oftpd: a Secure, Modern FTP Dæmon

FTP dæmons may not get much attention, but what attention they do get is in the form of security advisory after security advisory. There's not much hack value for most people in supporting something as old-school as FTP, so the state of the art has languished—until now. This article will introduce you to Shane Kerr's oftpd, an incredibly simple FTP dæmon that, we think, will start to replace the old, full-featured dæmons currently shipping on (and creating security issues for) Linux distributions everywhere.

Rick Moen, a Linux security guru who is also famous for his ability to install Linux on many obsolete or unusual systems, runs an FTP server mostly as an archive of Linux distributions to install over the network. Boot from floppy, select “Install from FTP” and Bob's your uncle. No need to figure out how to insmod the driver for somebody's ten-year-old 1x CD-ROM drive. (Please, don't everyone go knocking on Rick's door with your VIC-20s and PDP-8s; he gets plenty of challenges from regular installfests and user-group meetings.)

FTP remains useful for three reasons, Rick says. First, FTP provides automatic, informative directory listings, including file modification times, to facilitate mirroring. Second, there's no “index.html” to override a dæmon-generated directory listing in FTP, so it's easy to mirror entire directory trees or grab them with snarf.

Finally, Rick finds that you can get small FTP clients for legacy OSes or special situations where an HTTP client won't fit. For example, Rick used a MacOS FTP client to copy Debian floppies to an old Macintosh with no CD-ROM and insufficient memory for a web browser. People who install a lot of Red Hat or Red Hat-based systems using Kickstart floppies soon find that FTP installs are fast, convenient and let you keep a single software archive up-to-date on the FTP server. You can do the same thing with an NFS (Network File System) install, but FTP is faster.

The qualities people need from an FTP dæmon have changed since the old dæmons were written. First, the days of logging in to an FTP site with a username and password (which get sent in plaintext over the Net) are gone, gone, gone. People are using ssh, scp and other encrypted tools to protect their passwords on the Net when they transfer nonpublic files, so the FTP dæmon no longer needs to authenticate users. Second, performance matters. People aren't just using FTP to get an occasional piece of software or pass along work to colleagues. FTP servers should be prepared to get slammed by many clients all installing an entire Linux distribution at once.

So, the two goals for running a modern FTP server are: for security, simplify both your Policy and FTP dæmon to “anonymous FTP only”, and look for a dæmon that offers good performance. That's what brings us to oftpd.

For security, oftpd runs as a non-root user except for essential setup tasks. It runs “chrooted” to the public FTP directory. These features buy you a lot, security-wise, and an old-fashioned FTP dæmon that allows users to log in with a username and password that can't match it. For simplicity and performance, oftpd itself generates directory listings instead of running ls.

The first step in setting up oftpd is to get rid of the old ftp entry in inetd.conf. The FTP dæmon that probably came with your Linux distribution gets run by inetd, while oftpd runs standalone for speed. Just comment out the ftp line with a # at the beginning, so it looks something like this:

# ftp stream  tcp nowait  root /usr/sbin/tcpd in.ftpd -l -a

Now killall -HUP inetd to restart inetd, so that it knows not to respond to connections on the FTP port. If you ftp localhost you should get a Connection refused.

Now, we're ready to move on to oftpd itself. First, the easy part. To compile and install, just unpack the tar file, cd into the resulting directory and use the One True GNU Way (./configure; make; make install). To keep everything in its appropriate, canonical place, supply the bindir argument to the configure script, so that make install will put the oftpd executable in /usr/local/sbin, which is the appropriate directory for locally built dæmons:

sh ./configure --bindir=/usr/local/sbin && make

Then su root and do:

make install

The above compile and install step, as well as the following three steps, will be handled for you if you install oftpd from an RPM or deb package, but you'll have to complete them if you're installing oftpd from source.