DaemonForums  

  #1   (View Single Post)  
Old 19th March 2021
jonsec jonsec is offline
Fdisk Soldier
 
Join Date: Jul 2019
Posts: 71
How can I install the FTP server in OpenBSD?

I want to install an FTP server (ftpd) on my OpenBSD server (with pf).
I didn't find any easy document for this.

So how can I correctly install and configure (secure) ftpd on my server?
Do you have any reference?
Reply With Quote
  #2   (View Single Post)  
Old 19th March 2021
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

  • There is an ftpd(8) man page.
  • The ftpd(8) daemon can be provisioned, started, or stopped with rcctl(8).
  • There is a chapter in the FAQ specific to the limitations, special considerations, and PF configuration issues concerning ftpd(8). See http://www.openbsd.org/faq/pf/ftp.html
Reply With Quote
  #3   (View Single Post)  
Old 19th March 2021
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128
Default

What kind of services does the ftp server have to provide?

If the main purpose is to allow the public to download files, and not upload them, you will be better off by configuring the httpd(8) webserver to serve them.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 20th March 2021 at 01:12 AM.
Reply With Quote
  #4   (View Single Post)  
Old 20th March 2021
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

jonsec has already deployed httpd(8) and sftp(1) services (e.g.: here and here). My guess is this is a different use-case.
Reply With Quote
  #5   (View Single Post)  
Old 22nd March 2021
jonsec jonsec is offline
Fdisk Soldier
 
Join Date: Jul 2019
Posts: 71
Default

Thanks all.

I want to move some important files to my OpenBSD server.
I am currently using sftp, but it seems sftp is slow and I want to use ftp.

Note: my files are encrypted (so a safe tunnel is not important).

Do you have a solution for better speed?
Reply With Quote
  #6   (View Single Post)  
Old 22nd March 2021
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

In situations where I am unable to use sftp(1) for file transfer, I usually use nc(1).
Quote:
Originally Posted by jonsec View Post
...so a safe tunnel is not important...
You may not realize that with FTP, the userid and password are transmitted in plaintext. So, if you must deploy FTP, please give consideration to using the skey(1) one-time-password authentication method to mitigate this security risk.
Reply With Quote
  #7   (View Single Post)  
Old 23rd March 2021
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128
Default

You could try rsync. OpenBSD has its own version called openrsync(1).
Reply With Quote
  #8   (View Single Post)  
Old 23rd March 2021
jonsec jonsec is offline
Fdisk Soldier
 
Join Date: Jul 2019
Posts: 71
Default

Quote:
You may not realize that with FTP, the userid and password are transmitted in plaintext
Yes, it's not safe.

Quote:
You could try rsync. OpenBSD has its own version called openrsync(1).
No, because the source file must be removed after sending.

So my idea for better security and more speed:
- file encryption
- use the HTTP protocol and PHP (httpd)
- use concurrent uploads ()
- whitelist for port 80
Reply With Quote
  #9   (View Single Post)  
Old 23rd March 2021
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Are you planning to use HTTP Realm Authentication? If so, HTTP has the same plaintext userid/password security issue that FTP has. You could use HTTPS for session privacy, but TLS requires the same sort of cryptographic performance overhead that sftp(1) has, with the additional provisioning complication of X.509 certificates. Though ... if you do use HTTPS/TLS for session privacy you could use client certificates as client authentication, and eliminate the use of Realm Authentication entirely.
Reply With Quote
Old 23rd March 2021
TronDD TronDD is offline
Spam Deminer
 
Join Date: Sep 2014
Posts: 304
Default

Quote:
Originally Posted by jonsec View Post
no. because the source file must be removed after sending.
What do you mean? Delete the files after sending like you'd have to for any of the other methods being discussed.
Reply With Quote
Old 24th March 2021
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128
Default

Considering that your files already are encrypted, you could still use ftpd, but then with S/Key, a "one-time password" authentication system. See the example for ftp at https://www.openbsd.org/faq/faq10.html#SKey
Reply With Quote
Old 24th March 2021
jonsec jonsec is offline
Fdisk Soldier
 
Join Date: Jul 2019
Posts: 71
Default

Quote:
Originally Posted by jggimi View Post
Are you planning to use HTTP Realm Authentication? If so, HTTP has the same plaintext userid/password security issue that FTP has. You could use HTTPS for session privacy, but TLS requires the same sort of cryptographic performance overhead that sftp(1) has, with the additional provisioning complication of X.509 certificates. Though ... if you do use HTTPS/TLS for session privacy you could use client certificates as client authentication, and eliminate the use of Realm Authentication entirely.
Quote:
Originally Posted by J65nko View Post
Considering that your files already are encrypted, you could still use ftpd, but then with S/Key, a "one-time password" authentication system. See the example for ftp at https://www.openbsd.org/faq/faq10.html#SKey

No HTTP Realm Authentication, but something like that.

Yes, HTTP is not safe, like FTP, but a simple algorithm can be used. Before I explain this algorithm, keep in mind that pf exists and the source IP is in the whitelist of the destination server.
Algorithm:
The date and time of both servers are the same (Year/Month/Day H:M),
so we can create an algorithm like:
From the client:
$key = md5('Secret Key' . date('YmdHi') . filesize($file));

From the server:
$key = md5('Secret Key' . date('YmdHi') . filesize($uploaded_file));

This is a type of one-time password.

Quote:
Originally Posted by TronDD View Post
What do you mean? Delete the files after sending like you'd have to for any of the other methods being discussed.
Yes. For example: backup server.

Can we implement concurrency in ftp? Yes (multiple connections).
Can we implement a one-time password in ftp? Yes (S/Key).

So "Web Server + PHP" vs FTP?

I think if you want to implement a more complex infrastructure, you can use "Web Server + PHP".

ftp uses two ports and "user authentication". I don't feel good.

I think in the new world, humans should run "ftp+".
Reply With Quote
Old 24th March 2021
IdOp IdOp is offline
Too dumb for a smartphone
 
Join Date: May 2008
Location: twisting on the daemon's fork(2)
Posts: 1,027
Default

In post #6 jggimi suggested nc(1), aka "netcat". Have you considered this? I've used it to move large files around my LAN and it's very fast. You have to set up a receiving process on the target machine, but this can be done via ssh login, so that part is secure. If your file is encrypted, then wouldn't that cover all bases?
Reply With Quote
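The nc(1) transfer described in the post above, combined with the "remove the source after sending" requirement raised earlier in the thread, as an added example that is not part of the original posts. The nc stream itself is neither authenticated nor integrity-protected, so the sketch fetches the receiver's SHA-256 over ssh and deletes the source only on a match. Host, port, paths and function names are placeholders, and the receiver is assumed to be OpenBSD (nc -l, sha256 -q).

```shell
#!/bin/sh
# Added example: plaintext nc(1) transfer, digest check over ssh, then delete.
# Host, port and paths are placeholders; function names are hypothetical.

# Print a file's SHA-256 as bare hex (sha256(1) on OpenBSD, sha256sum elsewhere).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Delete the source only if the receiver's digest matches the local one.
# $1 = local file, $2 = digest reported by the receiving host
remove_if_verified() {
    local_sum=$(sha256_of "$1") || return 2
    if [ -n "$2" ] && [ "$local_sum" = "$2" ]; then
        rm -- "$1"
    else
        echo "digest mismatch for $1, source kept" >&2
        return 1
    fi
}

# $1 = file, $2 = receiving host, $3 = port, $4 = destination path
# (the destination path must not contain single quotes)
send_and_remove() {
    # The listener is started through the ssh login, as the post describes.
    ssh -n "$2" "nc -l $3 > '$4'" &
    listener=$!
    sleep 1                                  # let the remote nc bind first
    if ! nc -N "$2" "$3" < "$1"; then        # -N: close the socket at EOF
        kill "$listener" 2>/dev/null
        return 2
    fi
    wait "$listener"
    # The nc stream is unauthenticated, so ask for the digest over ssh.
    remote_sum=$(ssh -n "$2" "sha256 -q '$4'") || return 2
    remove_if_verified "$1" "$remote_sum"
}

# Usage: send_and_remove backup.tar.enc server.example.org 5000 /backup/backup.tar.enc
```

A truncated transfer, or data injected by whoever reached the listening port first, shows up as a digest mismatch and the source file stays in place.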
Old 24th March 2021
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128
Default

Quote:
Originally Posted by J65nko View Post
Considering that your files already are encrypted, you could still use ftpd, but then with S/Key, a "one-time password" authentication system. See the example for ftp at https://www.openbsd.org/faq/faq10.html#SKey
You can make it safer by:
  • Only start the ftp daemon when you want to upload files, and stop the ftp daemon when you are done.
  • Use a pf rule to only allow you to use the ftp daemon.
    That means:
    • Only accept a port 21 (ftp command channel) connection from your IP address
    • Only accept ftp data channel connections from your IP address. The port range is defined in the following sysctl settings
      Code:
      net.inet.ip.porthifirst=49152
      net.inet.ip.porthilast=65535
Reply With Quote
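One way to script the two points in the post above (run ftpd only during an upload, and admit only one address to the control port and the passive-mode data ports), as an added example that is not J65nko's own code. It assumes pf.conf blocks inbound traffic by default and already contains `anchor "ftp_upload"`; the anchor name, the function names and the address 203.0.113.10 are placeholders.

```shell
#!/bin/sh
# Added example: open pf and start ftpd only for the duration of an upload.
# Assumes pf.conf blocks inbound traffic by default and contains the line
#   anchor "ftp_upload"        (hypothetical anchor name)

# Print the two pass rules for one client. $1 = IPv4 address,
# $2/$3 = passive port range (defaults are the sysctl values quoted above).
ftp_rules() {
    lo=${2:-49152} hi=${3:-65535}
    case "$1" in                 # coarse check; pfctl does the real parsing
        ''|*[!0-9.]*) echo "not an IPv4 address: $1" >&2; return 1 ;;
    esac
    case "$lo$hi" in
        *[!0-9]*) echo "bad port range" >&2; return 1 ;;
    esac
    printf 'pass in quick on egress inet proto tcp from %s to (egress) port 21\n' "$1"
    printf 'pass in quick on egress inet proto tcp from %s to (egress) port %s:%s\n' \
        "$1" "$lo" "$hi"
}

# Load the rules into the anchor, then start ftpd without enabling it at boot.
open_ftp_window() {
    lo=$(sysctl -n net.inet.ip.porthifirst) || return 1
    hi=$(sysctl -n net.inet.ip.porthilast) || return 1
    rules=$(ftp_rules "$1" "$lo" "$hi") || return 1
    printf '%s\n' "$rules" | pfctl -a ftp_upload -f - || return 1
    rcctl -f start ftpd
}

# Stop the daemon first, then withdraw the pass rules.
close_ftp_window() {
    rcctl stop ftpd
    pfctl -a ftp_upload -F rules
}

# Usage (as root): open_ftp_window 203.0.113.10; ...upload...; close_ftp_window
```

Rejecting anything but digits and dots in the address keeps a mistyped or hostile argument from being pasted into the ruleset as extra rule text.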
Old 25th March 2021
jonsec jonsec is offline
Fdisk Soldier
 
Join Date: Jul 2019
Posts: 71
Thumbs up

Quote:
Originally Posted by J65nko View Post
You can make it safer by:
  • Only start the ftp daemon when you want to upload files, and stop the ftp daemon when you are done.
  • Use a pf rule to only allow you to use the ftp daemon.
    That means:
    • Only accept a port 21 (ftp command channel) connection from your IP address
    • Only accept ftp data channel connections from your IP address. The port range is defined in the following sysctl settings
      Code:
      net.inet.ip.porthifirst=49152
      net.inet.ip.porthilast=65535
Hmmm. It is a clever move.

Quote:
Originally Posted by IdOp View Post
In post #6 jggimi suggested nc(1), aka "netcat". Have you considered this? I've used it to move large files around my LAN and it's very fast. You have to set up a receiving process on the target machine, but this can be done via ssh login, so that part is secure. If your file is encrypted, then wouldn't that cover all bases?
Oops, yes. I did not notice.
nc is simple and good.

I think this thread has moved away from the original content.
I opened a new thread:
http://daemonforums.org/showthread.php?p=70537

Thanks all.

Last edited by jonsec; 25th March 2021 at 09:16 AM.
Reply With Quote