topic Re: Secure FTP on VMS in Operating System - OpenVMS

Secure FTP on VMS

robert70 — Tue, 06 Sep 2011 11:16:37 GMT

Hello,

We run an Alpha Server DS20E - VMS 8.3, SSH 5.5, TCPIP 5.6-ECO 5

We can Secure FTP with the command "$ SFTP2" to other servers on our corporate network (WAN)

We can FTP through our proxy to EXTERNAL FTP sites.

We wish to Secure FTP through our proxy to EXTERNAL Secure FTP sites.

How can this be achieved?

I can acheive a similar result from a Windows XP PC on the same network. I use PUTTY which allows the setup of a proxy and secure FTP is acheived to EXTERNAL clients. Trying to setup something similar

for our VMS system.

Re: Secure FTP on VMS

Hoff — Tue, 06 Sep 2011 12:43:11 GMT

While sharing three letters in its name and its purpose, sftp is entirely different from ftp. And to add confusion, ftps is ftp via ssl; yet different.

Traditional sftp cannot typically be proxied without breaching the protocol security; a proxy server is seeking to perform a Man-in-the-Middle protocol attack, and sftp and ssh are intended to avoid exposures to that and to flag that.

Traditional ftp can be proxied, and (barring an ftp connection via a site-to-site or client-to-site VPN, stunnel, or related) is exquisitely insecure, in addition to its usual issues with navigating firewalls.

OpenVMS with TCP/IP Services offers both ftp client and server, and variants of SSH's sftp client and server.

Talk with your corporate network IT and network security here around firewall options and protocols. Some sites limit sftp and ssh (because they can't sniff it) and some prefer the secure protocols to telnet and ftp (which can be sniffed, and which do trivially expose the login credentials in cleartext).

Re: Secure FTP on VMS

Jose_Baars — Mon, 12 Sep 2011 17:11:13 GMT

SFTP' ing through a proxy is not possible using the standard SFTP tool
as supplied with TCP/IP services.

Curl would be an alternative, but the currently standard curl build for VMS
does not offer SSH.

You might have luck with a creative STunnel solution, but that would
be a lot of work to set up and maintain, and could open up a lot of
unintended security holes.

I humbly beg to disagree with Hoff that SSH over an HTTP connect proxy
(the usual proxy type) would break the protocol any more than another
network component like a router or a switch would.

Re: Secure FTP on VMS

Hoff — Mon, 12 Sep 2011 17:59:19 GMT

This so-called forum software is utter dreck.

Some folks mean proxying over a protocol. Some mean to establish a connection via an intermediate proxy host.

If you can intercept ssh (which is what a proxy host does), then there's a problem with your certificate vendor, or with your local certificate security or ceriticate authority, or you've deliberately decided to expose your secured traffic to traverse the proxy host.

If somebody is blocking ssh for whatever reason, then yes, you can proxy over DNS or http or otherwise (and which is an end-to-end connection and should be secure), via a tool such as corkscrew via an ssh ProxyCommand via netcat or such and bypass the filters, or you can potentially use multi-hop ssh. (And some of these mean you really need to trust that proxy host.)

Re: Secure FTP on VMS

robert70 — Tue, 13 Sep 2011 14:03:41 GMT

Thank you both for your replies

Not exactly the answers I was looking for so

I propose to keep these procedures on a networked PC for the time being as I have a process working using PUTTY PSFTP.

Re: Secure FTP on VMS

Hoff — Tue, 13 Sep 2011 15:07:44 GMT

Escalate this to management. A security policy or firewall rule that might well be a reasonable design in the generic but that's now in the way of fulfilling a specific business requirement can usually be removed or adjusted through the assistance of management. These sorts of trade-offs are what management gets paid for, after all.

Re: Secure FTP on VMS

Richard J Maher — Thu, 15 Sep 2011 03:08:20 GMT

I'm sure IPSec (that has been on the roadmap for ober 10 yrs) must be available on VMS real soon now.

Could provide the security you require?