
📄 sftpd.todo.txt

📁 SFTP secure file transfer protocol, developed at Berkeley
TODO list for sftpd
-------------------
 - implement 959-compat-mode relay to circumvent problems with
   control channel IP different from data channel IP; include
   handling of -i for this mode
 - both sftpc and sftpd: do a review of all xasserts to see which ones
   might be caused by protocol-stream or user interaction (as opposed
   to 'impossible' conditions)
 - improve the way makekeys chooses where to put server keys.  had the
   problem where the install script put them into /home/safetp but
   calling makekeys interactively puts them into /tmp/safetp (and hence
   they are not used)
 - look at SSL ftp apps (e.g. ftp://ftp.psy.uq.oz.au/pub/Crypto/SSLapps/)
   and see if SafeTP can dispatch SSL connections to them
 - better logging, in particular to correlate IP and file transfer
 - when activating kerberos, kill ftpd first
 - kerberos same as anon exec?  i.e., no patch necessary?
 - access restrictions by ip and username?  esp. for nt...
 - HUP to reopen log file
 - actual configuration file instead of endless cmdline options..
 - misc/testinstall doesn't work on OSF because of chown thing
 - install script: check that binary dest is a dir
 - accept commented-out ftp line?
 - xinetd..
 - something like -c but for integrity-only .. ?

Can't reproduce / need more info
--------------------------------
 ? figure out why removeNBO32 sign-extends its result...
   - it causes blokutil to report a failure..
   ?: on what system?
 ? add note about Kerberos if the -K flag is specified
   ?: add note to what?
 ? look at "const" for
           char const *argString = argv[a] + 2;
   in SFTPD::innerRun (apparently is a problem on Solaris)
   ?: where is problem? atoi? fopen?

Untested
--------
 * datablok shouldn't print 64 bits for crc32 on 64 bit machine
   done: added something that should do it, but isn't tested

Decided not to do
-----------------
 x support ccc and investigate whether this improves firewall issues;
   talk to Dan about client-side support
   no: we implemented something else

Finished
--------
 - install script should just check for root always, rather than
   it being a state
 - auto-configure.. basic tasks:
   - link Makefile. to one of the platform-specific makefiles
   - find gmp, or tell user to make it, and create symlink if necessary
   - setup install.pl to point to where the binaries will be built
 - fix the test (dsa?) that spews so much garbage.. only spew when
   something is wrong!
 - add note to not include ~safetp in backups, unless they don't go over
   network (insecurely) and the backup tapes are themselves secure
 - add new URL to 220 message
 - install.txt error: 'test', 'ptests', 'ptest'
 - install.pl: problem with brace expansion and process identification on
   solaris (with /bin/ps instead of /usr/ucb/ps).
 - update trouble.txt, and maybe write as HTML; add my email to remind
   people!
 - options for forcing sftpd to report its IP as something different (for
   when it's behind a masquerading firewall), and for contacting ftpd
   on a specified IP (mainly for using 127.0.0.1 if people want to and
   ftpd is ok with it)
 - (clients too) support for integrity-only data transfers
 - switch for forwarding to localhost; or, more general forwarding option
   (including remote)
 - make veryclean should delete testconfig/
 - update docs to mention that by default 959 is not allowed
 - have an option to require most connections encrypted, but anon ftp
   unencrypted
 - mention in install docs how to secure ftpd from nonlocal access
 - switch to GMP 3.x since it's faster
 - near-EOF connection-reset bug?!
   cause: ftpd times out its control connection *during* a data transfer.
   It doesn't realize it's timed-out until it closes the data channel after
   sending the last byte, then immediately closes the control channel.
   However, since sftpd is busy encrypting and sending the data, it doesn't
   check the sockets until they're both closed (though file data is still
   waiting in the OS buffer between ftpd and sftpd).  When it goes back to
   select(), it sees the closed control channel, and immediately exits,
   losing the remainder of the data.
 - install program should not replace existing server keys
   (and uninstall should probably not delete them)
 - kerberos passthru when GSSAPI detected
   feasible??
 - check for keys on startup
 - lots of fixes to install.pl on Solaris from <darkgrue@iname.com>,
   including brace and ps stuff
 - ability to force data encryption at server
 - fix trans.cpp so it stops after first error
 - when client requests nonexistent file (at least on hp-ux), we get a
   spurious "510 recv: Connection reset by peer"; there's some kind of
   race condition, because now I can't reproduce it... (much (a year)
   later) found the problem: after a failed e.g. RETR, the data-channel
   sockets are still connected, and on the next command the client tries
   to open a new conn (which works though leaks sockets) and server tries
   to close old conns (which causes the error), and they race
 - support FreeBSD
 - open -o log file in append mode
 - ability to bind restricted set of ports for PASV
 * initial configure test for linking with gmp, where -lgmp is
   considered as a way instead of libgmp.a
   done: and -lgmp is already tried..
 * detect when reading /dev/random hangs b/c of misconfiguration
 * detect potential infinite loop if contact port == relay port
 * make sure that "make check" in a clean dist will work the same
   as "make && make check"
 * legal notices re GMP.. ?  disclaimers.. :(  export.. :( :(
 * firewall data channel
   - let firewall see port command
     - response to unencrypted could be a fake ok after negotiation
     - resp to unenc PASV is same port, unenc
       - maybe only allow fire-wall friendly for active
 * add ln -s stuff for Solaris?
   done: taken care of with a ./configure message
 * configure script should test a small GMP program to
   make sure we've got *something* that works
 * ./configure: detect need for -fhandle-exceptions
 * global rename of LITTLE/BIG_ENDIAN
 * add warning about killall to install.txt
 * edit the man page for sftpd, change description of install script
 * switch for binding port 20 locally for outgoing data conns?
   done: -R does it a little more generally
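
Added example (not SafeTP source and not part of the original TODO file): the near-EOF connection-reset entry under Finished describes sftpd returning to select(), seeing the closed control channel and exiting while file data is still buffered. The constructed relay below reproduces that with socketpairs and contrasts it with draining the data channel first; relay(), simulate() and drain_first are hypothetical names, and the drain-first behaviour is an assumed fix, not necessarily the one the project made.

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed relay loop (not SafeTP source). Returns bytes read from data_fd.
 * drain_first == 0: exit as soon as the control channel reports EOF.
 * drain_first == 1: note the control EOF, keep reading data until its EOF. */
static long relay(int ctrl_fd, int data_fd, int drain_first)
{
    char buf[256];
    long total = 0;
    int ctrl_open = 1;
    for (;;) {
        fd_set rd;
        FD_ZERO(&rd);
        FD_SET(data_fd, &rd);
        if (ctrl_open) FD_SET(ctrl_fd, &rd);
        int maxfd = data_fd > ctrl_fd ? data_fd : ctrl_fd;
        if (select(maxfd + 1, &rd, NULL, NULL, NULL) < 0) return -1;
        if (ctrl_open && FD_ISSET(ctrl_fd, &rd) &&
            read(ctrl_fd, buf, sizeof buf) <= 0) {
            if (!drain_first) return total;  /* buffered file data is lost */
            ctrl_open = 0;
        }
        if (FD_ISSET(data_fd, &rd)) {
            ssize_t n = read(data_fd, buf, sizeof buf);
            if (n <= 0) return n < 0 ? -1 : total;  /* data EOF: done */
            total += n;  /* a real relay would encrypt and forward buf here */
        }
    }
}

/* Constructed scenario: the peer standing in for ftpd queues len bytes, then
 * closes data and control before the relay returns to select(). */
long simulate(int drain_first, size_t len)
{
    int ctrl[2], data[2];
    char payload[1024] = {0};
    if (len > sizeof payload) return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, ctrl) < 0) return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, data) < 0) return -1;
    if (write(data[1], payload, len) != (ssize_t)len) return -1;
    close(data[1]); close(ctrl[1]);
    long got = relay(ctrl[0], data[0], drain_first);
    close(ctrl[0]); close(data[0]);
    return got;
}
```

With 1000 queued bytes, simulate(0, 1000) relays nothing because the control EOF is acted on first, while simulate(1, 1000) relays all 1000 bytes before returning.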
