03-03-2004 04:17 PM
My question is how do I generate a certificate in the first instance to send to the folk who own the ftp server, who will in turn send me back a newly generated certificate? Second question is what do I then do with this certificate?
As you've gathered I'm slightly confused with the steps in configuring sftp.
03-03-2004 04:21 PM
sftp doesn't really use these certificates but I suppose you could force it.
Owner of ISN Corporation
03-03-2004 06:41 PM
You don't need to exchange certificates, that is mostly used when signing email.
Your ssh server (sshd) has generated its own certificate; the first time someone connects to it, he/she has to manually accept it.
So, when you connect to the remote sftp server, you might need to accept a certificate once, but that's probably not even required. The traffic would be encrypted from the start and you should be able to log in and transfer files.
03-04-2004 08:27 PM
PKI certificates can be used in a number of ways. SSH uses a public/private key pair simply to ensure that conversations can be encrypted, and to ensure that parties are who they claim to be. However, the major problem is that the first time you connect to a host you are given the option of accepting their key, and thus taking it as being the way of checking their identity. If you were to accept this key from a trojaned host, then you would forever accept them as the real host.
PKI when used in email uses a construction known as an X.509 format certificate. This certificate has been constructed in such a way that it is bound to the rightful owner, and cannot be changed, or used by an imposter, without you being able to detect it. For an in-depth explanation of this process see www.verisign.com.
SSL (Secure Sockets Layer) is a component of many "secure" network services, though it is also completely invisible to the end-user, therefore I wouldn't really worry about it.
To generate a public/private key pair for use with ssh/scp, or sftp, use:
ssh-keygen -t rsa
and then send the remote user the ~/.ssh/id_rsa.pub file. They can then set up their system so that you can access it (as this user) without a password.
If you want them to access your system (for a particular user) get them to send you their id_rsa.pub file and append it to your ~/.ssh/authorized_keys file.
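The authorized_keys step from that post, as an added shell example that is not part of the original thread: it appends a received id_rsa.pub line to an authorized_keys file only once (re-running it is safe) and sets the permissions sshd's StrictModes checks expect. The key line is a constructed placeholder, and the .ssh directory is passed as a parameter instead of assuming the real ~/.ssh.

```shell
#!/bin/sh
# Constructed sample public key line (placeholder, NOT real key material).
# In practice this is the one-line contents of the other party's ~/.ssh/id_rsa.pub,
# produced on their side by `ssh-keygen -t rsa`.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0PLACEHOLDERKEY user@example.com'

# Append a public key line to <sshdir>/authorized_keys unless it is already present,
# and enforce the modes sshd expects: directory 700, authorized_keys 600.
# Comparison uses only the key type and base64 blob, so a differing trailing
# comment (the user@host part) does not cause a duplicate entry.
# Usage: install_pubkey "<pubkey line>" /path/to/.ssh
install_pubkey() {
  key="$1"
  sshdir="$2"
  akfile="$sshdir/authorized_keys"
  mkdir -p "$sshdir"
  chmod 700 "$sshdir"
  touch "$akfile"
  chmod 600 "$akfile"
  keyid=$(printf '%s\n' "$key" | awk '{print $1" "$2}')
  if ! awk '{print $1" "$2}' "$akfile" | grep -qxF "$keyid"; then
    printf '%s\n' "$key" >> "$akfile"
  fi
}

# How many entries in <sshdir>/authorized_keys match the given key (type + blob).
# Usage: count_pubkey "<pubkey line>" /path/to/.ssh
count_pubkey() {
  keyid=$(printf '%s\n' "$1" | awk '{print $1" "$2}')
  awk '{print $1" "$2}' "$2/authorized_keys" | grep -cxF "$keyid"
}

# Octal mode of a path, portable across GNU and BSD stat.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Demo against a throwaway directory so nothing touches the real ~/.ssh.
demo_dir=$(mktemp -d)
install_pubkey "$SAMPLE_PUBKEY" "$demo_dir/.ssh"
install_pubkey "$SAMPLE_PUBKEY" "$demo_dir/.ssh"   # second run must not duplicate
echo "entries: $(count_pubkey "$SAMPLE_PUBKEY" "$demo_dir/.ssh")"
echo "modes: dir=$(file_mode "$demo_dir/.ssh") file=$(file_mode "$demo_dir/.ssh/authorized_keys")"
rm -rf "$demo_dir"
```

If sshd still refuses the key, check that the home directory itself is not group- or world-writable, since StrictModes rejects that too.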
03-08-2004 02:30 AM
By installing OpenSSH, you get "ftp over ssh". If you want a server that supports "ftp over ssl" then -- AFAIK -- you'll need to buy one. Anyone know of an opensource FTP+SSL server?
03-13-2004 06:01 PM
If you are into FTP over SSL, give stunnel a try.
However, considering the limitations of tunneling FTP over SSL, i.e. you need to cater for both FTP CONTROL and FTP DATA traffic, you are much better off using SFTP (FTP over SSH).
There is no need for certificates. A trust relationship using public/private key pairs should suffice, such that secure FTP can be performed via automated scripts or cron jobs without passwords being entered.
Hope this helps. Regards.
Steven Sim Kok Leong