Max Evarts, The Kermit Project
Columbia University, New York City
[ Contents ] [ WIKSD User Guide ] [ Kermit 95 Home ] [ Kermit Home ]
ABSTRACT: How to install, configure, and manage the Windows Internet Kermit Service: a standards-compliant File Transfer and Management Shell for Windows NT, 2000, and XP from the Kermit Project at Columbia University, available in free and secure versions.
As of Kermit 95 version: 2.0
This file last updated:
4 June 2002
(New York City time)
IF YOU ARE READING A PLAIN-TEXT version of this document, it is a plain-text dump of a Web page. You can visit the original (and possibly more up-to-date) Web page here:
http://www.columbia.edu/kermit/wiksdadmin.html
This document applies to Windows NT and its descendents, which at this writing include Windows 2000 and Windows XP. When the term "Windows", "Windows NT", or "Windows NT/2000" is used in this document it refers to Windows NT, 2000, and XP, but not to Windows 95, 98, or Millenium Edition (which are sometimes referred to collectively as Windows 9x or Win9x). The Internet Kermit Service should NOT be installed on Windows 9x because (a) Windows 9x is insecure, and (b) it does not support background processes or "services". Any references to Windows 9x in this document are for completeness only and should not be construed as encouragement for running an unattended Internet Kermit Service on those operating systems.
Comments, suggestions, questions welcome. Send them by email to: kermit-support@columbia.edu.
1. WHAT IS IKSD? 2. INSTALLATION 3. IKSD USERS 4. RUNTIME CONFIGURATION OPTIONS 5. ACCESS TO SERVICES 6. MONITORING AND CONTROL 7. OPEN ISSUES 8. TESTING
The Microsoft Windows operating system was not originally designed or intended to allow remote access by ordinary terminal programs (such as Telnet clients). Yet users understandably wanted this type of open access ever since Windows was first announced. As soon as Kermit 95 announced in October 1995 (just after Windows 95 itself), users began demanding support for incoming connections. The result was "Host Mode", which in effect built a user-ID based authentication and file system onto a Windows 95 foundation that didn't have such a thing.
Windows NT (which actually predates Windows 95 by a couple years, but did become popular until much later) solves many of the same problems addressed by K95 Host Mode: a file system supporting authenticated users with a full range of access controls. Of course Windows NT is only the first in a series of NT-based operating systems, now including Windows 2000 and Windows XP. Kermit 95 Host Mode can be used on Windows NT and its descendents, but:
Enter Windows IKSD.
IKSD is the Internet Kermit Service Daemon, a software program that offers a secure and flexible file-transfer and management service on the Internet, based on Telnet and Kermit protocols, that can be accessed from anywhere on the Internet, using the procedures specified in Internet RFCs 2839 and 2840, and supporting various IETF-standard security methods that can be negotiated with the client.
WIKSD is a version of IKSD for Windows NT, 2000, or XP, based on Kermit 95. It is not a "PcAnywhere" substitute (graphical desktop replicator), nor does it give you remote access to the "DOS" shell (more about this in the WIKSD User Guide) -- it is more like a high-function FTP server that gives you the options of interacting with it directly and of scripting its operation. WIKSD comes in two forms:
Windows Internet Kermit Service allows both anonymous and authenticated text-mode access. As the PC owner, you can allow or disable anonymous access and you can also restrict which users may and may not log in to your PC with IKSD. Anonymous users have restricted access rights; for example, they are not allowed to delete, overwrite, or modify existing files. Authenticated users have whatever rights are associated with their Windows NT identities, but both classes of users can, optionally, be restricted to a particular directory or directory tree.
IKSD can be useful in a variety of scenarios, such as:
Once authenticated, IKSD users can manage and transfer files, as they might do with an FTP server:
IKSD can be accessed by any Telnet client that allows specification of TCP socket 1649. If you also want to transfer files, the Telnet client must also support the Kermit file-transfer protocol (when IKSD is Kermit 95 rather than the free IKSDNT version, other protocols such as Zmodem are also supported). The clients that work best are:
Other clients might or might not support:
A Unix-based IKSD is available for public access at:
kermit.columbia.edu, port 1649
IKSD is a Kermit program configured to run only as an Internet service. It includes the full command and scripting language. If you are unfamiliar with the Kermit command language, it is documented in:
Frank da Cruz and Christine M. Gianone, Using C-Kermit, Second Edition, Digital Press / Butterworth-Heinemann, Woburn, MA, 1997, 622 pages, ISBN 1-55558-164-1.
