sftpc.html

伯克利做的SFTP安全文件传输协议

<html>
<head>
<title>sftpc - The Unix SafeTP Client</title>
</head>
<BODY BGCOLOR="#FFFFFF">

<h1>sftpc - The Unix SafeTP Client</h1>
<blockquote>
<b>sftpc</b> is the SafeTP client for Unix.  Note that a separate
<a href="http://safetp.cs.berkeley.edu">Windows client</a>
is available.
</blockquote>

<h2>SYNOPSIS</h2>
<blockquote>
<pre>
sftpc [ <a href="#Options">options</a> ] server [ port ]
</pre>
</blockquote>

<h2>DESCRIPTION</h2>
<blockquote>
<b>sftpc</b> works similarly to the ordinary Unix FTP client, except that it
can encrypt user's passwords (and, optionally, data) when conversing with a SafeTP
server, such as <a href="sftpd.html"><b>sftpd</b></a>.

<p>
The server to contact must be specified on the command line.  Optionally,
a port may be specified; if it is not, the default of 21 is used.

<p>
When <b>sftpc</b> is run for the first time on a given machine by a given
user, it will gather entropy and create ElGamal keys.  During entropy
gathering, you may be asked to type at the keyboard; please be patient with
this process, as it is essential for key security.

<p>
Upon connecting to the server, <b>sftpc</b> will authenticate the server,
then ask for your username and password.  Once these have been accepted
by the server, you can enter <a href="#Commands">interactive commands</a>.

</blockquote>


<!-- -------------------- options -------------------- -->
<a name=Options>
<h2>OPTIONS</h2>
</a>
<blockquote>

<!-- undocumented switches: -p, -s, -., -m, -n, -@ -->

<!-- this section duplicates information available from
     'sftpc -h'; I could have used an approach similar to that
     used for the interactive commands, but this is a much
     smaller and more stable set.. -->

<dl>

<dt><b>-v</b>
<dd>
Prints the version number for <b>sftpc</b>.

<p>
<dt><b>-z</b><i>pbsz</i>
<dd>
Specifies the size of the protection buffer.  Note that a value that is
either too large or too small may hurt performance; the default value has
been experimentally determined to be a good size for most situations.

<p>
<dt><b>-i</b>
<dd>
Starts <b>sftpc</b> in passive mode.  See <a href="#passive">passive</a>
command.

<p>
<dt><b>-d</b>
<dd>
Print extra debugging information.

<p>
<dt><b>-a</b>
<dd>
Print value of ADATs (Authentication DATa) exchanged during
authentication.  Mostly for debugging.

<p>
<dt><b>-9</b>
<dd>
Behave as a normal (RFC 959) FTP client.  This effectively disables
all encryption, including password encryption.  This option is
<b>not</b> recommended, unless the network connection is secured by
some alternate means.

<p>
<dt><b>-c</b>
<dd>
Start with data encryption off.  See <a href="#prot">prot</a> command.

<p>
<dt><b>-t</b>
<dd>
Start with data channel in integrity-only mode.  
See <a href="#prot">prot</a> command.

<p>
<dt><b>-h</b>
<dd>
Print the help message, which provides short descriptions of the
command-line options.

<p>
<dt><b>-X</b>
<dd>
Accept new server keys without prompting the user.

<p>
<dt><b>-Q</b>
<dd>
Automatically use the normal (insecure) FTP protocol if the
server doesn't understand the encrypted protocol.


</dl>
</blockquote>


<!-- ----------------- interactive commands ------------------ -->
<a name=Commands>
<h2>INTERACTIVE COMMANDS</h2>
</a>
<blockquote>
<p>
<dl>

<!-- sftpc_in.html -> sftpc.html: the next line will be replaced by
     the output of "sftpc -@" -->
<!-- this block of HTML is generated automatically by
     'sftpc -@', and pasted into sftpc.html by a script -->

<p><a name=help>
<dt><b>help</b> [&lt;command&gt;]
</a><dd>
Basic and per-command help information.
<blockquote>
  (no arg): general info<br>
  (command): per-command help<br>
  commands: list of all commands<br>
  aliases: list of all command aliases<br>
  crlf: info about CRLF stuff<br>
</blockquote>
In the 'help' list, commands listed with a plus (+) have more
info available as 'help <command>'.

