bbftpd is a server that supports the BBFTP protocol. This protocol has been
developed in order to speed up transfer by using multiple TCP streams between
client and server, and also to take advantage of the RFC 1323.
As one of the major problems of the FTP protocol was the unencrypted transmission
of the username and password, BBFTP uses several methods for authentication.
The first one is to generate at each new connection a RSA key pair, to send
the public key to the client who will encrypt the username and password using
this public key, and then to decrypt them with the private key. As these keys
are 1024 bits long and generated at each new connection, it will be quite
difficult to steal a password. This method requires OpenSSL to be installed
on both sides. The second connection method is based on ssh; instead
of making a connection to a running daemon, the client will remotely start the
daemon with ssh (with a command like ssh -l user remotehost bbftpd -s).
A third additionnal authenticate mode allows to use certificates to log on. This mode
is based on the Grid Security Infrastructure and requires Globus software to be installed.
The client side needs a certificate to identify itself and the daemon needs a host certificate
BBFTP protocol works in the following way :
- After the authentication procedure has ended there is what is called a control
connection between the client and the server. On that connection all control commands
- When a data transfer occurs (get or put command sent by the client), the server can
work in passive or non-passive mode:
- In passive mode (with client >= 3), the server gets all TCP ports needed by the transfer
(one per stream) and sends those ports to the client on the control connection. If the
server is built or run with a range, those ports will be chosen in this range.
- In non-passive mode, the client gets all TCP ports needed by the transfer
(one per stream) and sends those port numbers to the server on the control connection.
The server will then connect to those ports (using a defined port number if the
-f is not used) and use them to transfer data.
To meet security requirements (firewalls filters), you may want to use the passive mode with
a defined range of ephemeral ports.
The behaviour of the server is controlled by commands sent by the client (see bbftp(1)).
The server can be used in different ways :
Through inetd (and tcpwrapper if needed). In this case the line in the inetd.conf file will
look like :
bbftp stream tcp nowait root /usr/local/bin/bbftpd bbftpd [-f] [-e EphemeralPortsRange] [-l LogLevel] [-m MaxStreamNumber] [-R ProfileFile] [-u] [-c|-p]
As a standalone server. In this case the starting procedure has to contain the following line:
bbftpd -b [-f] [-e EphemeralPortsRange] [-l LogLevel] [-m MaxStreamNumber] [-w PortNumber] [-u] [-R ProfileFile] [-u] [-c|-p]
Started via ssh. In this case the remote command started by the client will look like:
bbftpd -s [-f] [-e EphemeralPortsRange] [-l LogLevel] [-m MaxStreamNumber] [-w PortNumber] [-R ProfileFile]