Potential WIKSD administrators might also find it helpful to consult the following pages at the Kermit website:
2.1. InstallShield Installation 2.2. Manual Installation
Any material in this section or following sections relating to configuration of Windows NT users and file system settings to accomodate IKSD should be viewed as suggestions only. You might already have a scheme of users, groups and file system permissions that can be used or adapted to accomodate IKSD. In any case, installation of IKSD as described here should have little impact on your overall NT configuration. In concept, it is about the same as installing an FTP server.
The Internet Kermit Service for Microsoft Windows operating systems is provided as a standalone program (IKSDNT.EXE) and as a part of the Kermit 95 product (in which case K95.EXE acts as IKSD). The IKSDNT package contains the following files:
Kermit 95 1.1.21 and later include Internet Kermit Server capability and do not require the use of IKSDNT.EXE. IKSDSVC.EXE executes K95.EXE when IKSDNT.EXE is unavailable. Thus IKSDNT.EXE need be installed or used only on PCs where Kermit 95 is not installed.
WIKSD is normally installed as a Windows NT Service (background process), meaning it is started automatically every time Windows itself starts, and therefore is available to clients whenever Windows is running on your PC and your PC is on the Internet. Thus, conceptually, it is like an FTP server. Users can access it from outside, but you can't see it on your screen, unless you make a localhost connection to it (e.g. "iksd localhost" at the K-95> prompt).
It is strongly recommended that IKSD be installed only on Windows NT, 2000, or XP systems with all-NTFS file systems. FAT file systems do not support any of the file access controls you need when your PC disk is accessed by multiple remote users. To convert a FAT file system to NFTS, use the CONVERT command in the Command Window (type "help convert" in the Command Window for instructions).
You can install WIKSD in the normal, easy Windows way (from the InstallShield package) or for greater control over the configuration, you can install it manually.
Normally you would install Internet Kermit Service on your Windows system the same way you install any other program, using the normal Windows installation procedure. WIKSD comes in an InstallShield (IS) package, a single .EXE file that you run to install the application. The IS procedure asks a few simple questions and then installs WIKSD as a Windows NT service and starts it. So as soon as you complete the installation, you can make connections to WIKSD.
You must be a member of the Administrator group to install WIKSD. If you are not, installation of the WIKSD service fails.
The IS procedure for WIKSD (or the WIKSD component of the IS procedure for Kermit 95) follows these steps:
The WIKSD-related questions are used to create the IKSD.KSC file in the top-level Kermit 95 directory, which every instance of WIKSD reads and executes upon startup and before accepting a login. You can change your IKSD preferences or configuration at any time by editing this file. See Section 4.1 for details.
You can monitor WIKSD activity in the Event Viewer Application Log (Control Panel --> Administrative Tools --> Event Viewer --> Application Log).
To uninstall WIKSD, use Add/Remove Programs in the Control Panel. But note that when uninstalling WIKSD (or Kermit 95 itself) certain files might not be removed:
Plus any Kerberos configuration files that might have been created.
2.2.1. Installing IKSD as a Service 2.2.2. Installing IKSD as a User Process 2.2.3. Windows NT/2000/XP Folder Permissions 2.2.4. SRP and Windows NT/2000/XP 2.2.5. SRP and Windows 95/98/ME
Manual installation of WIKSD is possible only if you installed Kermit 95 without choosing to to install WIKSD, or if you uninstalled WIKSD after first installing it.
To install the Internet Kermit Service on any Microsoft Windows Operating System:
kermit 1649/tcp
On Windows NT/2000/XP, edit the file:
%SystemRoot%\SYSTEM32\DRIVERS\ETC\SERVICES
(On Windows 95/98/ME, the file is C:\WINDOWS\SERVICES.)
Also see the following Microsoft Knowledge Base articles:
Installation as an NT Service enables users to access the Internet Kermit Service at any time and independent of the user logged into the system. To install WIKSD as a service you must be logged in with an account that is a member of the "Administrators" group.
iksdsvc.exe -i
This installs WIKSD as a Service which starts automatically every time Windows starts. WIKSD is started using the "LocalSystem" account. The service name is "IKSD".
Use Control Panel --> Administrative Tools --> Services to change these settings. If an account other than the "LocalSystem" account is to be used for starting WIKSD, the account must have the "Act as part of the Operating System" privilege. Use of the LocalSystem account restricts the access of WIKSD to the local machine. All attempts at network access are denied.
