Subject: TLS/SSL encryption for ftpd(8)
To: None <tech-net@netbsd.org>
From: Tomas Svensson <tsn@gbdev.net>
List: tech-net
Date: 03/11/2002 02:48:23
I decided to add support for "Secure FTP using TLS" to NetBSD's
ftpd(8). To avoid confusion: this is _NOT_ SFTP, SCP, SAFETP, SRP nor
FTPS. I think the implementation is quite complete (but there can
of course be a lot of things added, like more fine grained policy
rules and support for systems without /dev/urandom).

It supports what is now considered to be the proper way of doing
TLS/SSL over FTP: Connect to port 21 and use "AUTH TLS" or "AUTH
TLS-C" to ask for TLS/SSL negotiation without implicitly protecting
the data connection (this is achieved with the "PROT P" command). It
also supports "AUTH SSL" to work with legacy implementations which
implies protected data connections (for example WS_FTP).
"FTPS" (connect to port 990 and immediately try to establish a
TLS/SSL connection) is not supported as this is now considered bad.

It works fine with all clients I've tested it with so far, which are:

NetBSD ftp(1)       (*)
NcFTP 3.1.2         (*)
Windows Commander 5 (*)
CuteFTP Pro 2.0
WS_FTP Pro 7.04
(* = using my client wrapper that enables any client to use TLS/SSL)

The fastest transfer speed I got was 3.1 megabytes/sec (NetBSD
ftp+wrapper, RC4-128bit-SHA), but this was on my K6-2 500 MHz and
using a self-made UTP cable as the network so I'm sure it can be faster
in other environments. The slowest client was WS_FTP, with which I
could barely get 250 kilobytes/sec (using 168 bit 3DES).

New or changed options for ftpd(8):

-k      Enable the ``Secure FTP over TLS'' security mechanism.

-K pemfile
        Define the RSA pem file to be used by the server when using the
        TLS security mechanism. This file must contain both a certificate
        and a private key. Defaults to /etc/ftpd.pem.

-m cipherlist
        Specify the list of allowed TLS ciphers. Defaults to ``ALL''.

-s      Require a secure authentication mechanism like Kerberos, S/Key or
        TLS to be used.

The current version of the patch can be found at:

http://simba.unix1.net/netbsd/ftpd-tls.diff
        
Quick Installation:

cd /usr/src/libexec/ftpd ; patch </path/to/ftpd-tls.diff ; make ; \
make install

then get the sample OpenSSL config file from
http://simba.unix1.net/netbsd/ftpd.cnf and make a certificate and a
key with:

openssl req -new -x509 -days 365 -nodes -config ftpd.cnf -out \
ftpd.pem -keyout ftpd.pem

and:

mv ftpd.pem /etc; chmod 600 /etc/ftpd.pem

then add 'k' to the list of ftpd arguments in inetd.conf and restart
inetd.

-Tomas
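The explicit "AUTH TLS" exchange described in the message above (connect to port 21, ask for TLS on the control channel, then "PBSZ 0" and "PROT P" to protect the data connection), written out as a small client-side state machine. This is an added example; it is not Tomas's ftpd(8) patch nor his client wrapper, and the server reply strings, host names and the `run_scripted` harness are constructed for an offline demonstration. The client refuses to go on in the clear when the server does not answer 234, which is the client-side counterpart of the server's -s option.

```python
"""Client side of explicit FTP over TLS ("AUTH TLS" on port 21).

Added example; not part of the ftpd(8) patch or its client wrapper.
Server reply strings below are constructed for the offline demonstration.
"""
import io
import socket
import ssl


class FtpTlsError(Exception):
    """Server refused TLS or answered outside the expected protocol."""


def read_reply(rfile):
    """Read one FTP reply (RFC 959, multi-line aware); return (code, text).

    A multi-line reply opens with "NNN-" and ends at a line opening with
    "NNN " (same code followed by a space).
    """
    first = rfile.readline().decode("ascii", "replace").rstrip("\r\n")
    if len(first) < 3 or not first[:3].isdigit():
        raise FtpTlsError("malformed or missing reply: %r" % first)
    code = first[:3]
    lines = [first]
    if first[3:4] == "-":
        while not lines[-1].startswith(code + " "):
            line = rfile.readline()
            if not line:
                raise FtpTlsError("connection closed inside multi-line reply")
            lines.append(line.decode("ascii", "replace").rstrip("\r\n"))
    return int(code), "\n".join(lines)


def send_expect(rfile, wfile, cmd, want):
    """Send one command and require the reply code `want`."""
    wfile.write((cmd + "\r\n").encode("ascii"))
    wfile.flush()
    code, text = read_reply(rfile)
    if code != want:
        raise FtpTlsError("%s: expected %d, got %s" % (cmd, want, text))
    return code


def negotiate_explicit_tls(rfile, wfile, upgrade):
    """Drive AUTH TLS, PBSZ 0 and PROT P; never fall back to cleartext.

    `upgrade(rfile, wfile)` runs right after the 234 reply and returns the
    (rfile, wfile) pair of the now-encrypted control channel.  Returns the
    list of (command, reply code) steps completed; raises before any
    credential could be sent if the server will not do TLS.
    """
    code, banner = read_reply(rfile)
    if code != 220:
        raise FtpTlsError("unexpected greeting: " + banner)
    steps = [("AUTH TLS", send_expect(rfile, wfile, "AUTH TLS", 234))]
    rfile, wfile = upgrade(rfile, wfile)   # TLS handshake happens in here
    # AUTH TLS alone leaves data connections in the clear: PBSZ 0 is
    # required before PROT, and PROT P asks for protected data channels.
    steps.append(("PBSZ 0", send_expect(rfile, wfile, "PBSZ 0", 200)))
    steps.append(("PROT P", send_expect(rfile, wfile, "PROT P", 200)))
    return steps


def connect_explicit_tls(host, port=21, cafile=None):
    """Real network use: TCP to port 21, then the negotiation above.

    Pre-TLS file objects are unbuffered so no bytes are read ahead and
    lost when the socket is wrapped.  The certificate and host name are
    verified against `cafile` (or the system store when None).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    sock = socket.create_connection((host, port), timeout=30)

    def upgrade(_rfile, _wfile):
        tls = ctx.wrap_socket(sock, server_hostname=host)
        return tls.makefile("rb"), tls.makefile("wb")

    return negotiate_explicit_tls(sock.makefile("rb", buffering=0),
                                  sock.makefile("wb", buffering=0), upgrade)


# Constructed server transcripts for the offline demonstration.
TLS_SERVER = (b"220-ftp.example.test FTP server ready.\r\n"
              b"220 Use AUTH TLS before logging in.\r\n"
              b"234 AUTH TLS successful.\r\n"
              b"200 PBSZ 0 successful.\r\n"
              b"200 Protection level set to P.\r\n")
LEGACY_SERVER = (b"220 legacy FTP server ready.\r\n"
                 b"502 Command not implemented.\r\n")


def run_scripted(server_replies):
    """Offline harness: scripted replies in, captured client bytes out.

    Returns (steps, error, sent); the "upgrade" is a no-op because no
    TLS handshake is possible against a byte string.
    """
    rfile, wfile = io.BytesIO(server_replies), io.BytesIO()
    try:
        steps = negotiate_explicit_tls(rfile, wfile, lambda r, w: (r, w))
        return steps, None, wfile.getvalue()
    except FtpTlsError as exc:
        return None, str(exc), wfile.getvalue()


if __name__ == "__main__":
    for name, script in (("TLS-capable", TLS_SERVER), ("legacy", LEGACY_SERVER)):
        steps, error, sent = run_scripted(script)
        print(name, "->", steps if error is None else "refused: " + error)
```

Against the legacy transcript the client sends nothing but "AUTH TLS" and stops, so no USER/PASS ever crosses the wire unencrypted; this is the behaviour to check for in any client or wrapper before pointing it at a -s server.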