1748169 Members
3864 Online
108758 Solutions
New Discussion юеВ

Re: Sftp query

 
Phil Storer
Advisor

Sftp query

Have just installed Secure shell A.03.71 on my a HP-UX 11.11i system to enable me to use make use of sftp so that I can set up a 'SSL compatible ftp client' to access a ftp server that only allows secure connections i.e. both client and server will exchange certificates.

My question is how do I generate a certificate in the first instance to send to the folk who own the ftp server who will in turn send me back a newly generated certificate. Second question is what do I then do with this certificate.

As you've gathered I'm slightly confused with the steps in configuring sftp.
5 REPLIES 5
Steven E. Protter
Exalted Contributor

Re: Sftp query

Docs on ssl

http://www.google.com/url?sa=U&start=1&q=http://www.orionserver.com/docs/ssl.html&e=747

http://www.google.com/url?sa=U&start=10&q=http://nicgrabhosting.nicgrab.com/Part5/SSL.htm&e=747

http://www.ssl.org
http://www.modssl.org

sftp doesn't really use these certificates but I suppose you could force it.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Robert Binkhorst
Trusted Contributor

Re: Sftp query

Hi,

You don't need to exchange certificates, that is mostly used when signing email.

Your ssh server (sshd) has generated it's own certificate, the first time someone connects to it he/she has to manually accept it.

So, when you connect to the remote sftp server, you might need to accept a certificate once, but that's probably not even required. The traffic would be encrypted from the start and you should be able to log in and transfer files.

HTH,

Robert
linux: the choice of a GNU generation
Andrew Cowan
Honored Contributor

Re: Sftp query

I think that you're a getting a bit mixed-up here.

PKI certificates can be used in a number of ways. SSH uses a public/private key pair simply to ensure that converstations can be encrypted, and to ensure that parties are who they claim to be. However, the major problem is that the first time you connect to a host you are given the option of accepting their key, and thus taking it as being the way of checking their identity. If you were to accept this key from a trojaned host, then you would forever accept them as the real host.

PKI when used in email uses a construction known as an X.509 format certificate. This certificate has been constructed in such a way that it is bound to the rightful owner, and cannot be changed, or used by an imposter, without you being able to detect it. For an in-depth explanation of this process see www.verisign.com.

SSL (Secure Sockets Layer) is a component of many "secure" network services, though it is also completely invisible to the end-user, therefore I wouldn't really worry about it.

To generate a public/private key pair for use with ssh/scp, or sftp, use:

ssh-keygen -t rsa

and then send the remote user the ~/.ssh/id_rsa.pub file. They can then set up their system so that you can access it (as this user) without a password.
If you want them to access your system (for a particular user) get them to send you their id_rsa.pub file and append it to your ~/.ssh/authorized_keys file.
Tim Maletic
Valued Contributor

Re: Sftp query

In case the above hasn't made clear, there are two different protocols that go under the name of "secure ftp" or "sftp". Some people mean "ftp over ssh", but most "secure ftp" off-the-shelf products and Windows users mean "ftp over ssl". It's kind of like the difference between PGP and SMIME for "secure email". If you hear the word "certificate," you're talking about "ftp over ssl" (or SMIME), and not "ftp over ssh" (or PGP).

By installing OpenSSH, you get "ftp over ssh". If you want a server that supports "ftp over ssl" then -- AFAIK -- you'll need to buy one. Anyone know of an opensource FTP+SSL server?
Steven Sim Kok Leong
Honored Contributor

Re: Sftp query

Hi,

If you are into FTP over SSL, give stunnel a try.

http://www.stunnel.org/examples/ftp.html

However, considering the limitations tunneling FTP over SSL, i.e. you need to cater for both FTP CONTROl and FTP DATA traffic, you are much better off using SFTP (FTP over SSH).

There is no need for certificates. Trust relationship using public/private key pairs should suffice such that secure FTP can be performed via automated scripts or cron jobs without passwords being entered.

Hope this helps. Regards.

Steven Sim Kok Leong