(This section applies only to Windows 9x/ME.)
Start IKSD "by hand" in the Command Window simply by typing "iksd" at the prompt in the K95 directory.
If you wish to have WIKSD autostart each time you login to Windows:
Now the Internet Kermit Service will start automatically each time you login to Windows.
Also see:
By default, Windows NT leaves the file system wide open. These operating systems rely on applications like drive and folder sharing or IIS (Internet Information Server) to handle keeping users restricted to certain directories and directory trees. To some extent you can also use IKSD to limit access in the same way using the IKSD configuration file (see the SET ROOT command in Section 4.1 below). But to fully secure your system and to implement special permissions schemes, like the incoming folder for the anonymous accunt, you will need to make some adjustments to the default folder permissions. (This assumes that you are using NTFS drives; if you are not or you are running 95/98/ME, then you can use only IKSD mechanisms for restricting users -- see SET ROOT and the discussion of the ON_LOGIN macro in Section 4.)
The following procedure applies to Window 2000 (and most likely XP); in Windows NT 3 and 4 the concepts and permissions are the same, but the tools are not as well developed.
After creating a folder for incoming files in the anonymous user's directory tree, bring up the Security page under the Properties for the new folder. Then:
Now set the exact permissions required for the incoming directory:
Check the boxes as follows:
| Permission | Allow | Deny |
|---|---|---|
| Traverse Folder / Execute File | [x] | [ ] |
| List Folder / Read Data | [ ] | [x] |
| Read Attributes | [ ] | [x] |
| Read Extended Attributes | [ ] | [x] |
| Create Files / Write Data | [x] | [ ] |
| Create Folders / Append Data | [ ] | [x] |
| Write Attributes | [ ] | [x] |
| Write Extended Attributes | [ ] | [x] |
| Delete Subfolders and Files | [ ] | [x] |
| Delete | [ ] | [x] |
| Read Permissions | [ ] | [x] |
| Change Permissions | [ ] | [x] |
| Take Ownership | [ ] | [x] |
This gives anonymous users the ability to upload files, but not to see them, read them, copy them, send them, delete them, rename them, or overwrite them, but leaves you full rights over the uploaded files.
NOTE: Since anonymous users can't delete or overwrite files in the Incoming directory, it won't be possible for them to upload a file when a file of the same name is already there. In this case they can use an as-name, or else tell IKSD to "set file collision rename", meaning to give a new name to the incoming file.
On Windows NT/2000/SP, Secure Remote Password (SRP) can be used in with the local user accounts by installing a DLL (SRPFILTR.DLL) into the Windows System directory and inserting a record into the Registry:
HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Control\ Lsa\ Notification Packages (value of type REG_MULTI_SZ)
A value of type REG_MULTI_SZ allows multiple strings to be inserted at the same time. Do not delete any existing strings; just add the string "srpfiltr" to the list. Once this is done:
Now whenever a password is changed on the local machine an SRP password hash is also created, allowing SRP to be used as an authentication method with IKSD.
(This section is informational only. WIKSD is not supported on Windows 95, 98, or ME.)
On Windows ME or 98 (and 95 with Internet Explorer 4.0 or higher installed) SRP can be used in conjunction with the local user accounts by installing a DLL (SRPW95PP.DLL) into the Windows System directory and inserting a new key block into the Registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\PwdProvider\SRP
In this key, the following values must be set:
ProviderPath=srpw95pp.dll Description=Secure Remote Password ChangePassword=PPChangePassword GetPasswordStatus=PPGetPasswordStatus
Once this is done:
To change the SRP password to be the same as the Windows logon password:
To change the SRP password without changing the Windows logon password:
3.1. The Anonymous User 3.2. The "Regular" User
Users of IKSD map to Windows users. As we know, Windows 95/98/ME does not offer much control over users and how they can interact with the system. Fortunately, many of these shortcomings can be overcome with the configuration features of IKSD (see Section 4). Windows NT/2000/XP, however, allows detailed control over users' permissions, home directories, and so on.
