ANNOUNCE: SSL/TLS ftp
This is to announce a unix implementation of ftp with SSL/TLS according
to the "draft-murray-auth-ftp-ssl-05.txt" IETF draft, which describes
the AUTH TLS, PBSZ 0 and PROT P ftp commands. It uses the OpenSSL
toolkit <http://www.openssl.org/>. There are actually two server
implementations and one client:
The first server is based on the ProFTPD ftp server
<http://www.proftpd.net/>. It also has support for SSL/TLS-based user
authentication. Tested on Linux and OpenBSD, test reports on other
systems welcome! Available at:
ftp://ftp.runestig.com/pub/proftpd-tls/
Since not everyone felt comfortable running proftpd on their servers,
there's an alternative. I have made a port of the OpenBSD 2.7 ftpd
server and added the TLS code. For Linux, I have added shadow password
file support, but note that there's no PAM support (yet anyway). Tested
on Linux and OpenBSD, test reports on other systems welcome! Available
at:
ftp://ftp.runestig.com/pub/ftpd-tls/
X509 client authentication
--------------------------
Support for user authentication by client certificate is provided through
the site-specific function int x509_to_user(X509 *peer_cert, char *userid,
int len) in the file x509_to_user.c, and through a .tlslogin file in the
user's home directory.
o tls_userid_from_client_cert() is called and returns a user id or
NULL. tls_userid_from_client_cert() calls the site specific function
x509_to_user().
o If the user name, set by the USER command, equals the user id mapped
from the client cert, the user is logged right in.
o If "USER" differ from the user id mapped from the client cert the
function tls_is_user_valid() is called to check "USER"'s ~/.tlslogin
file. That file, if it exist, contains one or more X509 certificates
in PEM format. If the client cert is present in the file, the user is
logged right in.
o If tls_userid_from_client_cert() can't map a user id from the client
cert, tls_is_user_valid() is called to check "USER"'s ~/.tlslogin
file. If the client cert is present in the file, the user is logged
right in.
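The mapping and ~/.tlslogin decision logic described above, as an added Python example; it is not code from the announced servers (which are C and call the site's own x509_to_user()), and the DER bytes, the site mapping and the .tlslogin contents are constructed stand-ins:

```python
import base64
import re
from typing import Callable, Optional

# Constructed placeholders: these bytes stand in for DER-encoded X.509
# certificates, they are not real certificates.
CERT_ALICE = b"constructed-der-alice"
CERT_MALLORY = b"constructed-der-mallory"

# Hypothetical stand-in for the site-specific x509_to_user(): maps a cert
# to a user id, or None when the site has no mapping for it.
SITE_MAP = {CERT_ALICE: "alice"}

def to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block, 64 characters per line."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_certs(text: str) -> list:
    """Return the DER bytes of every PEM certificate block in text.
    Comparing decoded DER makes the match independent of line wrapping."""
    return [base64.b64decode("".join(m.split())) for m in _PEM_RE.findall(text)]

def cert_in_tlslogin(client_der: bytes, tlslogin: Optional[str]) -> bool:
    """tls_is_user_valid() analogue: is exactly this cert listed in USER's
    ~/.tlslogin?  A missing file (None) never authorizes anyone."""
    return tlslogin is not None and any(c == client_der for c in pem_certs(tlslogin))

def authorize(user: str, client_der: bytes,
              x509_to_user: Callable[[bytes], Optional[str]],
              tlslogin: Optional[str]) -> bool:
    """The three cases from the announcement: mapped id equals USER, mapped
    id differs from USER, or no mapping at all.  The last two both fall back
    to USER's ~/.tlslogin file."""
    mapped = x509_to_user(client_der)
    if mapped is not None and mapped == user:
        return True  # USER equals the cert-mapped id: logged right in
    return cert_in_tlslogin(client_der, tlslogin)

# Constructed ~/.tlslogin for user "bob" that trusts alice's certificate.
BOB_TLSLOGIN = to_pem(CERT_ALICE)
```

Because the check matches the whole certificate rather than its subject name, only the holder of a listed cert's private key can use a .tlslogin entry; a cert with the same name but a different key does not match.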
The client is based on the ftp client code in OpenBSD 2.7
<http://www.openbsd.org/>. Tested on Linux and OpenBSD, test reports on
other systems welcome! Available at:
ftp://ftp.runestig.com/pub/ftp-tls/
Cheers,
Peter
--
Peter "Luna" Runestig (fd. Altberg), Sweden <peter@xxxxxxxxxxxx>
PGP Key ID: 0xD07BBE13
Fingerprint: 7B5C 1F48 2997 C061 DE4B 42EA CB99 A35C D07B BE13
Old Movitz smiles and nods, / but from Charon's dark strait
the slumber of death / in your gaze / soon heralds your final hour.
Carl Michael Bellman, Fredmans epistel nr 34