Re: [cobalt-users] SafeTP RAQ installation
- Subject: Re: [cobalt-users] SafeTP RAQ installation
- From: Kul <WebMaster@xxxxxxx>
- Date: Tue Apr 10 16:08:02 2001
- Organization: Qax
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
We have tested/installed on 2 x Raq3's, any takers for other cobalt boxes ?
Steve Bassi and I have been having some good fun with this all night, and it's now fully working, and we have only a couple of amendments to make.
I recommend you follow this version and not the previous post, as we have discovered an extra thingy to add to this to get it to DENY access to normal FTP, making FTP secure and ONLY secure, which is what we want! (No more plain-text passwords through FTP.) You can even tell your customers that they can encrypt the actual DATA that is sent too! Very cool......
**********
* SafeTP *
**********
SafeTP is a security application for Windows and UNIX users who use FTP (File Transfer Protocol) to connect to their accounts on UNIX or NT/2000 FTP servers. The traditional FTP protocol is highly insecure: it sends passwords in the clear. For this reason FTP has been recognized as one of the largest remaining security liabilities in most UNIX systems.
The key advantage of SafeTP is transparency. When SafeTP is installed, any ordinary Windows FTP client automatically becomes a Secure FTP client, without any further user intervention. SafeTP intercepts outgoing FTP network connections, and encrypts the traffic before relaying it to the network.
SafeTP operates by installing a transparent proxy in the Windows networking stack which detects outgoing FTP connections from any Windows FTP client, and silently secures them using modern cryptographic techniques (the server must also support SafeTP in order for a secure connection to be successfully established). SafeTP is 100% compatible with existing (insecure) FTP servers, and will operate in an insecure mode if the server does not yet support the SafeTP protocol. One key feature of the SafeTP client proxy is that it was designed to be completely transparent to the client FTP application. This way, users can reap the benefits of FTP security, while continuing to use their existing FTP software.
You have to fill in a form at Berkeley
http://www.cs.berkeley.edu/~bonachea/safetp/form.html from here they email
you a link to download the programme.
Once you have the link, which looks something like this
http://re.cs.berkeley.edu:xxxx/xxxxxxxx-sftpd.tar.gz
(I haven't put the actual URL 'cos Berkeley asked me not to.) wget the link from your /home/sites/home/users/admin directory.
cd /home/sites/home/users/admin
wget "the link you get in your email !"
Be careful here, as they ONLY allow you to download it ONCE !!!
Now become root.
su
(password)
adduser safetp
tar -xvzf sftpd.tar.gz
cd sftpd-1.46
./configure
make
make check
sc/install.pl #this runs the following install script
Are you ready to begin? [y]
> (hit return for above default entry)
What is the name of the user that sftpd should run as? [safetp]
> (hit return here unless the user name you used above is different)
Your DSA public key will include a descriptive name, called its
"brand", that users will see when they connect to your server.
This string should be something users will recognize. What brand
would you like? [SafeTP at www.Yourdomain.com]
> (hit return if the default is ok or add your own entry)
- it should detect the domain correctly and automatically
Where are the SafeTP binaries, such as 'sftpd',
located now? [.]
> /home/sites/home/users/admin/sftpd-1.46
(again change this if you installed in a different directory)
Where should the SafeTP binaries be placed for ongoing use? Since
many network file system protocols, such as NFS, are insecure, this
should be on the local machine which will run the SafeTP daemon.
[/home/safetp]
> (hit return for above default entry)
For user convenience, I can put symlinks to the SafeTP binaries in some
conventional place. Where should I put these symlinks?
[/usr/local/bin]
> (hit return for above default entry)
Where should I put the DSA server keys? It is imperative that the
directory specified here be on the local machine, because if the
server keys are sniffed then SafeTP is compromised. (Note also that
you need to think carefully about how/whether these keys are part
of any automatic backup procedures.)
[/home/safetp]
> (hit return for above default entry)
To which port should I move the existing FTP daemon? Since SafeTP uses
this daemon, you can't just remove it entirely. [351]
> (hit return for above default entry)
Which port should SafeTP listen to? Normally you should make SafeTP
listen to port 21, the default FTP port. However, if for some reason
you want it to listen to a different port, 353 is the recommended
alternative. [21]
> (hit return for above default entry)
Do you want SafeTP to accept unencrypted connections as well as
encrypted connections? It makes the transition path easier for
users but also eliminates the forcing function for them to switch
to using SafeTP. Accept unencrypted? [n]
> (hit return for above default entry)
The current argument string to sftpd is:
sftpd -f351 -s -y/home/safetp -9
You can enter additional arguments here if you want:
> (hit return for above default entry)
After installing, do a full (interactive) test? [y]
> (hit return for above default entry)
After install, should I add a blurb to /etc/motd telling users
that SafeTP is installed? [y]
> (hit return for above default entry)
When I modify system files, I will tag the modifications with the name
of the admin responsible. What tag should I use?
> (enter whatever you like here - I put stevebassi)
The next prompt is:
Instructions: I'm about to start sftpc so you can test it.
You need to give four responses:
username: any valid user name on this system
password: the corresponding password
sftpc> test (at first sftpc prompt)
sftpc> quit (at second sftpc prompt)
When ready, hit Enter:
> (hit enter to continue)
User name (Enter = safetp)? admin
331 Password required for admin.
Password:
sftpc> test
there will be a lot of activity here - wait for it to finish
have a beer and a fag or two, walk the dog.....
sftpc> quit
full test: SUCCESS!
And that is all there is to the main part of the installation.
Our New Bit:
===========
If you would like to completely disable FTP from being accessed insecurely (you should have already chosen that above), you will need a couple or three minor alterations to some files (it's easy):
pico -w /etc/inetd.conf
Scroll down to this, and check this line is commented out: (obviously yours will be slightly different to mine)
# These are standard services.
#
# (removed by SafeTP install 04/11/01 Kul) ftp stream tcp nowait root /usr/sbin/tcpd in.proftpd
then scroll to the very bottom, and check you have this, if not, change it to be EXACTLY this: (excluding the date and my name)
#
# added by SafeTP install 04/11/01 Kul
#
raw-ftp stream tcp nowait root /usr/sbin/tcpd in.proftpd
safetp stream tcp nowait safetp /home/safetp/sftpd sftpd -f351 -s -y/home/safetp -9
Now you need to edit this file:
pico -w /etc/hosts.deny
and add this to the bottom:
in.proftpd : ALL
Now you need to edit this file:
pico -w /etc/hosts.allow
and add this to the bottom: (replace nnn.nnn.nnn.nnn with your Raq's IP)
in.proftpd : nnn.nnn.nnn.nnn, 127.0.0.1
Now that you have finished all your editing, you need inetd to be reloaded, which can be achieved by running this command:
kill -HUP `cat /var/run/inetd.pid`
Or if you really want, you can restart your server, but it's not necessary.
If you do restart your server, all these alterations we have made will remain, and everything will continue to function (well ours did <g>)
Ohhh, and in your GUI, you will notice that FTP is now switched OFF, and you can no longer switch it ON; this is how it's supposed to be!
For your PC or your customers' PC FTP client to work, you will need to download the following and install it on your PC, if you use Windows.
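The inetd.conf / hosts.allow / hosts.deny edits above only lock raw FTP down if all three pieces agree: the plain ftp line is gone, sftpd fronts the ftp port, and tcp_wrappers lets in.proftpd answer only the box itself. This is an added checker, not part of the original post or of SafeTP; it models tcp_wrappers' allow-then-deny order in a simplified form (only ALL and exact-address client patterns), and 192.0.2.10 / 198.51.100.7 are constructed stand-ins for the Raq's IP and an outside client.

```python
import os

# Constructed sample config text, mirroring the post (192.0.2.10 stands in for the Raq's own IP).
INETD_CONF = """\
# (removed by SafeTP install 04/11/01 Kul) ftp stream tcp nowait root /usr/sbin/tcpd in.proftpd
raw-ftp stream tcp nowait root /usr/sbin/tcpd in.proftpd
safetp stream tcp nowait safetp /home/safetp/sftpd sftpd -f351 -s -y/home/safetp -9
"""
HOSTS_ALLOW = "in.proftpd : 192.0.2.10, 127.0.0.1\n"
HOSTS_DENY = "in.proftpd : ALL\n"

def active_services(inetd_conf):
    """Map service name -> daemon name for the uncommented inetd.conf lines."""
    services = {}
    for line in inetd_conf.splitlines():
        f = line.split()
        if len(f) < 7 or f[0].startswith("#"):
            continue
        # fields: service type proto flags user server args...; behind tcpd the
        # real daemon is the first argument, otherwise it is the server itself
        services[f[0]] = f[6] if f[5].endswith("tcpd") else os.path.basename(f[5])
    return services

def _matches(rules, daemon, client_ip):
    """Simplified tcp_wrappers rule match: 'daemon_list : client_list' per line."""
    for rule in rules.splitlines():
        if ":" not in rule or rule.lstrip().startswith("#"):
            continue
        daemons, clients = (p.strip() for p in rule.split(":", 1))
        if daemons != "ALL" and daemon not in [d.strip() for d in daemons.split(",")]:
            continue
        if any(c.strip() in ("ALL", client_ip) for c in clients.split(",")):
            return True
    return False

def wrappers_allow(daemon, client_ip, hosts_allow, hosts_deny):
    """tcp_wrappers order: a hosts.allow match wins, then hosts.deny, else permit."""
    if _matches(hosts_allow, daemon, client_ip):
        return True
    return not _matches(hosts_deny, daemon, client_ip)

def lockdown_ok(inetd_conf, hosts_allow, hosts_deny, own_ip, outsider_ip="198.51.100.7"):
    """True only if plain FTP is gone, sftpd fronts port 21 and raw FTP is local-only."""
    svc = active_services(inetd_conf)
    return (
        "ftp" not in svc                        # old port-21 line is commented out
        and svc.get("safetp") == "sftpd"        # SafeTP answers on the ftp port
        and svc.get("raw-ftp") == "in.proftpd"  # real daemon moved behind it
        and wrappers_allow("in.proftpd", "127.0.0.1", hosts_allow, hosts_deny)
        and wrappers_allow("in.proftpd", own_ip, hosts_allow, hosts_deny)
        and not wrappers_allow("in.proftpd", outsider_ip, hosts_allow, hosts_deny)
    )
```

Point it at the real files with open("/etc/inetd.conf").read() and friends; an empty hosts.deny makes the last check fail, which is exactly the gap the post's "in.proftpd : ALL" line closes.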
http://www.cs.berkeley.edu/~smcpeak/SafeTP/safetpc.html
Sorry there is currently no MAC client.
I suggest you read up all there is at
http://www.cs.berkeley.edu/~smcpeak/SafeTP/index.html
as there are also some add-on patches that some of you may find useful.
I have tried it on my system and it really seems to work well.
Best Regards
Steve Bassi
And I have tried it on mine, and it works even better with the new additions.....
Kul
SteveBassi & a little help from Kul