Typically, one might have at least three classes of users:
Althought the default GUEST user on NT/2000/XP systems is a possible candidate for mapping to the IKSD ANONYMOUS user, it might be better to create a new user for this purpose. Since the IKSD ANONYMOUS user must be so carefully restricted to a specific part of the file system, making the necessary modifications to the GUEST user's permissions might have side effects you don't want. If this a concern to you, create a new user, make sure that it is not a member of the EVERYONE group, and use the SET IKS ANONYMOUS ACCOUNT command to tell IKSD to use this account. Give this user file permissions only on a folder that you designate for anonymous users. You can then "jail" the user to this folder with SET IKS ANONYMOUS ROOT command, which takes the place of operating-system-level file security for Windows 9x.
In NT/2000/XP, IKSD users map to existing Windows users in a Domain that the IKSD server is a part of. IKSD prompts for the user's ID (or Domain\ID) and the user's password for that domain. (See the SET IKS DEFAULT-DOMAIN command.) Once the user is logged in, they have the same privileges and permissions they have if they had logged in to the machine locally. If the NT user had a home directory defined, this is where they start. (See How the user's home directory is detrmined below.) One would use NT's control over file permissions to determine where the user would have rights to read, list, write, etc...
If user-level access is activated in Windows 95/98/ME, then the defined user names can be used to log in, every user has full read/write access to all the files on the PC.
4.1. The IKSD Configuration File 4.2. The K95 Initialization File 4.3. System Logging 4.4. The Transfer Log File
The IKSD can be configured at runtime by a configuration file and an initialization file.
And in Windows 9x/ME only, when using IKSD.EXE to start IKSD as a user process, you can include the following command-line parameter:
When Kermit 95 is started as IKSD (or IKSDNT is started), it obtains its configuration in the following sequence:
The ON_LOGIN macro lets you enforce your per-user policies, limited only by your imagination. Here's a suggestion:
define ON_LOGIN {
switch \v(user) {
:olga
echo Hi Olga
set root c:/olga
break
:olaf
echo Hello Olaf
break
:default
echo Welcome \fcapitalize(\v(user))
}
This gives a custom greeting to Olga and Olaf and a standard greeting to everyone else. It also uses the SET ROOT command to restrict Olga to her own directory tree:
Another command of particular interest in this regard is DISABLE, with which you can prevent certain users from doing certain kinds of things, like uploading files, deleting files, creating directories, etc.
The IKSD configuration file can contain any Kermit commands, functions or built-in variables but:
The following commands can be executed only in the IKSD Configuration file or in the ON_LOGIN macro. These commands are ignored if they are executed after the user is logged in.
On Windows NT, 2000, and XP, anonymous users have the same access rights as the ANONYMOUS account. In Windows 95/98/ME, anonymous users, just like any other users, have full access rights to your entire PC, since Windows 9x has no file-system security. For this reason, if you are allowing anonymous logins, be sure to also specify a SET IKS ANONYMOUS ROOT directory to restrict anonymous users to.
ANONYMOUS user permissions may be restricted via the specification of DISABLE commands in the ANONYMOUS INITFILE. ANONYMOUS users are not permitted to execute an ENABLE command. ANONYMOUS users are also prevented from SHOWing sensitive data about the operating system or the IKS configuration.
SET IKS CDFILE READ.ME
You can also give a list of up to 8 filenames by (a) enclosing each filename in braces, and (b) enclosing the entire list in braces. Example:
set iks cdfile {{./.readme}{READ.ME}{aaareadme.txt}{README}{read-this-first}}
When a list is given, it is searched from left to right and the first file found is displayed. The default list for UNIX is:
SET IKS CDFILE {{./.readme}{README.TXT}{READ.ME}}
\v(exedir)iksd.db
The IKSD configuration file can define three special macros which cannot altered or SHOWed by logged in users: ON_LOGIN, ON_LOGOUT, ON_EXIT. These macros are used to define operations the Administrator wants to have executed at special moments during the session lifetime:
For anonymous users, the home directory is as specified in the ANONYMOUS ACCOUNT's profile; or the directory specified by the SET IKS ANONYMOUS ROOT command.
http://www.kermit-project.org/security.html http://www.kermit-project.org/telnet.html
for details on how Telnet and Authentication policies can be set.
Examples:
SET SYSLOG COMMANDSAs above, but with all user commands going to the Event Log (Section 4.3).
SET IKS ANONYMOUS LOGINS ON SET IKS CDFILE READ.MEStarts the IKSD with anonymous access enabled and changes the name of CD message file from the default list to READ.ME.
