What the heck is sftp?

sftp is a package developed by Brian Wellington. The project's home
page is http://www.xbill.org/sftp. sftp is meant for people who want to
do secure file transfer. Furthermore, since it runs over an ssh channel,
it can also be used by people who can reach a machine only through an
ssh connection. The sftp package consists of an sftp server that runs on
the host machine and a client program that retrieves the files.

Where is the connection between jftpgw and sftp?

A great disadvantage of the FTP protocol is that it depends on a control
connection (commands and server responses) and a separate data connection
(the real data or directory listings). Even worse, the data connection
does not use a well-known port; instead, a new connection with new port
numbers is established for each data transfer. A lot of firewall experts
have thought about how to secure a firewall on the one hand and allow
users to use FTP on the other hand, but that is a very difficult task.

Now sftp can solve that problem: you use sftp to get the files and
jftpgw to talk to the sftpserv program on the host machine through the
standard FTP commands. That way you get a free choice of the FTP client
and, furthermore, of the OS the client runs on.

What do I need to set up an sftp server and an sftp client?

- jftpgw v0.0.9 or higher on the proxy machine
- ssh on the proxy machine
- An ssh account on the target machine
- Key authorization of ssh so that you can ssh from the proxy
  machine into the target machine without supplying a password
- Static binaries for anonymous sftp support
- A regular FTP program to transfer the files

How to set up jftpgw with sftp support

Okay, now, how to set up a basic configuration: first, compile jftpgw
with the --enable-sftp flag passed to the configure script. Then test
the ssh account. Log in on the proxy machine on which you want to run
jftpgw and ssh to the target machine. You need to be able to ssh, and
you need a password-free account (that means key authorization. There is
a nuisance in the ssh program: it reads the password from /dev/tty and
not from its standard input. If anybody knows how to really read the
password portably, please tell me). To enable key authorization do the
following: on the proxy machine, issue

    cat ~/.ssh/identity.pub

and append the output (by cut and paste, scp, or whatever you prefer) to
the end of ~/.ssh/authorized_keys on the target machine. After that, ssh
from the proxy machine to the target machine should work without you
having to supply a password.

Now configure jftpgw.conf. jftpgw could now go from the proxy machine to
the target machine without a password, but it would break the
user/password concept if you did not have to specify a password to
jftpgw. Therefore look for the ssh-passwd option in the jftpgw.conf
file. There you specify a password for a given user name. The password
is crypt()ed so that you cannot read it by looking at the config file.
You can make jftpgw produce a crypt()ed version of your password with
the command

    jftpgw --encrypt

If you need to set up special options for ssh to get from the proxy
machine to the target machine (like -p <portnumber>), specify them in
jftpgw.conf with the ssh-options option.

Now, on the target machine, you must be running sftpserv. Just compile
jftpgw there and cd into the ./support/sftp-0.9.4/ directory. The
sftpserv program is executed when jftpgw logs in with ssh (it issues an
"ssh targetmachine sftpserv" to execute sftpserv on the target machine).
That is why you must copy it to some binary directory that is in the
$PATH environment variable, or you may change the SFTPSERV_PATH define
in the config.h file of the jftpgw package and recompile.

Now jftpgw is set up; start it and test it. To do so, open an FTP
session to the proxy machine on the port number you specified in the
bindport option and log in with user@targetmachine,s. The ",s" is
necessary for jftpgw to recognize that you do not want normal FTP
(",p" for passive FTP, ",a" for active FTP) but an sftp connection.

That is all the setup I can remember right now :-)
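A small pre-flight script for the procedure above, added here as an example (it is not part of jftpgw): it splits a login name of the form user@targetmachine,s into user, host and mode, and checks the same password-free ssh hop that jftpgw performs, including whether sftpserv is on the target's PATH. The script name and the ssh option values are assumptions.

```shell
#!/bin/sh
# Added example (not part of jftpgw): split a jftpgw login name such as
# user@targetmachine,s into its parts, then check the ssh hop the proxy uses.

# parse_login LOGIN: prints "user host mode" (mode: sftp, passive or active).
# Fails when the "@" or the ",s" / ",p" / ",a" suffix is missing or unknown.
parse_login() {
    case $1 in
        *@*,*) ;;
        *) return 1 ;;
    esac
    user=${1%%@*}
    rest=${1#*@}
    host=${rest%,*}
    suffix=${rest##*,}
    case $suffix in
        s) mode=sftp ;;
        p) mode=passive ;;
        a) mode=active ;;
        *) return 1 ;;
    esac
    [ -n "$user" ] && [ -n "$host" ] || return 1
    printf '%s %s %s\n' "$user" "$host" "$mode"
}

# preflight USER HOST [SSH_OPTIONS...]: the same hop as "ssh host sftpserv",
# with BatchMode=yes so ssh fails instead of prompting on /dev/tty when key
# authorization is missing. SSH_OPTIONS are what you would put in ssh-options.
preflight() {
    user=$1; host=$2; shift 2
    if ! ssh -o BatchMode=yes "$@" "$user@$host" true; then
        echo "password-free ssh to $user@$host does not work" >&2
        return 1
    fi
    # Same non-interactive shell and PATH that "ssh host sftpserv" will get.
    if ! ssh -o BatchMode=yes "$@" "$user@$host" 'command -v sftpserv >/dev/null'; then
        echo "sftpserv is not in PATH on $host for user $user" >&2
        return 1
    fi
    echo "ok: $user@$host reachable without password and sftpserv found"
}

# Usage: sh preflight.sh user@targetmachine,s [ssh options...]
if [ $# -ge 1 ]; then
    parts=$(parse_login "$1") || { echo "bad login name: $1" >&2; exit 1; }
    shift; set -- $parts "$@"        # user host mode [ssh options...]
    u=$1; h=$2; shift 3
    preflight "$u" "$h" "$@"
fi
```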

Is it possible to set up an anonymous account for transferring files with the sftp support?

I wouldn't spend an extra paragraph on this if it weren't! :-)

There is some more to configure, though. The basic idea is to specify a
login shell that only allows ssh to execute "sftpserv". Then sftpserv
gets executed and changes its root directory to the anon-ftp directory.

To get sftpserv to do this it has to be setuid-root. Open sftpserv.c in
the editor of your choice and change the following lines to the values
that fit your configuration (and recompile):

    #define ROOT_DIR "/store/ftp"
    #define IDENTITY_ID 2002
    #define IDENTITY_GID 65534

ROOT_DIR is the directory that becomes the root directory for the
anonymous user; IDENTITY_ID and IDENTITY_GID are the UID and GID values
that sftpserv adopts (please remember to set the file
permissions/ownerships so that the whole permission concept fits).
I have included a special "pseudo-shell" in the support/sftpservsh
directory. It is called sftpservsh and only allows itself to be called
with "-c sftpserv" as parameters. If not, it exits; if so, it replaces
itself with the sftpserv process. You may have to change

    execvp("/usr/local/bin/sftpserv", argv_sftpserv);

in support/sftpservsh/sftpservsh.c to the path where sftpserv is located
on your machine.
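The same restriction written as a POSIX sh script, added here as an example (it is not the sftpservsh.c that ships with jftpgw): the argument check is exact, so anything other than the two arguments "-c sftpserv" ends the session. The sftpserv install path is an assumption.

```shell
#!/bin/sh
# Added example, not the C sftpservsh shipped in support/sftpservsh: a POSIX sh
# version of the pseudo-shell described above. Installed as the anonymous
# user's login shell, it accepts exactly "-c sftpserv" (what sshd passes for
# "ssh target sftpserv") and replaces itself with sftpserv; anything else ends
# the session without running a command.
# Assumed install path of sftpserv; match it to your machine.
SFTPSERV=/usr/local/bin/sftpserv

# allowed_args ARGS...: success only for exactly the two arguments -c sftpserv.
# The count is checked as well, so "-c 'sftpserv; id'", "-c sftpserv extra" and
# an interactive login with no arguments are all refused.
allowed_args() {
    [ $# -eq 2 ] && [ "$1" = "-c" ] && [ "$2" = "sftpserv" ]
}

# Act as the login shell only when invoked under the name sftpservsh; when the
# file is sourced or run under another name, only the function is defined.
case ${0##*/} in
    sftpservsh)
        if allowed_args "$@"; then
            exec "$SFTPSERV"
        fi
        # Reached on refusal; a failed exec already terminates the shell.
        echo "sftpservsh: only \"-c sftpserv\" is permitted" >&2
        exit 1
        ;;
esac
```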
Now there is only one more thing you need: since we changed the root
directory, we do not have access to shared libraries. jftpgw internally
calls three programs, namely bash (or sh), grep and ls. I have included
them in a tar.gz archive of static binaries. I only had an old RedHat
5.1 CD at hand when I did the static compilation, so the versions are
quite old, but they work:

    mcknight:~> ./bash -version
    GNU bash, version 1.14.7(1)
    mcknight:~> ./ls --version
    ls (GNU fileutils) 4.0
    mcknight:~> ./grep -V
    GNU grep version 2.0

Of course you can also compile them yourself (don't forget to add a
symbolic link named "sh" to "bash"); please tell me if you have newer
versions then :-)

Create a bin/ directory inside the ROOT_DIR directory and put the
binaries there.

That is all the setup I can remember right now :-)