">options</a> ]
</pre>
</blockquote>

<h2>DESCRIPTION</h2>
<blockquote>
<b>sftpd</b> is a daemon process.  When SafeTP clients connect to a
SafeTP server, it is <b>sftpd</b> that responds.  <b>sftpd</b>, in
turn, connects to <b>ftpd</b> to do the real FTP work.

<p>
<img src="sftpd.arch.gif">

<p>
<b>sftpd</b> is normally run from <b>inetd</b>.  <b>Inetd</b> is
configured by
<a href="#etc_services"><tt>/etc/services</tt></a> and
<a href="#etc_inetd_conf"><tt>/etc/inetd.conf</tt></a>.

<p>
<b>sftpd</b> has an installation script.  In the source tree, it
is called <tt>sc/install.pl</tt>.  It is interactive, though its
response file can be re-used to automate multiple installs.

</blockquote>


<!-- -------------------- options -------------------- -->
<a name=Options>
<h2>OPTIONS</h2>
</a>
<blockquote>

<!-- undocumented switches: -t -->

<h3>General options</h3>
<dl>

<dt><b>-v</b>
<dd>
Prints the version number for <b>sftpd</b>.
<p>

<dt><b>-h</b>
<dd>
Prints a usage summary.  The usage summary produced by <b>-h</b> is always
the most up-to-date, relative to, say, this HTML file.
<p>

<dt><b>-y</b><i>directory</i>
<dd>
Specifies the working directory.  The encryption keys are found in this
directory.
<p>

</dl>
<h3>Control Channel</h3>
<dl>

<dt><b>-s</b>
<dd>
This flag <em>must</em> be specified when <b>sftpd</b> is run
by <b>inetd</b>.  It tells <b>sftpd</b> to use standard input as
the control connection, rather than creating a socket itself.
<p>

<dt><b>-p</b>[<i>ADDR</i>:]<i>N</i>
<dd>
Specifies the port to listen to.  This option is only useful when
<b>sftpd</b> is <em>not</em> run from <b>inetd</b>.  (I.e., the
<b>-s</b> switch is not specified.)
<p>

When the <i>ADDR</i> is provided, <b>sftpd</b> listens only to that interface,
rather than listening to all interfaces.  It must be an IP address of
a network interface on the machine where <b>sftpd</b> is running.  Additional
information and some examples are in <a href="interfaces.txt">interfaces.txt</a>.
<p>

<dt><b>-f</b>[<i>ADDR</i>:]<i>N</i>
<dd>
Specifies the port on which to contact <b>ftpd</b>.  This option
overrides the <b>raw-ftp</b> entry of <tt>/etc/services</tt>.
<p>

When the <i>ADDR</i> is provided, <b>sftpd</b> will contact <b>ftpd</b> on
at the specified address, instead of contacting the <b>ftpd</b> on the
same machine that <b>sftpd</b> is running on.
<p>

<em><b>PLEASE NOTE</b></em>: The traffic between <b>sftpd</b> and <b>ftpd</b>
is unencrypted.  Ordinarily that is not a problem since it never hits the
network.  But if you supply a nonlocal address with <b>-f</b>, the traffic
will go over some network.  That network should be secured by some other means,
such as a physically secure internal LAN or an encrypted VPN.
<p>

</dl>
<h3>Data Channel</h3>
<dl>

<dt><b>-c</b>
<dd>
Require data encryption to be used for all file transfers.  This option
implies <b>-3</b> (force data relay) and <b>-9</b> (disallow unencrypted
connections).
<p>

<dt><b>-r</b><i>low</i>-<i>high</i>
<dd>
Restrict the range of ports used for passive-mode transfers to
between <i>low</i> and <i>high</i> (inclusive).  E.g.,
<tt>-r40000-40999</tt>.
<p>

This is useful for servers behind firewalls, where the firewall can be
told to pass those ports on to the machine running sftpd.  (See also
the <b>-i</b> flag.)
<p>

<dt><b>-R</b><i>low</i>-<i>high</i>
<dd>
Restrict the range of ports used for active-mode transfers.
For traditional FTP behavior of binding port 20 for active
transfers, specify <b>-R20,20</b>.
<p>

</dl>
<h3>Logging</h3>
<dl>

<dt><b>-l</b><i>filename</i>
<dd>
(lowercase L)<br>
Log to file <i>filename</i> instead of stdout or syslog.
<p>

<dt><b>-o</b>
<dd>
Normally, when the <b>-s</b> switch is used, logging output is sent to
the <b>syslog</b> facility, which is configured by
<tt>/etc/syslog.conf</tt>.  This switch tells <b>sftpd</b> to use
stdout, instead (unless the <b>-l</b> switch is also present,
which overrides <b>-o</b> and sends output to a file).
<p>