<p><a name=help>
<dt><b>help</b> commands
</a><dd>
Show list of all commands.

<p><a name=help>
<dt><b>help</b> aliases
</a><dd>
Show list of all command aliases.

<p><a name=debug>
<dt><b>debug</b> [on|off|1|breaker|dump|binaryAnyway|localCRLF]
</a><dd>
Debugging support.
<blockquote>
  (no arg): toggle printing of outgoing FTP commands<br>
  on: print outgoing ftp commands<br>
  off: don't print outgoing ftp commands (default)<br>
  1: toggle diagnostic output level 1<br>
  breaker: breakpoint when debugger is attached<br>
  dump: print internal state variables<br>
  binaryAnyway: toggle binary transfer despite ascii/binary mode<br>
  localCRLF: toggle local CRLF convention<br>
  localGlobbing: toggle whether we glob locally or remotely<br>
</blockquote>

<p><a name=passive>
<dt><b>passive</b> [on|off]
</a><dd>
Set whether we use active or passive transfers.
<blockquote>
  (no arg): toggle active/passive mode<br>
  on: use passive transfers (default)<br>
  off: use active transfers<br>
</blockquote>
Normally, active transfers are used.  This means that, during a
data transfer, the server initiates a connection to the client.
However, under some circumstances (especially when firewalls are
involved), it may be necessary for the client to initiate the
data connection.  This is called a 'passive' transfer.

<p><a name=ascii>
<dt><b>ascii</b> 
</a><dd>
Use text-mode file transfers (see 'help crlf').

<p><a name=image>
<dt><b>image</b> 
</a><dd>
Use binary-mode file transfers (see 'help crlf').

<p><a name=help>
<dt><b>help</b> crlf
</a><dd>
Shows information about CRLF issues.

<p><a name=type>
<dt><b>type</b> (i|a)
</a><dd>
Set transfer mode.
<blockquote>
  i: binary mode (default)<br>
  a: ascii mode<br>
</blockquote>
See 'help crlf'.

<p><a name=lcd>
<dt><b>lcd</b> 
</a><dd>
Change current local working directory.

<p><a name=lpwd>
<dt><b>lpwd</b> 
</a><dd>
Print working directory on the local machine.

<p><a name=prompt>
<dt><b>prompt</b> [on|off]
</a><dd>
Change prompting mode.
<blockquote>
  (no arg): toggle prompts for mget/mput<br>
  on: turn on prompting<br>
  off: turn off prompting (default)<br>
</blockquote>

<p><a name=hash>
<dt><b>hash</b> [on|off]
</a><dd>
Set whether to print progress characters.
<blockquote>
  (no arg): toggle printing of # every 1k transferred<br>
  on: turn on hashes<br>
  off: turn off hashes (default)<br>
</blockquote>

<p><a name=quit>
<dt><b>quit</b> 
</a><dd>
Exit sftpc

<p><a name=!>
<dt><b>!</b> &lt;command&gt;
</a><dd>
Execute a command on the local machine.
Calls system(3) to execute a shell command

<p><a name=sync>
<dt><b>sync</b> 
</a><dd>
Empty FTP response queue.
This is useful only if the server or client gets confused, and
violates the FTP protocol.

<p><a name=test>
<dt><b>test</b> [active|passive|text|binary|multi]
</a><dd>
Run online self-tests.
<blockquote>
  (no arg): all tests, both active and passive<br>
  active: all tests, in active mode<br>
  passive: all tests, in passive mode<br>
  text: text transfers in current active/passive mode<br>
  binary: binary transfers in current active/passive mode<br>
  multi: multiple-file command tests<br>
</blockquote>

<p><a name=quote>
<dt><b>quote</b> &lt;raw-ftp-cmd&gt;
</a><dd>
Send an FTP command directly.
No interpretation is done on the command.

<p><a name=prot>
<dt><b>prot</b> [p|t|c]
</a><dd>
Set or get data channel protection level:
<blockquote>
  (no arg): print the current protection level<br>
  p (private): turn on privacy and integrity protection<br>
  t (integrity): turn on just integrity protection<br>
  c (clear): turn off protection<br>
</blockquote>
Note that this does *not* affect control-channel encryption,
which is always on (unless sftpc was started with the -9 switch).

