Using SFTP and SCP

SFTP and SCP are secure methods of transferring and copying files. They are part of the well-respected SSH (Secure SHell) family of tools. Ordinary FTP sends the username and password in plaintext, and is also a less effective protocol for a number of technical and user-interface reasons.

SFTP and SCP can use passwords just like FTP. While a password login is secure with SFTP/SCP, there are two principal downsides to this method. First, for every login you somehow need to store or remember a password. Second, if the person who set the password is not the person using it, then that password has to be transmitted to the end user, and the way that's done is almost certainly less secure than the highly secure transmission SFTP itself offers. (One reasonable solution is to use two 'bands': send the username and host by email and then the password by phone SMS. Correlating the two would be a substantial challenge.)

Many, however, prefer to avoid both these issues and use public/private key pair authentication. Once you have a key pair you simply send the public half to whoever is offering you access. No remembering passwords, and no compromising SSH's security by weak sharing techniques.

Creating a public/private key pair

...with WinSCP / PuTTYgen

(WinSCP is a high-quality free Open Source Windows SFTP/SCP client, and PuTTYgen is taken from the PuTTY free SSH client project. Conveniently, PuTTYgen is included within WinSCP.)

...with a Mac

The *nix command-line option below works in Terminal (open Finder, select Applications and then Utilities), or in the MacGPG free Open Source GUI client. The easiest way is to copy and paste the command below into Terminal.

...with the command line on *nix

(This can apply to Mac OS X users too.)

Simply issue the command ssh-keygen and follow the prompts. Use of a passphrase is highly recommended: it'll be your master password for all uses of the key. ssh-keygen creates two files in ~/.ssh: id_rsa (the private key) and id_rsa.pub (the public key). Please send the id_rsa.pub file (not id_rsa, which stays with you). An example of the whole process is shown below. (What you type is in bold.)

my-mac:~ your-username$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/your-username/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): highly recommended
Enter same passphrase again: 
Your identification has been saved in /Users/your-username/.ssh/id_rsa.
Your public key has been saved in /Users/your-username/.ssh/id_rsa.pub.
The key fingerprint is:
21:c4:d7:97:6a:bd:d2:80:5d:61:c0:8b:05:3b:b7:bc your-username@my-mac
my-mac:~ your-username$ mail -s "id_rsa.pub" paul.makepeace@realprogrammers.com < ~/.ssh/id_rsa.pub
my-mac:~ your-username$ 

If the mail command fails, just attach the file to an ordinary email. (Copying and pasting into an email is OK but generally messes the key up with extra line breaks, which is a headache for your admin. So if possible, please attach!)

Using your SFTP client

First up, ensure your sysadmin has told you the:

When you first log in (described below), the client is likely to report that it doesn't know the server's identity. This is normal; simply click or type 'yes' to continue.
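Two pieces of key material change hands above: the id_rsa.pub you mail to your admin, and the server identity your client asks you to accept on first login. Both deserve a quick check before being trusted. The Python below is an added example, not part of this page or of realprogrammers.com: it parses an OpenSSH public key line, detects and repairs the extra line breaks a mail client adds when a key is pasted into a message, and prints the fingerprint both as the colon-hex MD5 form shown in the ssh-keygen session above and as the SHA256 form newer OpenSSH prints, so the prompt on first connection can be compared against the fingerprint your admin announced. The sample key is constructed (its modulus is a made-up number, not a real key) and the host name sftp.example.com is a placeholder.

```python
"""Check OpenSSH public key lines: a mailed id_rsa.pub or a known_hosts entry.
Added example; the sample key below is CONSTRUCTED and not a usable key."""
import base64
import hashlib
import struct
import textwrap

SUPPORTED = ("ssh-rsa", "ssh-ed25519")


def _read_string(blob, off):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + length], off + length


def parse_pubkey(line):
    """Parse '<type> <base64> [comment]'; return (type, blob, comment, details).

    Rejects what a mail client does to a pasted key: a key now spanning several
    lines, base64 with junk in it, or a blob that does not match its declared type.
    """
    if "\n" in line.strip():
        raise ValueError("key spans several lines (pasted with line breaks?)")
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = fields[0], fields[1]
    comment = fields[2].strip() if len(fields) == 3 else ""
    if ktype not in SUPPORTED:
        raise ValueError("unsupported key type %r" % ktype)
    blob = base64.b64decode(b64, validate=True)  # raises ValueError on junk
    inner, off = _read_string(blob, 0)
    if inner != ktype.encode("ascii"):
        raise ValueError("blob type %r does not match %r" % (inner, ktype))
    details = {}
    if ktype == "ssh-rsa":
        e, off = _read_string(blob, off)  # public exponent (mpint)
        n, off = _read_string(blob, off)  # modulus (mpint)
        details["e"] = int.from_bytes(e, "big")
        details["bits"] = int.from_bytes(n, "big").bit_length()
    else:  # ssh-ed25519 carries a single 32-byte point
        pk, off = _read_string(blob, off)
        if len(pk) != 32:
            raise ValueError("ed25519 key must be 32 bytes")
        details["bits"] = 256
    if off != len(blob):
        raise ValueError("trailing bytes after key")
    return ktype, blob, comment, details


def repair_pasted_key(text):
    """Rejoin a key whose base64 field was wrapped onto several lines.

    Tries the longest run of tokens as the base64 field first; a wrong join
    (one that swallows the comment) fails to decode or leaves trailing bytes.
    """
    tokens = text.split()
    if not tokens:
        raise ValueError("empty input")
    ktype, rest = tokens[0], tokens[1:]
    for k in range(len(rest), 0, -1):
        candidate = " ".join([ktype, "".join(rest[:k])] + rest[k:])
        try:
            parse_pubkey(candidate)
            return candidate
        except ValueError:
            continue
    raise ValueError("could not recover a valid key from the pasted text")


def fingerprint_md5(blob):
    """Colon-separated MD5, the form older ssh-keygen printed (as in the session above)."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob):
    """SHA256 fingerprint as current OpenSSH prints it: base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def host_key_fingerprints(known_hosts_line):
    """Fingerprints for one known_hosts entry ('host type base64 [comment]')."""
    host, keypart = known_hosts_line.strip().split(None, 1)
    _, blob, _, _ = parse_pubkey(keypart)
    return host, fingerprint_md5(blob), fingerprint_sha256(blob)


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(x):
    # positive mpint: big-endian, leading zero byte added if the high bit is set
    return _ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def make_sample_rsa_line(comment="your-username@my-mac"):
    """CONSTRUCTED 1024-bit-shaped sample; the modulus is made up, not a real key."""
    n = (1 << 1023) | 0x10001
    blob = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def wrap_like_mail_client(line, width=72):
    """Simulate a mail client hard-wrapping the pasted key at 72 columns."""
    return "\n".join(textwrap.wrap(line, width=width, break_on_hyphens=False))


if __name__ == "__main__":
    good = make_sample_rsa_line()
    ktype, blob, comment, details = parse_pubkey(good)
    print(ktype, details, comment)
    print("MD5    ", fingerprint_md5(blob))
    print("SHA256 ", fingerprint_sha256(blob))
    mangled = wrap_like_mail_client(good)
    print("repaired matches original:", repair_pasted_key(mangled) == good)
    print(host_key_fingerprints("sftp.example.com " + good))  # placeholder host
```

On a real key, run the script against the id_rsa.pub a user sent (or against the matching line in ~/.ssh/known_hosts after a first connection) and compare the printed fingerprint with the one the sender or admin gave you over the other 'band'; a mismatch or a parse error means the file was mangled in transit or is not the key you were told to expect.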

Windows

We've already seen WinSCP for Windows.

Use these values to fill out the login screen (view a sample in WinSCP). Note that using public/private keys saves us from sharing a password, so leave the Password field blank; instead navigate with the ... button to your id_rsa.PPK Private key file. A key point is that whatever client you use, it must somehow be told where the key pair is.

Note that WinSCP has a handy Send To context (right-click) menu for uploads and transfers.

Mac

A free Open Source Mac client is Cyberduck.

  1. In Preferences, set the Default protocol to 'SFTP (SSH Secure File Transfer)'.
  2. On the Cyberduck main panel click the 'Open Connection' icon, and ensure SFTP is selected as the protocol.
  3. Then enter the server and username you've been given.
  4. Open the 'More options' revealer, and select 'Use Public Key Authentication'.
  5. The software will drop you right in at ~/.ssh. Here, select 'id_rsa', most likely the first file in there. At this point, back on the 'Open Connection' panel, you should see '~/.ssh/id_rsa' under the 'Use Public Key Authentication' checkbox option.
  6. Try it! Click Connect.
  7. (If you set a passphrase for your key, Cyberduck will ask for it with a 'Private key password protected' panel: enter it and continue.)

A well-liked payware client is MacSFTP. Note that Transmit supports public key authentication but only in a mildly obscure way: you will need to leave the password field blank and ensure your keys are in ~/.ssh as per *nix above. Thanks to Joshua McFarren for pointing this out. Finally, Fugu can be made to work, albeit with difficulty (start up in ~/.ssh).

There is even more detail at http://www.foothill.edu/ctis/howto/SFTP_WinSCP.html (note that this page is demonstrating a password-based login).

Admins: Creating SFTP/SCP-only accounts

The scponly mini-suite can be used to permit only sftp or scp, i.e. no login shell. Additionally, it can be configured to provide a chroot "jailed" environment that, amongst other features, prevents tampering with ~/.ssh. Handily, scponly provides an interactive setup_chroot.sh script.

On Debian this looks like:

apt-get install scponly # Or, if it's already there:
dpkg-reconfigure scponly # to ensure setuid is on: select Yes
cd /usr/share/doc/scponly/setup_chroot
sh setup_chroot.sh
All non-user content and code Copyright © 2000-2006 realprogrammers.com / Paul Makepeace. Comments & feedback welcome!