FTP SSL - ftps
Implement SSL for ftp under Minix.
Tested: Minix 32 bits 2.0.2 and 2.0.4
March 2005 - C.Tantignone
------------------------------------------------------------

NOTE 1: You need to download stunnel to get the server working.
NOTE 2: Yahoo seems to add some random chars to TXT files. Read the file carefully.

FTP Server Setup
----------------

- get stunnel from minix1 or my site

- get the last ftpd (1.01) from the Minix1 site, compile and install it.

- stunnel comes with a special version of tcpd renamed as tcpld.
  It is used to allow only local connections from 127.0.0.1

- create a file /usr/local/stunnel/ftps.conf with the following

    # stunnel configuration file
    cert = /usr/local/stunnel/your-node-certificate.pem
    # Some debugging stuff
    #debug = 7
    debug = 5
    output = /usr/adm/ftps.log
    connect = 127.0.0.1:2121
    # end of ftps.conf

  The file your-node-certificate.pem is the certificate you need to create
  using the CA (Certificate Authority) script supplied with the stunnel tool.

- modify /etc/rc using the following commands as a template

    if [ -f /usr/bin/in.ftpd ]
    then
        echo -n " ftp"
        tcpld 2121 /usr/bin/in.ftpd &
    fi
    if [ -f /usr/local/stunnel/ftps ]
    then
        echo -n " ftps"
        /bin/sh /usr/local/stunnel/ftps
    fi

  The first if/fi starts the standard ftp daemon listening at port 2121 but
  allowing connections only from localhost (forced by tcpld). The second if/fi
  starts the ftp secure daemon using a shell script.

- create the ftps shell script at /usr/local/stunnel/ftps

    #!/bin/sh
    # tcpd ftp
    /usr/local/bin/stunnel /usr/local/stunnel/ftps.conf &
    # end of script

  The script starts the stunnel daemon listening at the ftp port (port 21)
  using the ftps.conf file previously created.

- the ftp over SSL daemon is now working. It ONLY encrypts the control
  connection (over port 21) and NOT the data connection (port 20): the login
  is protected, but directory listings and file contents travel in the clear.
- you can test the server using the free ftp client coreftplite (www.coreftp.com),
  configuring the node definition with SSL Direct and OpenSSL, and DO NOT CHECK
  SSL Listing or SSL transfer

Known Problems for FTP server
-----------------------------

- Under 2.0.2 I had some problems resolving the connection from 127.0.0.1 and you
  must add it to /etc/hosts. The last ftp daemon (1.01) works fine, so it logs
  the IP. The previous version needs to resolve it and fails to work.

- if you need to pass a firewall, only active (not Passive) connections work
  fine. Some problems may happen with firewalls.

- standard ftp clients hang because stunnel needs an answer to the SSL
  negotiation.

FTP Client with SSL
-------------------

- the ftp client is the standard Minix one, only adding calls to the SSL
  negotiation routines

- based on ftp client version 1.01

- only encrypts the control connection (commands, user, password, etc).
  Data connections are clean.

- only active (no passive) connections. Be careful with firewalls that only
  allow passive connections.

- for compilation you need the OpenSSL libraries and the socket library.

- the binary supplied works under Minix 2.0.2 and 2.0.4

- for first time users, there may be problems indicating that the PRNG can not
  be initialized. It needs a seed file at $HOME/.rnd. You can create it as

    $ cat /etc/* > $HOME/.rnd

  This generates a file in the home directory with some bytes. After running
  ftps the .rnd file is usually 1024 bytes.

- if the remote node does not support SSL negotiation first, the connection
  hangs

********************************************************************************************
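As an added example, not part of the original notes or of stunnel, here is a small Python checker for an ftps.conf of the kind shown in the server setup above. It parses stunnel's key = value lines and flags the settings this setup depends on: a cert line, a connect target on 127.0.0.1 (so the plaintext ftpd is reached only through loopback, as tcpld enforces) and a debug level below the commented-out 7. Both sample configs are constructed for the example.

```python
"""Check an stunnel ftps.conf of the kind used in this setup (added example)."""

LOOPBACK = "127.0.0.1"

# Constructed samples: the first mirrors the ftps.conf above, the second is weak.
GOOD_CONF = """\
# stunnel configuration file
cert = /usr/local/stunnel/your-node-certificate.pem
#debug = 7
debug = 5
output = /usr/adm/ftps.log
connect = 127.0.0.1:2121
"""
BAD_CONF = """\
debug = 7
output = /usr/adm/ftps.log
connect = 10.0.0.5:2121
"""

def parse_stunnel_conf(text):
    """Parse 'key = value' lines; '#' starts a comment; later keys win."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        opts[key.strip().lower()] = value.strip()
    return opts

def check_stunnel_conf(text):
    """Return a list of findings; an empty list means the config passes."""
    opts = parse_stunnel_conf(text)
    findings = []
    if "cert" not in opts:
        findings.append("missing 'cert': stunnel has no server certificate to present")
    connect = opts.get("connect", "")
    host = connect.rsplit(":", 1)[0] if ":" in connect else connect
    if host != LOOPBACK:
        findings.append(f"'connect = {connect}' does not point at 127.0.0.1; "
                        "the plaintext ftpd behind tcpld must only be reached via loopback")
    debug = opts.get("debug", "")
    if debug.isdigit() and int(debug) >= 7:
        findings.append("debug = 7 is the most verbose level; the notes leave it commented out and use 5")
    return findings

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_stunnel_conf(conf) or "ok")
```

The checker cannot tell you anything about the data connection: stunnel here wraps port 21 only, so listings and transfers stay in the clear whatever the config says.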