<p><a name=pwd>
<dt><b>pwd</b> 
</a><dd>
Print remote current directory (PWD ftp command).

<p><a name=cd>
<dt><b>cd</b> [dir]
</a><dd>
Change remote directory (CWD ftp command).

<p><a name=cdup>
<dt><b>cdup</b> 
</a><dd>
Same as 'cd ..' (CDUP ftp command).

<p><a name=dir>
<dt><b>dir</b> [directory]
</a><dd>
Remote directory listing (LIST ftp command).

<p><a name=nlist>
<dt><b>nlist</b> [arg]
</a><dd>
Remote directory listing, with names only.
This issues the NLST ftp command.

<p><a name=get>
<dt><b>get</b> &lt;remotefile&gt; [localfile]
</a><dd>
Get remote file (GET ftp command).

<p><a name=put>
<dt><b>put</b> &lt;localfile&gt; [remotefile]
</a><dd>
Send local file to remote machine (PUT ftp command).

<p><a name=mget>
<dt><b>mget</b> &lt;pattern&gt;
</a><dd>
Multiple-file get; local globbing by default.

<p><a name=mput>
<dt><b>mput</b> &lt;pattern&gt;
</a><dd>
Multiple-file put; local globbing (of course).

<p><a name=mls>
<dt><b>mls</b> &lt;pattern&gt;
</a><dd>
Multiple-file list.
This command is primarily useful to see what mget will get.

<p><a name=mdelete>
<dt><b>mdelete</b> &lt;pattern&gt;
</a><dd>
Multiple-file delete.

<p><a name=mkdir>
<dt><b>mkdir</b> &lt;dir&gt;
</a><dd>
Create remote directory (MKD ftp command).

<p><a name=rmdir>
<dt><b>rmdir</b> &lt;dir&gt;
</a><dd>
Remove remote directory (RMD ftp command).

<p><a name=mv>
<dt><b>mv</b> &lt;oldName&gt; &lt;newName&gt;
</a><dd>
Rename remote file (RNFR and RNTO ftp commands).

<p><a name=rm>
<dt><b>rm</b> &lt;filename&gt;
</a><dd>
Delete remote file (DELE ftp command).

<!-- end of automatically-generated HTML -->
<!-- end of inserted docs -->

</dl>
</blockquote>


<!-- --------------- configuration --------------------- -->
<a name="configuration">
<h2>CONFIGURATION</h2>
</a>
<blockquote>

<h3>Basic Information</h3>

<b>sftpc</b> must store three kinds of configuration state:

<ul>
<li>Random seed: Necessary to generate cryptographically
    secure random numbers during authentication and key
    generation.
<li>ElGamal keys: Used to encrypt the conversation.
<li>Server keys: Used to authenticate servers after first
    contact.
</ul>

<p>
Of these, by far the most sensitive are the ElGamal keys.  In
particular, if an attacker learns the ElGamal private key, he/she
can decrypt both future <em>and</em> past sessions protected with
that key.

<p>
The random seed is primarily a concern just prior to key generation;
an attacker that knows the seed may be able to predict the generated
key.

<p>
The server keys are only a concern if an attacker modifies them; in
that case, an attacker could masquerade as a trusted server.


<h3><b>sftpc</b>'s Implementation</h3>

<p>
The above state, especially the ElGamal private key, <em>must</em>
be stored on the local disk (assuming typical insecure networks
such as NFS).  Therefore <b>sftpc</b> by default stores all of this
information in <tt>/tmp/<i>user</i></tt>, where <i>user</i> is the username
of the person using <b>sftpc</b>.

<p>
This can be inconvenient, especially on systems where <tt>/tmp</tt> is
not saved across reboot.  To support alternatives, <b>sftpc</b> will
store keys in a directory specified by the SAFETP_CONFIG environment
variable.


</blockquote>


<h2>SEE ALSO</h2>
<blockquote>
<a href="sftpd.html">sftpd</a>,
<a href="http://safetp.cs.berkeley.edu/">SafeTP</a>
</blockquote>
</body>
</html>