Hi, I'm attaching a file I found that explains the proftpd-tls patch. I hope it helps,

Pedro

--
Pedro Martinez Juliá \ yoros@terra.es )| yoros@wanadoo.es / http://yoros.cjb.net
Socio HispaLinux #311
Usuario Linux #275438 - http://counter.li.org
GnuPG public information: pub 1024D/74F1D3AC
Key fingerprint = 8431 7B47 D2B4 5A46 5F8E 534F 588B E285 74F1 D3AC
TLS patch for proftpd-1.2.0 together with OpenSSL >= 0.9.4, based on the
"draft-murray-auth-ftp-ssl-05.txt" IETF draft.

Copyright (c) 2000 Peter 'Luna' Runestig <peter@runestig.com>
The verify_crl() function by Ralf S. Engelschall <rse@engelschall.com>

This product includes software developed by the OpenSSL Project for use in
the OpenSSL Toolkit. (http://www.openssl.org/)
This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com)

Patching:
  $ tar xzf proftpd-1.2.0.tar.gz
  $ cd proftpd-1.2.0
  $ patch -p1 < ../proftpd-tls.current.patch
Or just use the prepatched tarball.

Configuring:
  $ ./configure [--with-openssl-dir=DIR]

Building:
  $ make

Installation:
  $ make install

By default, proftpd looks for a single configuration file as
/usr/local/etc/proftpd.conf. Copy sample-configurations/basic.conf to
/usr/local/etc/proftpd.conf and modify it to suit your needs. More advanced
configuration examples are also included.

The proftpd server tries to use these TLS related files by default:

  ftpd-rsa.pem      RSA certificate, may include private key
  ftpd-rsa-key.pem  RSA private key
  ftpd-dsa.pem      DSA certificate, may include private key
  ftpd-dsa-key.pem  DSA private key
  ftpd-crl.pem      Certificate Revocation List
  ftpd-dhparam.pem  DH Parameters (a set of DH params is compiled in)

These files are searched for in the following directories (in this order):

  * Current working directory of the process.
  * Specified by the `X509_get_default_cert_dir_env()` environment variable
    (usually $SSL_CERT_DIR).
  * `X509_get_default_cert_dir()`, usually (openssl-dir)/certs.
  * `X509_get_default_private_dir()`, usually (openssl-dir)/private.

Default CRL directory for the proftpd server is (openssl-dir)/crl.
If you don't have any "proper" certificate files (signed by some CA), you
might create a self-signed one using the ``openssl'' command:

  $ openssl req -new -x509 -days 365 -nodes -out ftpd-rsa.pem -keyout ftpd-rsa-key.pem

This creates a cert which is valid for 365 days; you might want to adjust that.

X509 client authentication
--------------------------

Support for user authentication is possible through the custom function

  int x509_to_user(X509 *peer_cert, char *userid, int len)

in the file src/x509_to_user.c, and by a .tlslogin file in the user's home
directory.

  o tls_userid_from_client_cert() is called and returns a user id or NULL.
    tls_userid_from_client_cert() calls the site specific function
    x509_to_user().
  o If the user name, set by the USER command, equals the user id mapped
    from the client cert, the user is logged right in.
  o If "USER" differs from the user id mapped from the client cert, the
    function tls_is_user_valid() is called to check "USER"'s ~/.tlslogin
    file. That file, if it exists, contains one or more X509 certificates
    in PEM format. If the client cert is present in the file, the user is
    logged right in.
  o If tls_userid_from_client_cert() can't map a user id from the client
    cert, tls_is_user_valid() is called to check "USER"'s ~/.tlslogin file.
    If the client cert is present in the file, the user is logged right in.

Hash symlinks for certs:
  ln -s cert.pem `openssl x509 -hash -noout -in cert.pem`.0
Hash symlinks for CRLs:
  ln -s crl.pem `openssl crl -hash -noout -in crl.pem`.r0

Default cipher list is "ALL:!EXP".
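The three login rules above, as an added example that is not part of the proftpd-tls patch or its README. It models ~/.tlslogin as a file of PEM certificates and compares certificates by their base64 body so that a differently wrapped copy of the same certificate still matches; the certificates and the function names tls_login_allowed and cert_in_tlslogin are constructed for this example.

```python
# Added example (not from the proftpd-tls patch): the README's login decision,
# with ~/.tlslogin handled as a file of PEM certificates.
import re

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_bodies(text):
    """Base64 bodies of every certificate in PEM text, whitespace removed,
    so the same certificate wrapped at a different width still compares equal."""
    return {re.sub(r"\s+", "", body) for body in _PEM_CERT.findall(text)}


def cert_in_tlslogin(client_cert_pem, tlslogin_text):
    """True if the presented client certificate appears in USER's ~/.tlslogin."""
    client = pem_bodies(client_cert_pem)
    return bool(client) and client <= pem_bodies(tlslogin_text)


def tls_login_allowed(user, mapped_userid, client_cert_pem, tlslogin_text):
    """Apply the three README rules.
    mapped_userid: what x509_to_user() mapped the client cert to (None if it
    could not map one).  tlslogin_text: content of USER's ~/.tlslogin ("" if
    the file does not exist)."""
    if mapped_userid is not None and mapped_userid == user:
        return True  # USER equals the user id mapped from the client cert
    # USER differs from the mapped id, or nothing was mapped: check ~/.tlslogin
    return cert_in_tlslogin(client_cert_pem, tlslogin_text)


# Constructed stand-ins, NOT real certificates (the comparison is textual).
ALICE_CERT = "-----BEGIN CERTIFICATE-----\nQUxJQ0U=\nQ0VSVA==\n-----END CERTIFICATE-----\n"
BOB_CERT = "-----BEGIN CERTIFICATE-----\nQk9C\nQ0VSVA==\n-----END CERTIFICATE-----\n"
# alice's ~/.tlslogin lists bob's cert, wrapped differently than BOB_CERT above
ALICE_TLSLOGIN = "-----BEGIN CERTIFICATE-----\nQk9CQ0VSVA==\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(tls_login_allowed("alice", "bob", BOB_CERT, ALICE_TLSLOGIN))   # True
    print(tls_login_allowed("alice", None, ALICE_CERT, ALICE_TLSLOGIN))  # False
```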
How to put together a 'cipher list string':

Key Exchange Algorithms:
  "kRSA"   RSA key exchange
  "kDHr"   Diffie-Hellman key exchange (key from RSA cert)
  "kDHd"   Diffie-Hellman key exchange (key from DSA cert)
  "kEDH"   Ephemeral Diffie-Hellman key exchange (temporary key)

Authentication Algorithm:
  "aNULL"  No authentication
  "aRSA"   RSA authentication
  "aDSS"   DSS authentication
  "aDH"    Diffie-Hellman authentication

Cipher Encoding Algorithm:
  "eNULL"  No encoding
  "DES"    DES encoding
  "3DES"   Triple DES encoding
  "RC4"    RC4 encoding
  "RC2"    RC2 encoding
  "IDEA"   IDEA encoding

MAC Digest Algorithm:
  "MD5"    MD5 hash function
  "SHA1"   SHA1 hash function
  "SHA"    SHA hash function (should not be used)

Aliases:
  "ALL"      all ciphers
  "SSLv2"    all SSL version 2.0 ciphers (should not be used)
  "SSLv3"    all SSL version 3.0 ciphers
  "EXP"      all export ciphers (40-bit)
  "EXPORT56" all export ciphers (56-bit)
  "LOW"      all low strength ciphers (no export)
  "MEDIUM"   all ciphers with 128-bit encryption
  "HIGH"     all ciphers using greater than 128-bit encryption
  "RSA"      all ciphers using RSA key exchange
  "DH"       all ciphers using Diffie-Hellman key exchange
  "EDH"      all ciphers using Ephemeral Diffie-Hellman key exchange
  "ADH"      all ciphers using Anonymous Diffie-Hellman key exchange
  "DSS"      all ciphers using DSS authentication
  "NULL"     all ciphers using no encryption

Each item in the list may include a prefix modifier:
  "+"  move cipher(s) to the current location in the list
  "-"  remove cipher(s) from the list (may be added again by a subsequent
       list entry)
  "!"  kill cipher from the list (it may not be added again by a subsequent
       list entry)

If no modifier is specified the entry is added to the list at the current
position. "+" may also be used to combine tags to specify entries such as
"RSA+RC4", which describes all ciphers that use both RSA and RC4.
For example, all available ciphers not including ADH key exchange:

  ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

All algorithms including ADH and export but excluding patented algorithms:

  HIGH:MEDIUM:LOW:EXPORT56:EXP:ADH:!kRSA:!aRSA:!RC4:!RC2:!IDEA

The OpenSSL command

  openssl ciphers -v <list of ciphers>

may be used to list all of the ciphers and the order described by a specific
<list of ciphers>.
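A small model of the cipher-list rules described above (the "+", "-" and "!" modifiers, "+"-combined tags, and the order that results), as an added example that is neither OpenSSL's implementation nor part of the README. The five suites and the tags assigned to them are constructed for illustration, and "ALL" is taken literally as every suite, as the README states it.

```python
# Added example (not from OpenSSL or the proftpd-tls README): a model of the
# cipher list string rules, run over a constructed table of five suites.
# Tags per suite are constructed for illustration; every suite carries "ALL".
CIPHER_TABLE = {
    "DES-CBC3-SHA": {"ALL", "SSLv3", "kRSA", "aRSA", "RSA", "3DES", "SHA1", "HIGH"},
    "RC4-SHA":      {"ALL", "SSLv3", "kRSA", "aRSA", "RSA", "RC4", "SHA1", "MEDIUM"},
    "ADH-RC4-MD5":  {"ALL", "SSLv3", "kEDH", "aNULL", "DH", "EDH", "ADH", "RC4", "MD5", "MEDIUM"},
    "EXP-RC4-MD5":  {"ALL", "SSLv3", "kRSA", "aRSA", "RSA", "RC4", "MD5", "EXP"},
    "NULL-MD5":     {"ALL", "SSLv3", "kRSA", "aRSA", "RSA", "eNULL", "MD5", "NULL"},
}
# Note: the README defines "ALL" as all ciphers; real OpenSSL excludes the
# eNULL suites from "ALL", so NULL-MD5 would not appear there without "NULL".


def cipher_list(spec, table=CIPHER_TABLE):
    """Expand a cipher list string into the ordered list of suites it selects."""
    selected = []   # the list being built, in order
    killed = set()  # suites removed with "!" can never be added again
    for item in spec.split(":"):
        modifier = item[0] if item[:1] in ("+", "-", "!") else ""
        # "RSA+RC4": every tag joined with "+" must match the suite
        tags = set(item[len(modifier):].split("+"))
        matched = [suite for suite, t in table.items() if tags <= t]
        if modifier == "!":
            killed.update(matched)
            selected = [s for s in selected if s not in matched]
        elif modifier == "-":
            selected = [s for s in selected if s not in matched]
        elif modifier == "+":
            # move matched suites to the current (end) position, keeping their order
            moved = [s for s in selected if s in matched]
            selected = [s for s in selected if s not in matched] + moved
        else:
            for suite in matched:
                if suite not in selected and suite not in killed:
                    selected.append(suite)
    return selected


if __name__ == "__main__":
    print(cipher_list("ALL:!EXP"))  # the patch's default list
    print(cipher_list("ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"))
```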