<dt><b>-d</b><i>N</i>
<dd>
Specify the level of debugging output produced.  <i>N</i> can be
1 (least) or 3 (most).  <p>

<em>Note</em>: Due to a bug in 1.46, this output goes to stderr
regardless of the presence of <b>-l</b>, so it won't work if sftpd is
run from inetd (because stderr goes to the network connection).  Run
sftpd from a shell prompt if you're debugging with <b>-d</b> (this
applies to <b>-a</b> as well).
<p>

<dt><b>-a</b>
<dd>
When this flag is set, the ADATs (Authentication DATa) exchanged during
authentication will be logged as well.
<p>

<dt><b>-m</b><i>mask</i>
<dd>
Sets which events to log, as a sum of these codes:
  <blockquote>
  <dl>
  <dt>1 (0x01) - Errors - exceptions, usage errors, etc.
  <dt>2 (0x02) - Warnings - things that suggest there is a problem.
  <dt>4 (0x04) - Control channel connections and disconnections
  <dt>8 (0x08) - Handoffs and dropdowns for compatibility
  <dt>16 (0x10) - Debugging output - if <b>-d</b> is specified then this flag
                  must also be set to see the output.
  <dt>32 (0x20) - USER - log usernames.
  <dt>128 (0x80) - Timestamp - when set, this flag causes each log output to
                   include the date, time, and process id.
  </dl>
  </blockquote>
<p>

You can specify the <i>mask</i> as decimal or, with a leading "0x",
hexadecimal.  For example, to log just errors with timestamps, say
<tt>-m0x81</tt>.  The default is 0xbf (everything logged).  The logging
behavior of version 1.40 is 0x1f.
<p>

</dl>
<h3>Compatibility</h3>
<dl>

<dt><b>-9</b>
<dd>
This switch disallows unencrypted (RFC 959) FTP connections.  By default,
<b>sftpd</b> will permit unencrypted connections for backward compatibility.
When this compatibility is no longer desired, the <b>-9</b> switch should
be added.  (See also <a href="tcpd.html">Using TCP wrappers</a>.)
<p>

<dt><b>-8</b>
<dd>
This is like <b>-9</b>, but it allows unencrypted FTP connections for
anonymous FTP only.
<p>

<dt><b>-3</b> <dd> Some FTP daemons are compiled to disallow PORT
commands (and/or PASV connections) that name some machine other than
the client's machine; these are so-called third-party transfers.  As a
performance optimization, when data-channel encryption is turned off,
<b>sftpd</b> uses third-party transfers.  <p>

If <b>ftpd</b> is configured to disallow third-party transfers, users
will see a message such as "500 You've GOT to be joking" or "425
Possible PASV port theft, cannot open data connection." when they
attempt to transfer files.  The <b>-3</b> switch disables the
optimization, thereby pacifying <b>ftpd</b>.  <p>

You can use a sequence like this to determine if your ftpd is so configured:
  <pre>
  % ftp localhost
  220 richter FTP server ready.
  Name (localhost:scott):
  331 Password required for scott.
  Password:
  230 User scott logged in.
  ftp&gt; quote port 4,4,4,4,4,4
  200 PORT command successful.           &lt;-- no need for -3
        or
  500 You've GOT to be joking.           &lt;-- must specify -3
  </pre>
<p>

Starting with version 1.10, <b>sftpd</b> will automatically detect this
condition for active (PORT) transfers, and will work around it.  However,
it does not detect this problem for passive (PASV) transfers, so -3 may
need to be specified in some circumstances.
<p>

<dt><b>-i</b><i>address</i>
<dd>                                                                       

Instructs <b>sftpd</b> to supply an alternate IP address to the
client, in the SafeTP protocol stream.  Normally, <b>sftpd</b> sends
the IP address of the interface on which it was contacted, and the
client verifies this is the same IP it intended to contact.
<p>

However, if the server is behind a Network Address Translation (NAT)
firewall, the client will see a different IP than the server believes
itself to be, and report this as a possible security violation.  To
work around this, use the <b>-i</b> switch to specify the IP address
the client expects to see.
<p>

This flag also affects the address specified in the reply to the PASV
command.  This means it can be used with <b>-r</b> to allow clients to
talk to a server behind a firewall (appropriately configured).
<p>

<dt><b>-K</b><i>filename</i>
<dd>
Enables <a href="kerberos.html">Kerberos compatibility</a>.
Specify the filename (including path) to the Kerberos ftpd binary.
<p>

<dt><b>-e</b><i>filename</i>
<dd>

(Experimental)  Specifies that when dropping down to 959 mode, and the user is
anonymous, <b>sftpd</b> should exec(2) <b>ftpd</b> instead of
spawning another process and forwarding data to it.  <i>filename</i>
is the executable to exec(2).
<p>

This can be useful because <b>ftpd</b> can then directly see the IP
address of the user, and possibly apply admission and flow control
based on user and IP address.
<p>

