Re: Sftp query (88 Views)
Advisor
Phil Storer
Posts: 27
Registered: ‎03-04-1998
Message 1 of 6 (88 Views)

Sftp query

Have just installed Secure shell A.03.71 on my HP-UX 11.11i system to enable me to make use of sftp so that I can set up an 'SSL compatible ftp client' to access an ftp server that only allows secure connections, i.e. both client and server will exchange certificates.

My question is how do I generate a certificate in the first instance to send to the folk who own the ftp server who will in turn send me back a newly generated certificate. Second question is what do I then do with this certificate.

As you've gathered I'm slightly confused with the steps in configuring sftp.
Exalted Contributor
Steven E. Protter
Posts: 33,806
Registered: ‎08-15-2002
Message 2 of 6 (88 Views)

Re: Sftp query

Docs on ssl

http://www.google.com/url?sa=U&start=1&q=http://www.orionserver.com/docs/ssl.html&e=747

http://www.google.com/url?sa=U&start=10&q=http://nicgrabhosting.nicgrab.com/Part5/SSL.htm&e=747

http://www.ssl.org
http://www.modssl.org

sftp doesn't really use these certificates but I suppose you could force it.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Trusted Contributor
Robert Binkhorst
Posts: 139
Registered: ‎04-09-2003
Message 3 of 6 (88 Views)

Re: Sftp query

Hi,

You don't need to exchange certificates, that is mostly used when signing email.

Your ssh server (sshd) has generated its own certificate; the first time someone connects to it, he/she has to manually accept it.

So, when you connect to the remote sftp server, you might need to accept a certificate once, but that's probably not even required. The traffic would be encrypted from the start and you should be able to log in and transfer files.

HTH,

Robert
linux: the choice of a GNU generation
Honored Contributor
Andrew Cowan
Posts: 710
Registered: ‎02-27-2001
Message 4 of 6 (88 Views)

Re: Sftp query

I think that you're getting a bit mixed-up here.

PKI certificates can be used in a number of ways. SSH uses a public/private key pair simply to ensure that conversations can be encrypted, and to ensure that parties are who they claim to be. However, the major problem is that the first time you connect to a host you are given the option of accepting their key, and thus taking it as being the way of checking their identity. If you were to accept this key from a trojaned host, then you would forever accept them as the real host.

PKI when used in email uses a construction known as an X.509 format certificate. This certificate has been constructed in such a way that it is bound to the rightful owner, and cannot be changed, or used by an imposter, without you being able to detect it. For an in-depth explanation of this process see www.verisign.com.

SSL (Secure Sockets Layer) is a component of many "secure" network services, though it is also completely invisible to the end-user, therefore I wouldn't really worry about it.

To generate a public/private key pair for use with ssh/scp, or sftp, use:

ssh-keygen -t rsa

and then send the remote user the ~/.ssh/id_rsa.pub file. They can then set up their system so that you can access it (as this user) without a password.
If you want them to access your system (for a particular user) get them to send you their id_rsa.pub file and append it to your ~/.ssh/authorized_keys file.
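The key-exchange steps in the post above (generate a pair, send the .pub file, append the peer's .pub file to authorized_keys), written up as shell functions. This is an added example, not code from the thread or from HP's Secure Shell product; it assumes the OpenSSH command-line tools, and the directory and file names passed in are the caller's choice. Beyond the original instructions it also sets the permissions sshd insists on, refuses files that are not OpenSSH public keys, and avoids appending the same key twice.

```shell
#!/bin/sh
# Added example: generate an SSH key pair and install a peer's public key
# into authorized_keys the way the post describes. Assumes OpenSSH tools.

# gen_keypair DIR NAME: create an RSA key pair DIR/NAME and DIR/NAME.pub if
# none exists. No passphrase (-N "") so the key can be used from cron jobs.
gen_keypair() {
  dir=$1; name=$2
  mkdir -p "$dir" && chmod 700 "$dir" || return 1   # sshd rejects group/world-writable ~/.ssh
  [ -f "$dir/$name" ] || ssh-keygen -q -t rsa -b 3072 -N "" -f "$dir/$name"
}

# install_pubkey PUBFILE AUTHFILE: append the single-line public key in PUBFILE
# (the peer's id_rsa.pub) to AUTHFILE, but only if it is really an OpenSSH
# public key and is not already present. AUTHFILE is kept mode 600.
install_pubkey() {
  pub=$1; auth=$2
  line=$(head -n 1 "$pub") || return 1
  case "$line" in
    "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
    *) echo "not an OpenSSH public key: $pub" >&2; return 1 ;;
  esac
  touch "$auth" && chmod 600 "$auth" || return 1
  grep -qxF "$line" "$auth" && return 0        # already installed; nothing to do
  printf '%s\n' "$line" >> "$auth"
}

# Typical use (the remote user sends you their id_rsa.pub; you send them yours):
#   gen_keypair "$HOME/.ssh" id_rsa
#   install_pubkey /tmp/peer_id_rsa.pub "$HOME/.ssh/authorized_keys"
```

The permission settings matter in practice: sshd silently ignores authorized_keys when ~/.ssh or the file itself is writable by others, which is a common reason key authentication "doesn't work" and the server falls back to asking for a password.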
Valued Contributor
Tim Maletic
Posts: 37
Registered: ‎03-10-1998
Message 5 of 6 (88 Views)

Re: Sftp query

In case the above hasn't made clear, there are two different protocols that go under the name of "secure ftp" or "sftp". Some people mean "ftp over ssh", but most "secure ftp" off-the-shelf products and Windows users mean "ftp over ssl". It's kind of like the difference between PGP and SMIME for "secure email". If you hear the word "certificate," you're talking about "ftp over ssl" (or SMIME), and not "ftp over ssh" (or PGP).

By installing OpenSSH, you get "ftp over ssh". If you want a server that supports "ftp over ssl" then -- AFAIK -- you'll need to buy one. Anyone know of an opensource FTP+SSL server?
Honored Contributor
Steven Sim Kok Leong
Posts: 2,376
Registered: ‎09-04-1997
Message 6 of 6 (88 Views)

Re: Sftp query

Hi,

If you are into FTP over SSL, give stunnel a try.

http://www.stunnel.org/examples/ftp.html

However, considering the limitations of tunneling FTP over SSL, i.e. you need to cater for both FTP CONTROL and FTP DATA traffic, you are much better off using SFTP (FTP over SSH).

There is no need for certificates. Trust relationship using public/private key pairs should suffice such that secure FTP can be performed via automated scripts or cron jobs without passwords being entered.

Hope this helps. Regards.

Steven Sim Kok Leong
Email: steven@beepz.com. Homepage: https://www.beepz.com
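The unattended, password-free transfer the post above has in mind (key-pair trust, run from cron), as an added example rather than anything from the thread. It assumes the OpenSSH sftp client; the host name, user name, key path and remote directory are placeholders. Two options do the work: BatchMode=yes makes sftp fail rather than prompt for a password, and StrictHostKeyChecking=yes makes it refuse an unknown or changed server key, which is exactly the "accept a trojaned host's key once, trust it forever" risk raised earlier in the thread. The script therefore checks that the server's key is already in known_hosts before it starts.

```shell
#!/bin/sh
# Added example: non-interactive sftp upload for a cron job, authenticated
# with a key pair instead of a password. Assumes the OpenSSH sftp client.
# All names below are placeholders, not values from the thread.

SFTP_HOST=${SFTP_HOST:-sftp.example.invalid}    # placeholder host
SFTP_USER=${SFTP_USER:-uploader}                 # placeholder account
KEY=${KEY:-$HOME/.ssh/id_rsa}                    # private key whose .pub the peer installed
KNOWN_HOSTS=${KNOWN_HOSTS:-$HOME/.ssh/known_hosts}

# host_known HOST FILE: succeed only if HOST already has an entry in FILE.
# ssh-keygen -F understands both plain and hashed known_hosts entries.
host_known() {
  ssh-keygen -F "$1" -f "$2" >/dev/null 2>&1
}

# build_batch OUT LOCALFILE REMOTEDIR: write the sftp command script that
# "sftp -b" will execute line by line; sftp aborts on the first failing command.
build_batch() {
  out=$1; local_file=$2; remote_dir=$3
  {
    echo "cd $remote_dir"
    echo "put $local_file"
    echo "ls -l"
    echo "bye"
  } > "$out"
}

# run_transfer LOCALFILE REMOTEDIR: upload LOCALFILE into REMOTEDIR.
# Returns 2 (without contacting the server) if the host key is not yet
# trusted, so a cron run never sits waiting on the interactive yes/no prompt.
run_transfer() {
  batch=$(mktemp) || return 1
  build_batch "$batch" "$1" "$2"
  if ! host_known "$SFTP_HOST" "$KNOWN_HOSTS"; then
    echo "host key for $SFTP_HOST not in $KNOWN_HOSTS; add it from a trusted channel first" >&2
    rm -f "$batch"
    return 2
  fi
  sftp -b "$batch" -i "$KEY" \
       -o BatchMode=yes \
       -o StrictHostKeyChecking=yes \
       -o UserKnownHostsFile="$KNOWN_HOSTS" \
       "$SFTP_USER@$SFTP_HOST"
  rc=$?
  rm -f "$batch"
  return $rc
}

# Example crontab line (placeholder paths):
#   15 2 * * * /usr/local/bin/nightly_upload.sh /var/reports/report.txt /incoming
```

The first known_hosts entry is the one place a human must be involved: obtain the server's host-key fingerprint from its administrators out of band and compare it against what the first interactive connection shows before accepting, since every later automated run will trust whatever was stored then.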