How to put a secure layer between a FTP-daemon and the network?
Extracted from askslashdot
Tip provided by ?
Tobbe Johansson asks: "I would like to put a secure layer between my FTP-daemon
and the network. I have searched for a program that encrypts/decrypts the port
where my FTP is running but I have not been able to find anything that seems to
work. Can anyone help me?"
ssh + ftp passive mode :
Use ssh's port forwarding, combined with ftp's passive mode. man ssh.
Last time I installed ssh2, I think it came with a client/server package called
sftp. Or maybe someone dropped crack in my mountain dew. You should be able to
tunnel it through ssh if not.
try here for various ssl based apps
Secure FTP: A few ways :
As a previous poster suggested, use ssh with port forwarding. You might want to see
the SSH FAQ:
As it points out, this will leave the data connection open to sniffing/hijacking.
If you only care about the integrity of the files you transfer, then verifying
against (securely obtained) md5 checksums should do the trick. If you want to
encrypt the datastream, you'll need to be a bit more fancy.
If it's possible, consider the use of 'scp' instead of ftp; you'll get protection
of both control and data, since it's built into ssh.
Another option (if you control the clients as well) is to use ssh2's "sftp" client.
Beware the licensing issues with ssh2, however.
If you really trust the clients, it's also quite easy to set up a VPN between the
client and server, and then FTP directly. The ways to go about this depend on the
OS you're using, so I'll leave it as an exercise to the reader.
secure FTP :
You can use SSH to encrypt the control connection (i.e. secure your passwords), but
it is a pain to also encrypt the data.
If you want everything to be safely encrypted, your choices are:
(1) Use scp (part of ssh) to do the transfers. Works like rcp, can also copy over
whole directories recursively.
There are also free versions of scp out there for win and mac.
(2) Use a SSL-ified FTP server and program. (check www.ssleay.org for a link).
Problem: I don't know of any SSL FTP programs out there for win or mac
IPsec as an option :
If they are both Linux, then look at:
Not only will your FTP be encrypted, but so will
your Telnet, HTTP, and even your pings. The good
thing about this would be that you don't need any
special client or server applications.
Isn't this what SSL is for ? :
Look in ftp://ftp.uni-mainz.de:/pub/internet/security/ssl/SSLapps/ for some SSL-aware
telnet/ftp clients and servers.
Kerberized FTP :
I'm pretty sure that MIT's athena distribution provides a modified version of FTP
which has kerberos support. This allows for secure authentication, but I'm not sure
if the anything else is encrypted. If authentication is all that you need to be
secure you might want to check it out. Kerberos can be a pain to get working, but
once it is working it's really nice (i.e., you enter a password once and all your
kerberos enabled programs never bug you for a password).
Ssh port forwarding would probably also work, but everybody else has already
suggested that so I figured I'd throw out a different option.
If you download MIT Kerberos 5 ( http://web.mit.edu/kerberos/www/ ), it
includes GSSFTP which is a Kerberized FTP
service. Unless you have a Kerberos infrastructure at your location, however, this
may be an excessively complicated solution for you.
sendfile (for something completely different) :
If security is a big concern, and your ftp site is really only for a select group
of people, you may wish to consider the sendfile suite of utilities based on the
SAFT (?) protocol. Basically, it's akin to email or instant messaging systems but
with files and with decent security involved (you can filter out spurious senders
of files, no passwords need pass over the 'net).
Something to give a shot for those of you wanting to give your friend, who's too
lazy/paranoid/poor to set up an ftp server, a file.
SSL/TLS FTP :
You can use an industry standard encryption and authentication protocol with FTP
supported by various clients.
First, go to http://www.openssl.org/ . OpenSSL is based on SSLeay and is the basis
for open source SSL communications in unix. You'll want to grab openssl and compile
it and install it. It provides a number of useful programs including md5 & sha for
generating checksums on files and a whole suite of other cipher routines.
Next visit http://www.psy.uq.oz.au/~ftp/Crypto/ and go find an FTP server and
client pair which have SSL support. There are also a few general proxy deals which
can handle it with any standard FTP server.
Now there are a few ways to do authentication, you can do normal authentication or
authentication based on certificate which requires a CA server (things like
verisign will work if you want to shell out some cash, but you can also build your
The great thing about SSL is it can autodetect encryption support. So you can take
a standard telnet server, make a few minor modifications to get it SSL capable and
connect to it using SSL capable telnet client or a vanilla telnet client and it'll
use the strongest security possible.
No need for silly third party daemons or special ports. Although the official TLS
service ports are different from their unencrypted couterparts.
This is good if you are behind a corporate lan which doesn't like allowing anything
besides telnet, ftp, and web traffic through their proxy.
CIPE - Crypto IP Encapsulation :
CIPE - encrypted IP over UDP tunneling
"This is an ongoing project to build encrypting IP routers. The protocol used is as
lightweight as possible. It is designed for passing encrypted packets between
prearranged routers in the form of UDP packets. This is not as flexible as IPSEC
but it is enough for the original intended purpose: securely connecting subnets
over an insecure transit network. The implementations mentioned below are actually
in use in such an application."
The newest version of CIPE is available on
It also works well for getting around those pesky universtity firewalls.
Secure FTP ? :
Have a look at:
Previous | Next | Index of category | Main Index | Submit |
Appears in section(s) :
Tip recorded : 16-05-1999 23:09:46
HTML page last changed : 27-07-1999 20:07:19