📄 trouble.html

<html>
<head><title>Troubleshooting SafeTP</title></head>
<body>

<h1>Troubleshooting SafeTP</h1>

<h2>sftpd (unix server) Installation</h2>

<p>The install script, <tt>sc/install.pl</tt>, should get everything in
order automatically.  However, you may want to verify that.  These are
the things to check:</p>

<ul>
<li><p><b>sftpd's files</b>: The SafeTP executables, and the keys used
    by sftpd during normal operation, should be placed somewhere that
    sftpd can find them.  Something like <tt>/home/safetp</tt> is
    typical:
      <pre>
      root@leetch:/home/safetp# ls -ld . * */*
      drwxr-xr-x   6 safetp   daemon       1024 Nov 13 02:33 ./
      drwx--x--x   2 safetp   daemon       1024 Oct 14 15:21 DSA/
      -rw-------   1 safetp   daemon        444 Oct 14 15:21 DSA/private.key
      -rw-r--r--   1 safetp   daemon        510 Oct 14 15:21 DSA/public.key
      -rw-r--r--   1 safetp   daemon        981 Nov 13 02:33 DSA/public.key.txt
      drwx------   2 safetp   daemon       1024 Oct 14 15:21 ElGamal/
      -rw-------   1 safetp   daemon          1 Oct 14 15:21 ElGamal/KeyStrength
      -rw-------   1 safetp   daemon        401 Oct 14 15:21 ElGamal/private.key
      -rw-------   1 safetp   daemon        269 Oct 14 15:21 ElGamal/public.key
      -rw-------   1 safetp   daemon         11 Oct 14 15:21 ElGamal/timestamp
      -rwxr-xr-x   1 safetp   daemon      84436 Nov 13 02:33 addent*
      drwx------   2 safetp   daemon       1024 Nov 11 04:25 kerb/
      -rwsr-xr-x   1 safetp   daemon     607910 Nov 11 04:25 kerb/kftpd*
      drwx------   3 safetp   daemon       1024 Oct 14 15:21 keys/
      drwx------   2 safetp   daemon       1024 Oct 14 15:21 keys/127.0.0.1/
      -rwxr-xr-x   1 safetp   daemon     202504 Nov 13 02:33 makekeys*
      -rw-------   1 safetp   daemon        448 Jan 12 20:43 randomSeed
      -rwxr-xr-x   1 safetp   daemon     359528 Nov 13 02:33 sftpc*
      -rwxr-xr-x   1 safetp   daemon     288164 Nov 13 02:33 sftpd*
      -rwxr-xr-x   1 safetp   daemon     124016 Nov 13 02:33 viewkey*
      </pre>
    This listing
    has some things you may not have. <tt>kerb/</tt> is for
    <a href="kerberos.html">Kerberos</a> compatibility.
    <tt>keys/127.0.0.1</tt> and <tt>ElGamal/</tt> were
    created during installation as a test, and can be removed.</p>

    <p>The permissions for most files should be as shown above.
    Note particularly <tt>DSA/private.key</tt> and <tt>randomSeed</tt>,
    which should not be readable by anyone but sftpd (which runs
    as the <tt>safetp</tt> user typically).</p>

<li><p><b>inetd config</b>: inetd is configured by two files.</p>

    <p><tt>/etc/services</tt> provides the mapping from port numbers
    to service names.  You should have lines like:
      <pre>
      ftp             21/tcp          safetp
      raw-ftp         351/tcp
      </pre>
    The lines shown map port 21 to 'safetp' and port 351 to
    'raw-ftp'.  See services(5).  Note that some sites are
    configured to use NIS instead of <tt>/etc/services</tt>;
    see ypserv(8).</p>

    <p><tt>/etc/inetd.conf</tt> provides the mapping from service
    names to the commands that run them.  You should have lines like:
      <pre>
      raw-ftp stream  tcp     nowait  root    /usr/sbin/tcpd  wu.ftpd -l -i -a -t0
      safetp  stream  tcp     nowait  safetp  /home/safetp/sftpd sftpd -f351 -s -y/home/safetp
      </pre>
    The lines shown run
    <a href="http://www.wu-ftpd.org/">wu-ftpd</a>
    on port 351, and sftpd on port 21.  In my
    setup, wu-ftpd is run behind TCP wrappers (tcpd); sftpd can be also.
    See inetd(8), ftpd(8), tcpd(8), and <a href="sftpd.html">sftpd(8)</a>.</p>

    <p><b>Note</b>: After you make changes to either <tt>/etc/services</tt>
    or <tt>/etc/inetd.conf</tt>, you must send the HUP (hangup) signal to
    inetd to cause it to re-read its configuration files.
    See kill(1).</p>
</ul>

<p>If the install script has failed, you may want to consult
<tt>install.txt</tt> (included in the distribution) for
manual install instructions.</p>

<h2>Testing the ports setup</h2>

<p>If things aren't working, the first step is to verify that each of
the relevant ports is being "answered" by the right program.  For
example:
  <pre>
  scott@leetch:~% telnet localhost 21
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  220-leetch.pasture.cow FTP server ready.
  220-*** This server can accept secure (encrypted) connections. ***
  220 *** See http://safetp.cs.berkeley.edu for info. ***
  ^]
  telnet&gt; close
  Connection closed.
  </pre>
From this fragment we can see that sftpd is listening to port 21, and
is successfully connecting to ftpd (because the 220 message includes
the info about wu-ftpd).</p>

<p>Possible problems at this stage include:
<ul>
<li><p><tt>Connection refused</tt><br>
    This would mean that nobody is listening to port
    21.  inetd is probably not configured right.  Check the system
    logs for diagnostics from inetd.  Did you HUP it?</p>

<li><p><tt>Connection closed</tt> (immediately after connect)<br>
    This is caused by
    inetd accepting the connection, but failing to execute sftpd.
    Possible causes include an incorrect path in inetd.conf or a
    problem finding needed shared libraries.  Try running sftpd from
    the command-line <a href="#sftpdCmdLine">(see below)</a>.  Or,
    if you're running sftpd behind TCP wrappers, tcpd may have
    disallowed the connection; see the system logs and tcpd(8).</p>

<li><p><tt>510 connect: Connection refused (code 111)</tt><br>
    This means
    that sftpd started ok, but failed to connect to ftpd.
    Check the
    system logs, and/or try to connect to ftpd directly
    <a href="#ftpdTelnet">(see below)</a>.</p>

<li><p><tt>510 Assertion failed: FTP server immediately closed connection; it's
    probably disabled, file sftpd.cpp line 573</tt><br>
    sftpd was able to connect to ftpd, but then ftpd immediately closed
    the connection.  This could be because inetd failed to execute ftpd.
    Or, if you're running it behind TCP wrappers, because tcpd decided
    not to allow the connection.  The system logs should have more
    detailed information.</p>
</ul></p>

<a name="ftpdTelnet"></a>
<p>We can also investigate ftpd itself:
  <pre>
  scott@leetch:~% telnet localhost 351
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  220 leetch.pasture.cow FTP server ready.
  ^]
  telnet&gt; close
  Connection closed.
  </pre>
Again, possibilities include connection-refused or connection-closed.
A problem at this stage is not related to sftpd.  Check the documentation
for ftpd and inetd, and tcpd if you're using it.  Until you can manually
telnet to ftpd and get a 220 response, sftpd won't be able to, either.</p>

<h2>Try it with sftpc</h2>

<p><a href="sftpd.html">sftpc(1)</a> is the unix command-line SafeTP
client.  Try using it to connect to sftpd:
  <pre>
  scott@leetch:~% sftpc localhost
  sftpc version 1.40
  Connected to localhost (127.0.0.1, port 21).
  220-leetch.pasture.cow FTP server ready.
  220-*** This server can accept secure (encrypted) connections. ***
  220 *** See http://safetp.cs.berkeley.edu for info. ***
  Starting negotiation...
  Public key for 127.0.0.1: SafeTP at leetch.cs.berkeley.edu [10/14/1999]
  235 Security data exchange complete.
  211 DIGT=uh9Iqi/mtOZUSbnuMqBlRGVdA+s=
  Negotiation completed.
  200 The PBSZ is ok.
  200 Data channel protection set to 'private'.
  User name (Enter = scott)?
  </pre>
If this works, log in, and issue the "test" command.
This will test
many features of sftpc and sftpd, including transfers under all
combinations of data encryption on/off and passive/active mode.
If it works locally, but you're having problems connecting from a
remote site, build sftpc there and try it from the remote site.</p>

<p>Ideas for experimentation:
<ul>
<li>Try the -d switch.  It will cause sftpc to print much more
    detailed diagnostics.
<li>If only one of passive or active mode works, there may be
    a problem with a firewall blocking connections.  See
    <a href="http://safetp.cs.berkeley.edu/firewall.html">Notes on Firewalls.</a>
<li>If it only works with data encryption turned on, ftpd may
    be unhappy making 3rd-party connections.  See the description
    of the -3 switch in <a href="sftpd.html">sftpd(8)</a>.
<li>Other command-line switches are documented on the
    <a href="sftpd.html">sftpc(1) man page</a>.
</ul>

<a name="sftpdCmdLine"></a>
<h2>Try running sftpd from the command line</h2>

<p>From the command line you can interactively try things much more easily
than with inetd, and see diagnostic messages on the console.  However,
sftpd will only handle a single connection when run this way, so it's
only useful for debugging.</p>

<p>Be sure to tell sftpd where to look for its keys, by supplying the
-y switch.  You can create keys using the 'makekeys' standalone
program.  See <a href="sftpd.html">sftpd(8)</a> for more info on command-line
options.</p>

<p>Example command line:
  <pre>
  scott@leetch:~/sftpd% ./sftpd -p3333 -f351 -y/tmp/scott
  </pre></p>

<p>Ideas for experimentation:
<ul>
<li>sftpd doesn't have to run as a privileged user if you have it
    listen to a nonprivileged port (>1024).
<li>If you want to try it with sftpd listening to port 21, comment-out
    the conflicting line in inetd.conf (if any) first, and HUP inetd.
<li>The -d1 switch will yield additional diagnostic output.
    -d2 gets
    even more.
</ul>

<h2>Trouble with the Windows client</h2>

<p>The Windows client has
<a href="http://safetp.cs.berkeley.edu/safetpc.html">its own documentation.</a>
However, one key fact is that the Windows client only secures connections
to specific ports -- currently limited to ports 21, 353 and 2123.  If you're
troubleshooting problems with the client, be sure to run sftpd such that
it listens to one of these ports.</p>

<h2>General tips</h2>

<ul>
<li>Check the system logs.  All the daemons (inetd, ftpd, and sftpd) should
    be reporting failures to the logs (see syslogd(8)).
</ul>

<h2>If all else fails</h2>

<p>If you can't get it working,
<a href="mailto:smcpeak@cs.berkeley.edu">email me</a>!
Send me:
<ul>
<li>Info about your platform: OS, processor, etc.
<li>Your inetd configuration; excerpts are fine.
<li>A description of the problem, including any error messages.
    Cut+paste from a console window is ideal.
<li>Output from sftpd -d2.  You can use the -o and -l switches
    to send this to a file if you're running sftpd from inetd.
<li>Output from sftpc -d -a, if you can reproduce the problem with
    sftpc.
    Example of sftpd/sftpc test (using tcsh/csh), assuming the regular
    <code>ftpd</code> daemon is now on port 351:
      <pre>
      safetp@myhost% sftpd -d2 -p3333 -f351 -y/home/safetp >& sftpd.log &
      anybody@anyhost% sftpc -d -a myhost 3333
      [then capture the screen output using cut & paste]
      </pre>
<li>The debug log from the Windows client, if the problem only
    shows up there.  Logging is turned off by default in the
    Windows client; see
    <a href="http://safetp.cs.berkeley.edu/safetpc.html">its documentation</a>
    for info on turning it on.
</ul></p>

</body>
</html>
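
The permission requirements stated under "sftpd's files" (<tt>DSA/private.key</tt> and <tt>randomSeed</tt> readable by the sftpd user only) can be audited with a short script. This is an added example, not part of the SafeTP distribution: the function names are hypothetical, the paths follow the <tt>/home/safetp</tt> listing, and the extra check that the key directories are not group- or world-writable goes slightly beyond the text but matches the modes the listing shows.

```shell
#!/bin/sh
# Added example (not from the SafeTP distribution): audit the sftpd secrets.
# Assumed layout, from the listing: <dir>/DSA/private.key and <dir>/randomSeed.
# Only classic mode bits are examined; ACLs and file ownership are not.

# Mode string of a path as printed by ls, e.g. "-rw-------".
mode_of() {
    ls -ld -- "$1" | cut -c1-10
}

# True if group and other have no access at all (mode columns 5-10 are dashes).
owner_only() {
    [ "$(mode_of "$1" | cut -c5-10)" = "------" ]
}

# True if group or other may write to the path (columns 6 and 9 are the w bits).
others_can_write() {
    [ "$(mode_of "$1" | cut -c6,9)" != "--" ]
}

# Report on the two secret files and the directories holding them.
# Returns the number of problems found (0 means the modes match the listing).
check_safetp_secrets() {
    dir=$1
    problems=0
    for f in "$dir/DSA/private.key" "$dir/randomSeed"; do
        if [ ! -f "$f" ]; then
            echo "MISSING   $f"; problems=$((problems + 1))
        elif owner_only "$f"; then
            echo "OK        $f"
        else
            echo "EXPOSED   $f ($(mode_of "$f")), expected -rw-------"
            problems=$((problems + 1))
        fi
    done
    for d in "$dir" "$dir/DSA"; do
        if [ -d "$d" ] && others_can_write "$d"; then
            echo "WRITABLE  $d ($(mode_of "$d")), key files could be replaced"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Run against a directory given on the command line, e.g. /home/safetp.
if [ "$#" -gt 0 ]; then
    check_safetp_secrets "$1"
fi
```

Run it as root or as the <tt>safetp</tt> user so the files can be inspected; the exit status is the number of findings.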
