I am basing this on the ckermit package in Debian. But these concepts should be broadly applicable to any system.
The Internet Kermit Server is known as IKSD. It listens on a TCP port, 1649 by default.
This is only one way to access a remote Kermit. On modern systems, those with local accounts on a remote machine are more likely to run Kermit atop ssh.
While you can set up IKSD to allow any local user to log in with PAM, the SSL story in Kermit is challenging. Since Kermit has good ssh support anyway, I’m writing this guide assuming you will be using the anonymous access support in Kermit, which lets members of the public access your Kermit server.
This page is designed to supplement, not replace, the Kermit resources. You should also refer to them:
- Columbia University’s User’s Guide to their Kermit server. Although their Kermit server no longer exists, it is still a useful guide to Kermit.
- Kermit Project’s general IKSD page, which has links to running the IKSD under Unix and Windows.
- Kermit Project’s Unix IKSD page
The configuration for IKSD resides in /etc/kermit/iksd.conf. There are several kinds of settings you might consider adding. The first are tuning parameters as I describe in my Kermit page:

    set receive packet-length 9000
    set send packet-length 9000
    set window 32
    set transfer slow-start off
    set streaming on

You may also want to force transfers to binary mode. This definitely isn’t for everyone, but it might possibly be for you:

    set transfer mode manual
    set file type binary

By default, Kermit will attempt to negotiate TLS. The TLS support in the client is a bit challenging when it comes to certificate verification, so I suggest just disabling TLS:

    set telopt start-tls refused
    set telopt encryption refused
    set telopt authentication refused

The “ftp” account
In order to use anonymous mode, you will need to set up an account named ftp. This is the user that kermit will change to when a user authenticates as
Running from inetd
If you want to run kermit the traditional way, from inetd.conf, the entry will look something like this (put it all on one line):
kermit stream tcp nowait root /usr/sbin/tcpd /usr/sbin/iksd -A --dbfile:/var/run/iksd.db --root:/srv/ftp --anonymous:on
Running from systemd
systemd has some additional isolation features that you can use to enhance the security of your system.
Here is one example of running it from systemd. There are many ways you can enable the isolation.

    [Socket]
    ListenStream = 1649
    Accept=yes

    [Install]
    WantedBy = sockets.target

    [Unit]
    Description=Internet Kermit Server

    [Service]
    # Note the - to make systemd ignore the exit code
    ExecStart=-/usr/sbin/iksd -A --dbfile:/var/run/iksd/iksd.db --root:/srv/ftp --anonymous:on
    # This is the part that makes it work like inetd
    StandardInput=socket
    StandardOutput=socket
    DynamicUser=no
    User=root
    Group=root
    # strict: the whole file system is read-only except /dev, /proc, /sys
    # and the ReadWritePaths listed below
    ProtectSystem=strict
    ProtectHome=true
    NoNewPrivileges=true
    RuntimeDirectory=iksd
    ReadWritePaths=/var/run/iksd /run/iksd /var/log
    ReadOnlyPaths=/srv/ftp
    # Only sockets of these address families may be created
    RestrictAddressFamilies=AF_INET AF_INET6 AF_PACKET

    [Install]
    WantedBy=multi-user.target

    systemctl enable iksd.socket
    systemctl start iksd.socket

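An added example, not part of the original page or the Kermit project: a Python check that the iksd options in ExecStart agree with the sandbox paths in the service unit above. Under ProtectSystem=strict the --dbfile: location must sit under a ReadWritePaths entry, which the inetd-style path /var/run/iksd.db would not. The function names are hypothetical and PAGE_UNIT is a trimmed copy of the unit.

```python
# Service unit from this page (trimmed), embedded so the check runs offline.
PAGE_UNIT = """\
[Service]
ExecStart=-/usr/sbin/iksd -A --dbfile:/var/run/iksd/iksd.db --root:/srv/ftp --anonymous:on
ProtectSystem=strict
NoNewPrivileges=true
RuntimeDirectory=iksd
ReadWritePaths=/var/run/iksd /run/iksd /var/log
ReadOnlyPaths=/srv/ftp
"""

def service_settings(text):
    """Collect [Service] directives as {name: [whitespace-separated values]}."""
    section, found = None, {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "Service" and "=" in line:
            name, value = line.split("=", 1)
            found.setdefault(name.strip(), []).extend(value.split())
    return found

def iksd_options(argv):
    """Map iksd's --name:value arguments, e.g. {'root': '/srv/ftp'}."""
    return dict(a[2:].split(":", 1) for a in argv
                if a.startswith("--") and ":" in a)

def under(path, dirs):
    """True if path equals one of dirs or lies inside it (whole components)."""
    return any(path == d or path.startswith(d.rstrip("/") + "/") for d in dirs)

def audit(text):
    """Return a list of problems; empty means sandbox and iksd options agree."""
    svc = service_settings(text)
    opts = iksd_options(svc.get("ExecStart", []))
    rw, ro = svc.get("ReadWritePaths", []), svc.get("ReadOnlyPaths", [])
    strict = svc.get("ProtectSystem", [""])[-1] == "strict"
    problems = []
    if svc.get("NoNewPrivileges", [""])[-1] not in ("true", "yes", "1", "on"):
        problems.append("NoNewPrivileges is not enabled")
    if strict and "dbfile" in opts and not under(opts["dbfile"], rw):
        problems.append("dbfile is on a read-only path; iksd cannot update it")
    root = opts.get("root", "")
    if root and (under(root, rw) or not (strict or under(root, ro))):
        problems.append("anonymous root is writable by the service")
    return problems
```

Run `audit()` on the text of your own unit file before enabling the socket; an empty list means the paths given to iksd match what the sandbox allows.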
Additional options relating to banner files and so forth are documented on the Kermit webpages.