HomeSupport

A Secure Replacement for FTP

Background

FTP (File Transfer Protocol) was designed at a time when the number of servers on the Internet could be counted on one hand so it was never designed with security in mind. In those early days of the Internet, system administrators knew each other personally and trusted each other. Today, with dozens of millions of hosts on the Internet and with the number of people who have bad intent, it is no longer sufficient to rely on such antiquated protocols. One of the biggest problems of FTP, and what makes it particularly unsuitable for security-conscious system administrators and webmasters, is that authentication is done via login and password information sent as plain-text, i.e. not encrypted.

Today, no responsible webmaster would have users authenticating on a web site without using SSL (https) but many of them seem to be blissfully ignorant of the risks posed by sending FTP passwords in the clear. Fortunately, there is a good alternative, scp (secure copy), which is based on the ssh (secure shell) protocol. In our case, we will be using RSA PKI (Public Key Infrastructure) to secure the connection between your computer and the server. This is often referred to as "two-factor authentication". It relies on two things, something you know, a passphrase, and something you have, a private key. Even if an attacker was able to guess your passphrase, it would not do any good without having physical possession of your private key.

In this HOW-TO, we will generate an RSA public/private key pair, put the public key on the web server, use a key manager to manage your private key, and configure the client to take advantage of the RSA key based authentication. This eliminates the need for Dinamis personnel to send a password to you by insecure means, such as by e-mail, and for anyone but you to know the passphrase for your private key. Once you have your private key unlocked and being managed by the key manager, which runs on your computer, you can initiate as many sessions as you like without having to authenticate for each session.

The following HOW-TO outlines how to set up public key ssh authentication in order to transfer to and from your Linux web server in a secure fashion and also to get a secure shell to Linux. If you do no know what a secure shell is, you can ignore that capability.

If You Are Running Windows


Installing Prerequisite Applications

  1. Download and install PuTTY, which is a free implementation of the ssh (secure shell) and scp (secure copy) protocols for Windows. You should select the Windows installer rather than just the zip file.
  2. Download and install WinSCP, which is a GUI (Graphical User Interface) front-end to the scp application provided by PuTTY.

Generating Your Public/Private Key Pair

  1. Start PuTTYgen from the PuTTY application group. You should see something like this:
    PuTTY Key Generator
  2. Click on the "Generate" button and move the mouse around randomly in the grey area.
  3. Once the RSA key has been generated, you should see something like this:
    Generated SSH-2 RSA Key
  4. Enter something meaningful for the key comment, e.g. subtitute your initial and last name with no spaces for "my" in "my-key". Assign a passphrase for the private key. The usage of the word "phrase" is deliberate. It should be something longer than what you would normally use for a password because you will only have to enter it once per session, not once per connection. Protect this passphrase! If someone steals your private key, without knowing your passphrase, your private key would be useless to them.
  5. Save both the private and public keys. The private key will be automatically assigned a .ppk extension. You should use the same initial and name scheme as above. E.g. John Smith's private key would be jsmith.ppk and his public key would be jsmith.pubkey.
  6. Copy the text in the area titled "Public key for pasting into OpenSSH authorized_keys file:" and paste into a plain-text document.
    gen3
  7. Note: the text must be all on one line with no line breaks as below.
    Text must be all on one line.
  8. Save the text file with a meaningful name, e.g. jsmith.public.key, and send it as an email attachment to the person at Dinamis who requested the key from you. If you know how to digitally sign your email, all the better.

Gaining Access to a Dinamis.com Server From Windows

Once you have received confirmation from Dinamis that your key has been received and added to the authorized_keys file on the server, continue with the following steps.

  1. Launch PuTTY from the PuTTY group. In the Sessions section, do the following:
    1. Enter either a host name or IP address in the Host Name (or IP Address) field - host name is preferred.
    2. Select SSH for Protocol.
    3. Enter a short but meaningful name in the Saved Sessions field. If you ever use the command line pscp (secure copy) tool provided in the PuTTY suite, you will appreciate having a short saved session name. The saved session name is simply your way of referring to this session, nothing else.

