SecureFtp
Secure FTP (SFTP) is a secure method of transferring files across a network.
Background
Unlike regular FTP, which offers no encryption, SFTP encrypts both the password used to sign on to the system and the transferred data. Although the encryption process requires more data to be sent between computers, as well as processing time to encrypt and decrypt at both ends, we have faster processors and "fatter" networks than we did a couple of years ago, so there is no noticeable slowdown (for small to medium-size files).
Software
- Under Linux (and other unix-type systems), both SSH and SFTP are usually installed on new systems.
- Most Linux distros include packages (.rpms, .debs, .tgzs, ...) of OpenSSH.
- For more information, see http://www.openssh.org
- Under Windows, try PuTTY or WinSCP.
- Under OSX, both SSH and SFTP are installed by default. For GUI front ends to these, try JellyfiSSH and Fugu.
A Snag with SFTP and chroot
Dartmouth is working on migrating all of its systems (and users... that's the hard part :-) to secure protocols. As a part of the move, Webster (Dartmouth's primary webserver) needs to be migrated from FTP access to SFTP access. Currently, when a user uses FTP to connect to Webster, they are working in a "chrooted directory", which is a fancy way of saying that it looks like the base HTML directory is root (i.e. "/").
Chrooting is a very secure method of protecting a server, because a user can't access any programs or files that aren't under the "fake root" that they see. In fact, you have to be careful to put programs such as "ls", "cp", etc. in the "fake root" directory, or else the user can't do anything!
Unfortunately, SFTP does not offer a method of "chrooting", so a user is not restricted to a "chroot jail" (yes, it's really called that).
But... there are a couple of different ways to create the chroot jail:
So in conclusion, although there have been problems creating a chrooted environment with SFTP in the past, I think that using the documentation above and carefully planning our system, we can be successful with a secure setup.
NOTE: we must remember to upgrade all of the executables in the chroot jail at the same time as the executables for the rest of the system. Even if intruders cannot penetrate the chroot, they could cause damage by deleting or modifying files in the chrooted environment.
RobinsonTryon - 17 Mar 2003
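
The NOTE above about keeping the jail's executables in step with the rest of the system can be checked mechanically. The script below is an added example, not part of the original page or of Dartmouth's setup: it reports files under a jail's program directories that differ from the system copy at the same path. The jail path in the usage comment and the list of directories scanned are assumptions.

```shell
#!/bin/sh
# Added example: find executables/libraries inside a chroot jail that no
# longer match the system's copy at the same path (i.e. were not upgraded).
#
# Usage (hypothetical jail path):  jail_stale_binaries /home/webjail
#
# jail_stale_binaries JAIL [SYSROOT]
#   Prints "STALE <path>"  when the jail copy differs from the system copy,
#          "ORPHAN <path>" when the system has no file at that path.
#   Returns 0 if every jail file matches, 1 if anything was reported.
jail_stale_binaries() {
    jail=${1%/}
    sysroot=${2:-}          # default: compare against the real "/"
    sysroot=${sysroot%/}
    found=0
    list=$(mktemp) || return 2

    # Assumed layout: only directories that normally hold programs and
    # the libraries they load are scanned.
    for d in bin sbin usr/bin usr/sbin lib lib64 usr/lib usr/libexec; do
        if [ -d "$jail/$d" ]; then
            find "$jail/$d" -type f
        fi
    done > "$list"

    while IFS= read -r f; do
        rel=${f#"$jail"}                  # path as seen from inside the jail
        if [ ! -f "$sysroot$rel" ]; then
            echo "ORPHAN $rel"            # nothing on the system to compare to
            found=1
        elif ! cmp -s "$f" "$sysroot$rel"; then
            echo "STALE $rel"             # jail copy was left behind by an upgrade
            found=1
        fi
    done < "$list"

    rm -f "$list"
    return $found
}
```

Run it after each package upgrade (for example from cron) and re-copy any file reported as STALE into the jail.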