This page will describe how to run an Internet Kermit server, like the quux.org Kermit Server that was featured in my article Try the Last Internet Kermit Server.
I am basing this on the ckermit package in Debian. But these concepts should be broadly applicable to any system.
The Internet Kermit Server is known as IKSD. It listens on a TCP port, 1649 by default.
This is only one way to access a remote Kermit. On modern systems, those with local accounts on a remote machine are more likely to run Kermit atop ssh.
While you can set up IKSD to allow any local user to log in with PAM, the SSL story in Kermit is challenging. Since Kermit has good ssh support anyway, I’m writing this guide assuming you will be using the anonymous access support in Kermit, which lets members of the public access your Kermit server.
This page is designed to supplement, not replace, the Kermit resources. You should also refer to them:
- Columbia University’s User’s Guide to their Kermit server. Although their Kermit server no longer exists, it is still a useful guide to Kermit.
- Kermit Project’s general IKSD page, which has links to running the IKSD under Unix and Windows.
- Kermit Project’s Unix IKSD page
Configuration
The configuration for IKSD resides in /etc/kermit/iksd.conf. There are several kinds of settings you might consider adding. The first are tuning parameters as I describe in my Kermit page:
set receive packet-length 9000
set send packet-length 9000
set window 32
set transfer slow-start off
set streaming on
You may also want to force transfers to binary mode. This definitely isn’t for everyone, but it might possibly be for you:
set transfer mode manual
set file type binary
By default, Kermit will attempt to negotiate TLS. The TLS support in the client is a bit challenging when it comes to certificate verification, so I suggest just disabling TLS:
set telopt start-tls refused
set telopt encryption refused
set telopt authentication refused
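To confirm that the three telopt settings above took effect, you can inspect the Telnet option negotiation the server sends when a client connects. The following is an added example, not part of the original guide or of C-Kermit: it parses the server-to-client bytes (for instance, saved from a packet capture) and reports any security option the server offered or agreed to. It assumes that a server with these options refused never sends WILL or DO for them; both byte strings are constructed sample data.

```python
# Added example: audit the server-to-client half of a telnet negotiation.
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
VERBS = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
# Telnet option numbers from the IANA registry.
WATCHED = {37: "AUTHENTICATION", 38: "ENCRYPT", 46: "START_TLS"}


def parse_negotiation(data: bytes):
    """Return [(verb, option)] for each IAC WILL/WONT/DO/DONT in data."""
    found, i, n = [], 0, len(data)
    while i + 1 < n:
        if data[i] != IAC:
            i += 1
            continue
        cmd = data[i + 1]
        if cmd in VERBS:
            if i + 2 >= n:
                break  # capture cut off mid-command
            found.append((VERBS[cmd], data[i + 2]))
            i += 3
        elif cmd == SB:
            # Skip the subnegotiation payload (IAC IAC is an escaped 0xFF).
            j = i + 2
            while j + 1 < n and not (data[j] == IAC and data[j + 1] == SE):
                j += 2 if data[j] == IAC else 1
            if j + 1 >= n:
                break  # no closing IAC SE in this capture
            i = j + 2
        else:
            i += 2  # IAC IAC in the data stream, or another two-byte command
    return found


def offered_security_options(server_bytes: bytes):
    """Names of watched options the server offered or agreed to (WILL/DO)."""
    return sorted({WATCHED[opt] for verb, opt in parse_negotiation(server_bytes)
                   if verb in ("WILL", "DO") and opt in WATCHED})


# Constructed sample: every watched option refused, Kermit option (47) on.
HARDENED_CAPTURE = bytes([IAC, WONT, 46, IAC, DONT, 37, IAC, WONT, 38,
                          IAC, DONT, 38, IAC, WILL, 47, IAC, DO, 47]) + b"text\r\n"
# Constructed sample: a server that still negotiates all three options.
NEGOTIATING_CAPTURE = bytes([IAC, DO, 37, IAC, WILL, 38, IAC, DO, 38, IAC, DO, 46,
                             IAC, SB, 37, 1, IAC, IAC, 0, IAC, SE])

if __name__ == "__main__":
    print("hardened:", offered_security_options(HARDENED_CAPTURE))
    print("negotiating:", offered_security_options(NEGOTIATING_CAPTURE))
```

An empty list means none of the three options was offered, so the session runs in cleartext as configured.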
The “ftp” account
In order to use anonymous mode, you will need to set up an account named ftp. This is the user that kermit will change to when a user authenticates as anonymous or ftp.
Running from inetd
If you want to run kermit the traditional way, from inetd.conf, the entry will look something like this (put it all on one line):
kermit stream tcp nowait root /usr/sbin/tcpd /usr/sbin/iksd -A --dbfile:/var/run/iksd.db
--root:/srv/ftp --anonymous:on
Running from systemd
systemd has some additional isolation features that you can use to enhance the security of your system.
Here is one example of running it from systemd. There are many ways you can enable the isolation.
First, create /etc/systemd/system/iksd.socket:
[Socket]
ListenStream = 1649
Accept=yes
[Install]
WantedBy = sockets.target
Now, /etc/systemd/system/iksd@.service:
[Unit]
Description=Internet Kermit Server
[Service]
# Note the - to make systemd ignore the exit code
ExecStart=-/usr/sbin/iksd -A --dbfile:/var/run/iksd/iksd.db --root:/srv/ftp --anonymous:on
# This is the part that makes it work like inetd
StandardInput=socket
StandardOutput=socket
DynamicUser=no
User=root
Group=root
# Whole file system read-only, except /dev, /proc, /sys and the ReadWritePaths below
ProtectSystem=strict
ProtectHome=true
NoNewPrivileges=true
RuntimeDirectory=iksd
ReadWritePaths=/var/run/iksd /run/iksd /var/log
ReadOnlyPaths=/srv/ftp
# Limit socket() to these address families; with AF_INET and AF_INET6 allowed, this does not block new outbound connections
RestrictAddressFamilies=AF_INET AF_INET6 AF_PACKET
[Install]
WantedBy=multi-user.target
Then:
systemctl enable iksd.socket
systemctl start iksd.socket
Further reading
Additional options relating to banner files and so forth are documented on the Kermit webpages.