    PuTTY Session Configuration Screen Shot

  2. In the Connection section, enter the username in the Auto-login username field. This is the Linux shell account name that you will have been assigned.
    PuTTY Session Configuration Screen Shot
  3. In the Connection>>SSH section, select 2 only for the Preferred SSH protocol version.
    PuTTY Session Configuration Screen Shot
  4. In the Connection>>SSH>>Auth section, click on the Browse button and select the previously created private key.
    PuTTY Session Configuration Screen Shot
  5. In the Session section, click on the Save button to save the session settings that you have just created. You are now ready to start an ssh or scp session to the remote Linux server from Windows.
  6. Double click on the private key that you had previously saved from PuTTYgen. It should have a .ppk extension. Enter your passphrase. You should see the PuTTY key manager, Pageant, running in the System Tray. You could create a shortcut to your private key in the Windows Startup group if you wish to always unlock your private key when you login to Windows.N.B. There are security implications to keeping one's private RSA key loaded in memory at all times. For further information, refer to Chapter 8 in the PuTTY help file.
    Pageant Key Manager Screen Shot
  7. Right mouse click on the Pageant icon in the System Tray and select Saved Sessions>>Your Session Name to start an ssh session to the SME Server. The first time you start a session to a host that you have never connected to before, PuTTY will put up a warning dialog you should accept unless you have reason to suspect that the host that you think you are connecting to is not really the host you are connecting to. Once you have accepted PuTTY's warning, you should be at shell prompt for someuser with no further passwords or authentication necessary. As long as you have your private key unlocked and managed by Pageant, you will not need to enter any passwords to open additional ssh sessions to the server. At this point, unless you know what to do with a Linux shell, you should close the PuTTY window that has the remote Linux shell.
  8. Launch WinSCP from the WinSCP group. You should see a window like this:
    WinSCP Initial Window Screen Shot
  9. Click on the "Tools" button and select "Import" from the pop up menu. You should see the PuTTY saved session that you had configured above. Select that saved session and the "Import cached host keys for checked sessions" checkbox and click on the "OK" button.
  10. Select the saved session name in the WinSCP Login window and click on the "Login" button. You should see a window like below. You can copy to and from the server in the usual manner, by dragging and dropping.
    WinSCP Session Window Screen Shot

If You Are Running OS X

If you are running OS X and you do not already have a public/private key pair, you can generate a key pair by starting Terminal in OS X and typing the following.

ssh-keygen

You will see output like the following. When you are prompted for the file name in which to save the key, just hit return to accept the default. When you are prompted for the passphrase, enter something sufficiently complex that someone cannot guess it. You can manage this passphrase with keychain later.

Generating public/private rsa key pair.
Enter file in which to save the key (/Users/cilkay/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/cilkay/.ssh/id_rsa.
Your public key has been saved in /Users/cilkay/.ssh/id_rsa.pub.
The key fingerprint is:
aa:92:77:5b:5f:90:38:47:57:c6:2b:e0:d5:90:e9:ab cilkay@ganges
The key's randomart image is:
+--[ RSA 2048]----+
| .*o |
| . +oo |
| ..+. . |
| o.oo . |
| S + o |
| . o .. |
| . . . .. |
| o .... .E. |
| o.... . |
+-----------------+

Copy your public key to a file with a meaningful name, e.g. jsmith.public.key. Obviously, substitute your name for "jsmith". That file will be placed at the root of your home directory.

cd
cp ~/.ssh/id_rsa.pub jsmith.public.key

Attach the public key (id_rsa.pub) to an email and send it as an email attachment to the person at Dinamis who requested the key from you. If you know how to digitally sign your email, all the better.

You will probably want to use some GUI client to do file transfers just like you may be used to doing with ftp clients. Fugu and Cyberduck are two good examples.

Optional - Mount Filesystems on Remote Servers as a Volume in Finder Using SSHFS

  1. Download and install MacFUSE.
  2. Download and install SSHFS-GUI. Watch the video on that page to see how to set it up.
  3. Enjoy treating the filesystem on your web server as just another Mac volume accessible in the Finder.

If You Are Running Linux

If you are running Linux and you do not already have a public/private key pair, you can generate a key pair by starting a shell and typing the following.

ssh-keygen

You will see output like the following. When you are prompted for the file name in which to save the key, just hit return to accept the default. When you are prompted for the passphrase, enter something sufficiently complex that someone cannot guess it. You can manage this passphrase with your key agent later.

Generating public/private rsa key pair.
Enter file in which to save the key (/home/cilkay/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/cilkay/.ssh/id_rsa.
Your public key has been saved in /home/cilkay/.ssh/id_rsa.pub.
The key fingerprint is:
56:c0:da:83:d8:f6:36:86:dd:32:3a:12:bd:46:c7:ec cilkay@nile
The key's randomart image is:
+--[ RSA 2048]----+
| .. |
| .. |
| o + . |
| . = o. |
| o *So |
| . +.% . |
| o B + |
| . = E |
| o . |
+-----------------+

Copy your public key to a file with a meaningful name, e.g. jsmith.public.key. Obviously, substitute your name for "jsmith". That file will be placed at the root of your home directory.

cd
cp ~/.ssh/id_rsa.pub jsmith.public.key

Attach the public key (id_rsa.pub) to an email and send it as an email attachment to the person at Dinamis who requested the key from you. If you know how to digitally sign your email, all the better.

There is no shortage of GUI scp and SSHFS clients for Linux.

‹ SupportupConfigure Microsoft Outlook to be an IMAP Email Client ›