<!-- undocumented intentionally because end users don't care --
<dt><b>-x</b>
<dd>
This switch allows the X-CLEARTEXT and X-CLEARTEXT2 protocols to be used.
These protocols are <em>insecure</em>, and should not normally be allowed.
<p>
  -- end of undocumented flags -->

</dl>
</blockquote>

<!-- -------------------- config files -------------------- -->
<a name=ConfigFiles>
<h2>CONFIGURATION FILES</h2>
</a>
<blockquote>
<p>

<a name=etc_services>
<h3>/etc/services</h3>
</a>
<p>
<tt>/etc/services</tt> maps service names into port numbers, and
typically needs entries for <b>safetp</b> and <b>raw-ftp</b>.  The
<b>safetp</b> port is where <b>sftpd</b> will listen for incoming
connections, and the <b>raw-ftp</b> port is where <b>sftpd</b> will
contact <b>ftpd</b>, the normal (unencrypted) Unix ftp daemon.

  <pre>
  # example entries in /etc/services
  ftp             21/tcp          safetp
  raw-ftp         351/tcp
  </pre>

<p>
Typically, <b>sftpd</b> should be installed on port 21 (the usual
FTP port), and <b>ftpd</b> should listen to another port in the
protected range (&lt;1024), such as 351.

<p>
If it is undesirable to have <b>sftpd</b> listen to 21, port 353
is the suggested alternative.


<a name=etc_inetd_conf>
<h3>/etc/inetd.conf</h3>
</a>
<p>
<tt>/etc/inetd.conf</tt> maps service names to daemon executables.
<b>inetd</b> reads this file when it starts-up, and whenever it
receives the HUP signal.

  <pre>
  # example /etc/inetd.conf excerpt
  # svc   type    prot    wait?   user    executable         command-line w/argv[0]
  safetp  stream  tcp     nowait  safetp  /home/safetp/sftpd sftpd -f351 -s -y/home/safetp
  raw-ftp stream  tcp     nowait  root    /usr/sbin/tcpd     wu.ftpd -t0
  </pre>

</blockquote>


<!-- ------------------ security notes --------------------- -->
<a name=securityNotes>
<h2>SECURITY NOTES</h2>
</a>
<blockquote>

<h3>Who runs as root</h3>

<p>
<b>sftpd</b> does <em>not</em> have to run as root.  For enhanced
protection against possible bugs in <b>sftpd</b>, it is preferable to
run as an ordinary user, with privileges only to read and write the
directory containing the cryptographic keys.

<p>
<b>ftpd</b>, because it must potentially access any user's home directory,
must run as root.

<p>
<b>inetd</b>, because it must listen to protected (&lt;1024) ports, and
spawn servers running as arbitrary users, must run as root.

<p>
<b>kftpd</b> (Kerberos' ftpd), if you're using <a href="kerberos.html">
Kerberos compatibility</a>, must run as root for the same reason that
ftpd does, plus it must access sensitive Kerberos keys.


<h3>Encryption</h3>

<p>
Encryption is used to provide two security services: authentication and
confidentiality.

<p>
Server authentication is provided via DSA (Digital Signature Algorithm)
public-key signatures.  The server has a public and a private DSA key.
Clients usually receive the server's public key during the first contact,
trusting that the first contact is authentic, and record this public key
in a local database.  Subsequent connections are authenticated when the
server proves it knows the corresponding private key.

<p>
Confidentiality is bootstrapped via ElGamal public-key encryption.  Clients
generate ElGamal keys locally, and transmit their public keys when they
connect to a server.  The server encrypts the master session key with the
client's public key; the client is then the only party that can decrypt it.

<p>
Message-level authentication is provided by an HMAC (Hashed Message
Authentication Code) using SHA (Secure Hash Algorithm) as the hash
function, for which the keys are derived from the master session
key.

<p>
Message-level confidentiality (including confidentiality of the user's
password) is provided by Triple-DES (Data Encryption Standard), for which
the keys are derived from the master session key.


<h3>Key Management</h3>

<p>
The DSA private key, and the random seed file, are stored on disk
in plaintext (unencrypted).

<p>
Compromise (unauthorized read or write) of either file can lead to a
compromise of user's passwords.  It is therefore essential that file
permissions be set properly, and that these files not be transmitted
via an insecure network protocol such as NFS (Network File System).

<p>
Various additional key protection measures have been considered, such as
encrypting with a fixed (compile-time) Triple-DES key, passwords entered
at boot time, etc.  However, these measures are either insufficient or
too inconvenient for users, and therefore have not been employed.


</blockquote>


<h2>SEE ALSO</h2>
<blockquote>
<a href="sftpc.html">sftpc</a>,
<a href="http://safetp.cs.berkeley.edu">SafeTP</a>
</blockquote>
</body>
</html>