SET IKS ANONYMOUS LOGINS ON SET IKS ANONYMOUS ACCOUNT KERMIT\\GUEST SET IKS CDFILE README.TXT SET IKS SERVER-ONLY ONStarts the IKSD with anonymous access enabled; sets the account to use for anonymous logins; and changes the name of CD message file from the default list to README.TXT. Note that the backslash separating the Domain (Kermit) from the Username (Guest) must be doubled, since this is a Kermit command.
SET IKS ANONYMOUS LOGINS OFF SET SYSLOG COMMANDS SET AUTH TLS RSA-CERT-FIL D:/OPENSSL/CERTS/TELNETD-RSA.PEM SET AUTH TLS RSA-KEY-FIL D:/OPENSSL/CERTS/TELNETD-RSA.PEM SET AUTH TLS DSA-CERT-FIL D:/OPENSSL/CERTS/TELNETD-DSA.PEM SET AUTH TLS DSA-KEY-FIL D:/OPENSSL/CERTS/TELNETD-DSA.PEM SET AUTH TLS CIPHER ALL:+DSS:+RSA:ADH SET AUTH TLS VERIFY PEER SET TELOPT START-TLS REQUIRED SET TELOPT AUTH REQUIRED SET TELOPT KERMIT REQUIRED REQUIREDStarts the IKSD with anonymous access forbidden; logs all commands; configures the server's X.509 certificates for TLS; requires the use of TELNET START-TLS for privacy and integrity protections; requires the use of an authentication method such as NTLM, SRP, ... for end user identification; and requires the use of TELNET KERMIT negotiations.
When a real user logs in to the IKSD, the Kermit-95 initialization file, K95.INI, is executed from the user's Home Directory as specified in the user's profile. The initialization file in turn executes the user's customization file, K95CUSTOM.INI. If the global (or user's) environment contains a K95.INI entry the specified initialization file is executed instead; this may, in turn, execute a customization file out of the user's home directory. You may override Kermit-95's automatic selection of initialization with the SET IKS NO-INIT and SET IKS INITFILE commands.
The initialization and customization files can contain any Kermit commands at all. Of particular interest in this context:
IKSDNT.EXE is missing numerous commands that are found in the regular K95.EXE program. Any such commands found in the initialization or customization files will cause error messages. To avoid the messages, either remove commands, specify a different initialization file with the appropriate SET IKS command, or prefix each such command with IF NOT IKSD.
For anonymous users, the default initialization file, if any, is K95.INI in the home directory for the ANONYMOUS ACCOUNT or as specified with the SET IKS ANONYMOUS INITFILE command. It is extremely important that the ANONYMOUS INITFILE file exist and not provide write permission to the ANONYMOUS ACCOUNT. Otherwise, guests could alter the contents of the file.
The system administrator may include commands in this file to disable selected services for anonymous users, e.g.:
disable delete ; Don't let anonymous users delete files (***) disable send ; Don't let anonymous users send files
Of course, any Kermit commands at all may be included: settings, macro definitions, etc (also see Section 7.5).
When the sysadmin specifies the initialization file, this allows a high degree of fine-grained control over who is allowed access to what commands and resources, using standard Kermit-95 commands, functions, and variables. The following are particularly useful:
"rejected" - Rejected or otherwise not authenticated "unknown" - Anonymous connection "other" - We know him, but not his name "user" - We know his name "valid" - We know him, and he needs no password
"NULL" - No authentication "KERBEROS_V4" - Kerberos 4 "KERBEROS_V5" - Kerberos 5 "SRP" - Secure Remote Password "NTLM" - NT Lan Manager "X_509_CERTIFICATE" - X.509 certificate
So, for example, if the sysadmin wishes to prevent user "olga" from using the IKS on Mondays, the initialization file could contain a command like:
if equal \v(user) olga -
if equal \v(nday) 1 -
exit 1 Sorry Olga - please come back another day
Or suppose it is desirable to block access from all xyzcorp.com hosts between 9:00am and noon:
if match \v(line) *.xyzcorp.com -
if lgt \v(time) 09:00:00 -
if llt \v(time) 12:00:00 -
exit 1 Sorry - Please come back after noon
Or suppose a certain user is to be allowed to GET files from the server, but not SEND, PRINT, or MAIL them:
xif equal \v(user) ivan {
disable send
disable print
disable mail
disable enable
}
System logging in Windows NT is performed via the Administrative Tools Event Log. Use the Event Viewer to examine IKSD events.
