Ask Slashdot: Secure FTP?
Tobbe Johansson asks:
"I would like to put a secure layer between my FTP-daemon and the network. I have searched for a program that encrypts/decrypts the port where my FTP is running but I have not been able to find anything that seems to work. Can anyone help me?"
You can use SSH to encrypt the control connection (i.e. secure your passwords), but it is a pain to also encrypt the data.
If you want everything to be safely encrypted, your choices are:
(1) Use scp (part of ssh) to do the transfers. Works like rcp, can also copy over whole directories recursively.
There are also free versions of scp out there for win and mac.
(2) Use a SSL-ified FTP server and program. (check www.ssleay.org for a link).
Problem: I don't know of any SSL FTP programs out there for win or mac
How about running IPsec between the two boxes? If they are both Linux, then look at:
http://www.flora.org/freeswan/
Not only will your FTP be encrypted, but so will your Telnet, HTTP, and even your pings. The good thing about this would be that you don't need any special client or server applications.
You can use an industry standard encryption and authentication protocol with FTP supported by various clients.
First, go to http://www.openssl.org/. OpenSSL is based on SSLeay and is the basis for open source SSL communications in unix. You'll want to grab openssl and compile it and install it. It provides a number of useful programs including md5 & sha for generating checksums on files and a whole suite of other cipher routines.
Next visit http://www.psy.uq.oz.au/~ftp/Crypto/ and go find an FTP server and client pair which have SSL support. There are also a few general proxy deals which can handle it with any standard FTP server.
Now there are a few ways to do authentication, you can do normal authentication or authentication based on certificate which requires a CA server (things like verisign will work if you want to shell out some cash, but you can also build your own CA).
The great thing about SSL is it can autodetect encryption support. So you can take a standard telnet server, make a few minor modifications to get it SSL capable and connect to it using SSL capable telnet client or a vanilla telnet client and it'll use the strongest security possible.
No need for silly third party daemons or special ports. Although the official TLS service ports are different from their unencrypted counterparts.
This is good if you are behind a corporate LAN which doesn't like allowing anything besides telnet, ftp, and web traffic through their proxy.
--
The world is neither black nor white nor good nor evil, only many shades of CowboyNeal.
Actually ssh2 already has an sftp.....
That's dependent on the ftp server, smartie. I doubt a WinNT ftp server would be able to tar directories for you.
--
Aaron Gaudio
"The fool finds ignorance all around him.
"Every man is a mob, a chain gang of idiots." - Jonathan Nolan, Memento Mori
Secure shell can tunnel anything, including FTP connections. You could probably even throw together a wrapper script called sftp or something. It just means that the server has to have secure shell as well as ftp.
Yeah, I have. I really like it. Both the telnet and ftp daemons work well in encrypted mode, and more importantly they handle unencrypted sessions perfectly, too. Clients exist for most platforms, keysize can be huge (I use 1024 bit keys, myself), and it's transparent to the user (unlike ssh), so you don't have to "retask" them.
http://srp.stanford.edu/
enjoy, it works well!
jose nazario jose@biocserver.cwru.edu
CIPE - encrypted IP over UDP tunneling
"This is an ongoing project to build encrypting IP routers. The protocol used is as lightweight as possible. It is designed for passing encrypted packets between prearranged routers in the form of UDP packets. This is not as flexible as IPSEC but it is enough for the original intended purpose: securely connecting subnets over an insecure transit network. The implementations mentioned below are actually in use in such an application."
The newest version of CIPE is available on http://sites.inka.de/~bigred/devel/cipe.html or ftp://sites.inka.de/sites/bigred/devel/cipe.html
It also works well for getting around those pesky university firewalls.
If security is a big concern, and your ftp site is really only for a select group of people, you may wish to consider the sendfile suite of utilities based on the SAFT (?) protocol. Basically, it's akin to email or instant messaging systems but with files and with decent security involved (you can filter out spurious senders of files, no passwords need pass over the 'net).
Something to give a shot for those of you wanting to give your friend, who's too lazy/paranoid/poor to set up an ftp server, a file.
The Secure Remote Password protocol (SRP) provides a supposedly secure login session as well as an encrypted channel if you wish. The web site is well documented. Has anybody used this in the Real World?
gdon
The two commercial secure FTP solutions are FileDrive (www.differential.com) and Connect:Mailbox (www.sterlingcommerce.com). Do these follow your draft? What commercial solutions do? Thanks in advance!
--The basis of all love is respect
If you download MIT Kerberos 5, it includes GSSFTP which is a Kerberized FTP service. Unless you have a Kerberos infrastructure at your location, however, this may be an excessively complicated solution for you.
http://www.uni-karlsruhe.de/~ig25/ssh-faq/
As it points out, this will leave the data connection open to sniffing/hijacking. If you only care about the integrity of the files you transfer, then verifying against (securely obtained) md5 checksums should do the trick. If you want to encrypt the datastream, you'll need to be a bit more fancy.
If it's possible, consider the use of 'scp' instead of ftp; you'll get protection of both control and data, since it's built into ssh.
Another option (if you control the clients as well) is to use ssh2's "sftp" client. Beware the licensing issues with ssh2, however.
If you really trust the clients, it's also quite easy to set up a VPN between the client and server, and then FTP directly. The ways to go about this depend on the OS you're using, so I'll leave it as an exercise to the reader.
Use ssh's port forwarding, combined with ftp's passive mode. man ssh.
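The catch with forwarding only port 21 over ssh is that FTP's passive-mode 227 reply tells the client to open a second connection to a freshly chosen server port, which is not covered by the forward and so crosses the network in clear text. The following added example (not from any poster in this thread) parses a constructed 227 reply and checks it against a hypothetical set of `ssh -L` forwards to show when the data connection stays inside the tunnel and when it does not.

```python
import re

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (host, port) of the data connection announced in a 227 reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a PASV (227) reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def data_channel_via_tunnel(reply, forwards):
    """Local port the client should use for the data connection, or None.

    `forwards` mirrors `ssh -L local_port:remote_host:remote_port` as
    {local_port: (remote_host, remote_port)}.  None means the announced
    data endpoint is not forwarded, so the transfer would leave the
    tunnel and travel unencrypted.
    """
    host, port = parse_pasv(reply)
    for local_port, target in forwards.items():
        if target == (host, port):
            return local_port
    return None


if __name__ == "__main__":
    # Constructed reply as seen through a tunnel: the server saw the control
    # connection arrive from 127.0.0.1 and announces 195*256+80 = 50000.
    reply = "227 Entering Passive Mode (127,0,0,1,195,80)"
    control_only = {2121: ("127.0.0.1", 21)}
    pinned_data = {2121: ("127.0.0.1", 21), 50000: ("127.0.0.1", 50000)}
    print(parse_pasv(reply))                              # ('127.0.0.1', 50000)
    print(data_channel_via_tunnel(reply, control_only))   # None: data in the clear
    print(data_channel_via_tunnel(reply, pinned_data))    # 50000: data stays tunnelled
```

Keeping the data connection inside the tunnel therefore means pinning the server's passive port range and forwarding each port in it as well, which is the pain referred to above.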