topic Re: Secure FTP in Operating System - HP-UX

Secure FTP

raymond lei — Wed, 14 Aug 2002 13:27:53 GMT

Hi, there:

We are using wu-ftp 2.4, and our client is considering Secure Ftp. I can see the "(Version wu-2.4(SecurID)) ready" at the ftp server login prompt. Does this mean wu-ftp support Secure ftp as well?

As I understand, secure ftp is a part of SSH and we don't use SSH currently. If we go to Secure ftp without disabling telnet, will all of this still make sense?

Appreciate for any response..

Re: Secure FTP

Shannon Petry — Wed, 14 Aug 2002 13:39:22 GMT

Secure FTP is a part of the OpenSSH project. wu_ftp is not secure, and is prone to buffer overflows, and other attacks.

Secure FTP may not be that different when it comes to the buffer overflows (just has not been used enough to be exploited), but has many features like encrypted login, that make it much more secure than standard FTP.

You can go to secure ftp, and since it runs on port 22 (unless you change it) you can maintain telnet, standard ftp, etc...

Remember that to use secure ftp, all of your customers will have to have the sftp client program to be able to connect. Also the other client requirements like key generators, etc...

Regards,
Shannon

Re: Secure FTP

Jeff Schussele — Wed, 14 Aug 2002 13:42:24 GMT

Hi Raymond,

It's my understanding that SecurID is an authentication process whereby the user enters a numeric "token" generated by a smartcard in the user's posession which is authenticated by a SecurID server.
This is entirely different than the sftp functionality of ssh which will encrypt all the traffic as well as authenticate the user.
So no, I wouldn't say this is "secure" ftp per se - it's a secure authentication capable product.

Rgds,
Jeff

Re: Secure FTP

Alan Casey — Wed, 14 Aug 2002 13:50:15 GMT

SSH is seperate to telnet, so you can disable the telnet port if you like when using ssh.

Re: Secure FTP

raymond lei — Wed, 14 Aug 2002 13:58:48 GMT

Shannon:

Thank you so much for quickly response. Does HP have the openSSH depot? If so, what is the current version. Thanks again, I will assign points later on.

Re: Secure FTP

Alan Casey — Wed, 14 Aug 2002 14:11:57 GMT

You will find it at:

www.openssh.org

http://www.openssh.org/portable.html

Alan

Re: Secure FTP

Shannon Petry — Wed, 14 Aug 2002 14:15:02 GMT

The HP porting center has the depots you need to install it for HP-UX. The web site someone else gave is the openssh site, and may or may not have good depots for HP-U (never tried theirs if they exist).
The porting center has other goodies as well, so make a bookmark!
http://hpux.cs.utah.edu

Have fun!
Shannon

Re: Secure FTP

raymond lei — Wed, 14 Aug 2002 14:50:47 GMT

The secure access(ssh&sftp) and unsecure access(telnet&ftp) of system can exist together, so it's customer's choice to pick up a way they want to use. Thanks very much for everybody's help. I will try the websites later.

Re: Secure FTP

Bill Hassell — Wed, 14 Aug 2002 15:32:10 GMT

You may want to use the package supplied by HP at software.hp.com Out of the box, it will coexist with telnet/ftp and the 'r' commands (rcp, rlogin, remsh) but these can be disabled if security is a big concern. As mentioned, network connectivity using SSH tools exclusively will mean that no one can connect using the equivalents of telnet, ftp, etc unless they have the appropriate client software. Note also that there are incompatible standards: SSH-1 and SSH-2. Some clients understand both, some do not.

So all your HP-UX (11.0 and higher) can have SSH added and they can be authenticated to talk to each other. A nice feature of SSH is the ability to preauthorize a trust relationship (user+machine) so the user no longer has to login with a password and .rhosts may (should) be removed.

Now this all sounds neat until you look at the sysadmin's responsibilities. If a user needs access to another system, the public key from the user must be generated and given to the sysadmin for installation on the new host (assuming all other methods to connect are disabled). In other words, in a truly locked-down environment, the sysadmin job just got bigger.

Before you start using SSH, get the O'Reilly book: SSH, The Secure Shell (Barrett and Silverman) and plan to spend a few evenings on the overviews.