All IKSD entries (except debugging, see below) appear in the event log, with a tag of "IKSD" and the process ID (pid) of the IKSD process. The system logging levels are:
0 = no logging 1 = Login/out, failed login attempts, failed Kerberos (etc) authentication 2 = Dialing out (does not apply to IKSD) 3 = Making any kinds of connections (does not apply to IKSD) 4 = Protocol Operations 5 = Creating / receiving / deleting / renaming / copying files 6 = Sending / typing / reading / transmitting files 7 = All top-level commands and all server commands sent to iksd 8 = Commands executed from macros and command files 9 = Debug
Each level includes all the levels beneath it (except 0 is not included if the logging level is greater than 0). The default logging level is 6. If you specify a number higher than the the maximum, it is the same as specifying the maximum.
WARNING: Debug level produces VOLUMINOUS amounts of information -- it is equivalent to (in fact, it is) Kermit 95's debug log. Furthermore, there is a good possibility it will contain sensitive information such as clear-text passwords.
The transfer log is disabled by default; it must be enabled on the command line (Section 5.1).
The transfer log has the same format as the Unix wu-ftpd log, and so all the same scripts can be used to process it, collect statistics, etc.
The Transfer log can also be used in regular user-mode Kermit 95 sessions.
The first field is fixed-length and contains spaces; subsequent fields are variable length, contain no spaces, and are separated by one or more spaces. The fields are:
5.1. Automatic Settings 5.2. Authentication and Authorization 5.3. The DISABLE Command 5.4. Shell Access 5.5. Anonymous Users 5.6. Management Information
The IKSD behaves at runtime just like the regular Kermit-95 program with the differences noted in this section and in Section 7.
When Kermit-95 is started as an Internet Kermit Service, the following settings occur automatically:
Items d-f can be overridden in the IKSD configuration file.
TO DO: Describe details of authentication via X.509 certificates, Kerberos, SRP, and NTLM and how that differs from authorization via the issuance of a userid and password.
The IKSD command prompt will not appear, and no commands may be given, before the user is authorized (and perhaps, authenticated).
When the IKSD has been started without the SET IKS SERVER-ONLY ON command in the IKSD Configuration file, it issues a Username: prompt. The user may type a username at the prompt, in which case a Password: is issued, and the user must enter a password. Three login attempts are allowed, with a pause enforced between each one. If all three fail, the connection is closed.
The user may also authorize from the client by sending a REMOTE LOGIN command (again, only 3 tries are allowed), or by Telnet Authentication negotiations. Prior to authorization, the IKSD will respond to only the following client commands:
REMOTE LOGIN REMOTE LOGOUT REMOTE HELP REMOTE EXIT BYE
Once authorized, the user may not re-authorize or change identities.
The connection persists until it is broken in any of the following ways:
The connection is also closed if the user exits from the client, but only if it was an end-to-end Telnet connection. There can be no guarantee that exiting from a serial communication program will close and hang up the serial connection.
In the IKSD, the DISABLE command applies not only to client/server functions, but also to the corresponding commands when given at the prompt. For example, DISABLE DELETE disables not only REMOTE DELETE commands given from the client, but also DELETE commands given at the IKSD's command prompt, as well as implicit forms of file deletion, such as when the target of a COPY command is an existing file.
The DISABLE ENABLE command is irreversible; once this command is given, the ENABLE command can not be re-enabled, and therefore no other disabled commands can be enabled either. ENABLE is DISABLEd automatically for anonymous users, so any DISABLE commands in the anonymous-user initialization file (Section 5.4) are also irreversible.
All forms of system and shell access are disabled in WIKSD. Thus the user can not execute REMOTE HOST commands from the client, nor access the shell from the IKSD command prompt via shell escapes (!), the RUN or PUSH command, or by specifying pipes or filters in file-transfer commands, or by pipe specifications in REMOTE commands, or in any other way.
Anonymous logins are disabled by default, but can be enabled with the SET IKS ANONYMOUS LOGIN ON command in the IKSD Configuration file.
The account specified by SET IKS ANONYMOUS ACCOUNT is used on Windows NT/2000/XP to provide anonymous access. There is no ANONYMOUS ACCOUNT in Windows 95/98/ME. For safety in Windows 9x, an anonymous root directory should always be specified with SET IKS ANONYMOUS ROOT. Otherwise anonymous users will have (at least) read access to your entire file system.
In addition to the FTP-like restrictions, certain Kermit services are always denied to anonymous users. These include:
The latter three provisions mean that anonymous users can not delete, overwrite, rename, or alter any existing files in any way, whether by file transfer or with the DELETE or RENAME command.
Note that IKSD, like FTPD, does not allow directory creation by anonymous users, even when file/directory permissions would otherwise allow it. To change this, add:
enable mkdir ; Enable directory creation
to the IKSD Configuration file or the ON_LOGIN macro. Similarly for directory removal:
enable rmdir ; Enable directory removal
Of course directories can be removed only if (a) they are empty, and (b) their permissions allow it.
The command-line argument vector, normally accessible in the \&@[] array, the top-level \%0..9 variables, or by other means, is inaccessible to IKSD users. Thus IKSD clients can not discover the IKSD startup path or options, the logfile pathnames or directories, logging level, etc.
6.1. The Control Panel 6.2. The Event Log 6.3. The Task Manager 6.4. IKSDPY
As with any Internet service (e.g. FTP, Telnet), every IKSD session has its own IKSD server instance. Thus at any time 0, 1, 2, or more copies of IKSD may be running on your PC. You can monitor and control them in various ways, described in this section.
Control Panel --> Administrative Tools --> Services. This lets you stop, pause, resume, or start Internet Kermit Service (IKSD). Note: stopping the service does not stop open sessions; it merely blocks creation of new sessions.
You can monitor IKSD sessions with the Event Log:
Control Panel --> Administrative Tools --> Event Viewer --> Applications
IKSD entries have IKSD in the Source column. The types of entries that appear in the log depend on your SET SYSLOG selection. To see the detail for an entry, double click on it. The text entered into the log by IKSD is at the end of the Description box (despite the fact the that description begins with "The description for Event ID (0) uin Source (IKSD) cannot be found").
The Event Viewer does not update the screen as new events occur; you have to hit the Refresh button.
You can watch IKSD (as either IKSDNT or K95) in the task manager's Processes tab, and system performance in the Performance tab. Unfortunately, however, there is no way to kill an IKSD instance because it is owned by System, and not even the Administrator has the authority to kill System-owned processes.
A realtime text-mode display of IKSD activity is available as a Kermit script called IKSDPY.KSC, to be executed by Kermit 95. You can find a copy of it in Kermit 95's SCRIPTS subdirectory. To use it, start a copy of K95.EXE and tell it to "take scripts/iksdpy.ksc". Or (if in your Kermit 95 installation, you chose to associate ".KSC" files with Kermit 95) you can simply click on the IKSDPY.KSC file or any shortcut to it.
The main IKSDPY display shows the active sessions. If you press a digit, you can view the details for a particular session -- user, pid, current directory, state, last command, etc.
In any screen, you can press "h" to get help for that screen, which tells you which keys you can press to move to other screens.
7.1. Connection Establishment 7.2. Shell Access 7.3. Non-Kermit Protocols 7.4. Additional Administrative Controls 7.5. Known Bugs
Several services that are normally provided by Kermit-95 are not available when it is an Internet Kermit Service Daemon.
If a real user has access to the IKSD command prompt, why not allow her to "set host" or "set line" from there to another place? Obviously this would be a security risk if allowed for anonymous users. For authenticated users, it should be OK, but is not currently possible for Telnet connections since the IKSD is already a Telnet server on the incoming connection, and is not designed to conduct two separate Telnet sessions simultaneously. It might be possible to allow the user to make a dialout connection, but some coding and testing would be needed should this prove desirable, and even then it is not clear that the PC owner would be willing to pay the telephone charges.
Shell access is forbidden to anonymous users for obvious reasons. From a security standpoint, it could be allowed for authenticated users.
Since Xmodem, Ymodem, and Zmodem are built into Kermit 95, when it is used as an IKSD these protocols are available for use, e.g. with "set protocol zmodem". Non-Kermit protocols are not available with the standalone IKSDNT.EXE program.
Certain options available in wu-ftpd are not implemented in iksd:
These or other controls can be added if there is sufficient reason or demand.
In case you want to test IKSD on a port other than 1649, be aware that IKS-aware Kermit clients (such as Kermit-95 and C-Kermit) will not automatically initiate Telnet negotiations with it, since it is not on a Telnet port (i.e. 23 or 1649). To get correct operation you'll need to force the client to negotiate, e.g.:
telnet hostname 3000 set host hostname 3000 /telnet
[ Top ] [ Contents ] [ Kermit 95 Home ] [ Kermit Home ]