Obtaining and configuring Secure FTP clients
(Last modified: 11Jan2006)
This document (10085857) is provided subject to the disclaimer at the end of this document.
goal
Obtaining and configuring Secure FTP clients
fact
Novell NetWare 6.5
Novell NetWare FTP Server (NWFTPD.NLM)
cause
NetWare 6.5 introduced the capability of doing secure (SSL-encrypted) FTP sessions compliant with RFC 2228. To make use of this feature, you must obtain and configure an FTP client that is also compliant with RFC 2228. This document discusses the security methods, some possible 3rd-party FTP clients, and configuration suggestions. Novell attempts to ensure the accuracy of this information, but as some of it applies to 3rd-party software, there may be errors or omissions.
Note that this topic - securing traditional FTP through SSL, compliant with RFC 2228 - is not connected with the subject of OpenSSH or its SFTP. OpenSSH and its SFTP are completely different protocols from traditional FTP and SSL (although, in some cases, both types can be done from within one client program).
fix
FTP Security Extensions Overview
Introduction
This document gives an overview of the security extensions and describes the behavior of the FTP server with a few secure FTP clients. There are many more secure FTP clients available than those listed here. This document is not meant to imply that these are the preferred clients. These are simply some which Novell has tested. Also note that this document is only meant to discuss the traditional FTP protocol (as per RFC 959) extended to run under SSL (as per RFC 2228). This information does not apply to SSH or its SFTP service.
Description:
The NetWare 6.5 FTP Server enables secure FTP clients (those that support the SSL and TLS mechanisms) to establish secure connections with the server. As soon as a connection is established, the client and the server negotiate the security parameters. On successful negotiation, they begin to communicate securely. Currently the NetWare 6.5 FTP server supports the following mechanisms and commands related to security extensions.
- SSL, TLS, TLS-C, and TLS-P encryption mechanisms.
- Command channel and Data channel encryption are supported.
- Support commands:
a. AUTH <Mechanism Name>
b. PBSZ <Protection Buffer Size>
c. PROT <Protection Level>
Some Secure FTP Clients:
1. SmartFTP v1.0. This is a GUI-based FTP client with the ability to do secure connections.
Location : http://www.smartftp.com/
First the client has to be configured to set up a secure session. Follow these steps:
a. Go to Tool->Settings->Connections->SSL.
In the "Auth Mode" field select "SSL" (or whatever mechanism is preferred).
In the "Data Connection Mode" select "Private Data Connection," unless you prefer data connections remain un-encrypted, in which case select "Clear Data Connection."
b. Creating a client certificate is optional. The NetWare FTP server does not need a client certificate.
c. Click OK to close the Settings window.
d. On the Address Bar, drop down the "Address" item (not the address itself, but the page icon next to the word "Address"). Select FTP Over SSL (Explicit).
2. Core FTP.
Location: http://www.coreftp.com
In Site Manager, when defining a site:
a. Under SSL Options, mark Auth SSL or Auth TLS (not SSL Direct). This will enable SSL-encrypted FTP control connections (encrypted commands, so that usernames, passwords, etc. are protected).
b. Select either OpenSSL or Windows SSL (both should work, but Novell officially supports OpenSSL).
c. Optionally select SSL Listings (for encrypted directory lists) and SSL transfers (for encrypted file transfers).
d. Core FTP also offers an option for SSH/SFTP. This is for SSH and its Secure File Transfer Protocol (a different protocol). If selected, the client will try to connect via Secure Shell to SSHD (SSHD.NLM) rather than through FTP using SSL to NWFTPD.NLM. SSHD is outside the scope of this document, but Core FTP works well with NetWare 6.5's SSHD.NLM as well.
3. WS_FTP Pro. This GUI FTP client offers SSL security as well, and works with Novell FTP on NetWare 6.5 SP3 and NetWare OES. Details will be added here later.
Location: http://www.wsftp.com/
4. Cute FTP Pro. This GUI FTP client offers SSL security as well, and works with Novell FTP on NetWare 6.5 SP3 and NetWare OES. Details will be added here later.
Location: http://www.cuteftp.com/
5. Secure FTP 2. This is a text (command line) based Secure FTP client.
Location: http://www.glub.com/products/secureftp/download.shtml
Note: you should install Java for this client. It is available at http://java.sun.com/j2se/1.3/download.html
Here is an example of an FTP connection dialog when using this client:
ftp> open <server_name>
Generating the random seed... done.
Attempting to make an implicit SSL connection to <server_name> on port 990.
Connection failed.
Attempting to make an explicit SSL connection to <server_name> on port 21.
220 Service Ready for new User
AUTH TLS
234 Enabling SSL
PBSZ 0
200 Protection Buffer Size set. PBSZ=0
PROT C
200 Protection Level is set
Name (<server_name>): <user_name>
After logging in, use the dataencrypt command to toggle the data channel between clear and encrypted.
6. ftps. This is a command line FTP client from FreeBSD which can be installed on Windows and Unix machines.
Location: http://bsdftpd-ssl.sc.ru/
Note: you should install the binaries for OpenSSL. Available in the same location.
Example of connection dialog:
220 Service Ready for new User
Name (<server_name>:none): .user.novell
---> AUTH TLS
234 Enabling SSL
[TLSv1/SSLv3, cipher DES-CBC3-SHA, 168 bits]
---> USER .admin.novell
331 Password Needed for Login
Password:
---> PASS XXXX
230 User admin Logged in Successfully
---> SYST
215 NETWARE Type : L8
Remote system type is NETWARE.
ftps> prot
---> PBSZ 0
200 Protection Buffer Size set. PBSZ=0
---> PROT C
200 Protection Level is set
TLS/SSL protection of data connections off.
ftps>
This client implements a "prot on/off" command to enable or disable encryption on the data channel. The data channel is encrypted by default. To switch between secure and insecure data channels, type prot on and prot off respectively.
7. sslftp. This is a command line secure FTP Client. To work with NetWare, it must be version 2.2s, January 9, 2006, or later. To check your version, give the command: sslftp -version
Location: http://www.netwinsite.com/surgeftp/sslftp.htm
If the above link does not hold version 2.2s or later, use the following link: http://netwinsite.com/ftp/surgeftp/sslftpi2-2s_windows.exe
To use this client:
Issue the command: sslftp <servername>
Example of the full connection dialog the above sequence generates:
C:\>sslftp 10.1.2.3
read 1964> 220 Service Ready for new User
220 Service Ready for new User
out 1964> AUTH TLS-P
read 1964> 234 Enabling SSL
234 Enabling SSL
starting SSL/TLS
secure protocol SSLv3 used.
Could not open (C:\WINDOWS\netrc.txt) No such file or directory
(secure) User: test1
out 1964> USER test1
read 1964> 331 Password Needed for Login
331 Password Needed for Login
(secure) Password: *******
out 1964> password sent
read 1964> 230 User test1 Logged in Successfully
230 User test1 Logged in Successfully
Type in "save" to save login details to C:\WINDOWS\netrc.txt
sslftp> literal pbsz 0
n=3 arg_str={pbsz 0} p[0]={literal} p[1]={pbsz} p[2]={0} p[3]={(null)}
out 1964> pbsz 0
200 Protection Buffer Size set. PBSZ=0
sslftp> literal prot p
n=3 arg_str={prot p} p[0]={literal} p[1]={prot} p[2]={p} p[3]={(null)}
out 1964> prot p
200 Protection Level is set
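The connection dialogs above show which AUTH, PBSZ and PROT commands the server accepted, and that can be checked mechanically from a saved client transcript. The following Python example is added here and is not part of the original Novell document or of any client's code; the names audit_session and findings and the sample transcript are constructed for illustration. It treats the data channel as unprotected unless a PROT P was accepted, which is a conservative assumption.

```python
import re

# Commands as echoed by the clients on this page: ftps prints "---> CMD",
# sslftp prints "out <id>> CMD", Secure FTP 2 prints the bare command.
CMD_RE = re.compile(r"^(?:--->\s+|out \d+>\s+)?(AUTH|PBSZ|PROT|USER|PASS)\s+(\S+)", re.I)
# Replies: "234 Enabling SSL", or sslftp's "read <id>> 234 Enabling SSL".
REPLY_RE = re.compile(r"^(?:read \d+>\s+)?(\d{3})[ -]")

def audit_session(transcript):
    """Track which protections the server accepted in one session."""
    state = {"control_tls": False, "mechanism": None, "pbsz": False,
             "data_prot": None, "cleartext_login": False}
    pending = None  # last command still waiting for its reply
    for line in map(str.strip, transcript.splitlines()):
        cmd = CMD_RE.match(line)
        if cmd:
            pending = (cmd.group(1).upper(), cmd.group(2).upper())
            if pending[0] in ("USER", "PASS") and not state["control_tls"]:
                state["cleartext_login"] = True  # credentials sent before AUTH
            continue
        reply = REPLY_RE.match(line)
        if not (reply and pending):
            continue  # prompts, banners, sslftp's duplicated reply lines
        verb, arg = pending
        code, pending = reply.group(1), None
        if verb == "AUTH" and code == "234":
            state["control_tls"], state["mechanism"] = True, arg
        elif verb == "PBSZ" and code == "200":
            state["pbsz"] = True
        elif verb == "PROT" and code == "200":
            state["data_prot"] = arg  # "P" = private, "C" = clear
    return state

def findings(state):
    out = []
    if not state["control_tls"]:
        out.append("control channel not protected: no AUTH accepted (234)")
    if state["cleartext_login"]:
        out.append("USER/PASS sent before AUTH was accepted")
    if state["data_prot"] != "P":
        out.append("data channel not private: PROT P never accepted")
    return out

# Constructed sample in the ftps output style shown above (not a real capture).
SAMPLE = "\n".join([
    "---> AUTH TLS", "234 Enabling SSL",
    "---> USER .admin.novell", "331 Password Needed for Login",
    "---> PBSZ 0", "200 Protection Buffer Size set. PBSZ=0",
    "---> PROT C", "200 Protection Level is set"])

if __name__ == "__main__":
    print(findings(audit_session(SAMPLE)))
```

Run against a session that ends with PROT C, as in the ftps dialog, it reports the data channel as not private even though the login itself was protected.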
document
Document Title: Obtaining and configuring Secure FTP clients
Document ID: 10085857
Solution ID: NOVL91605
Creation Date: 04Aug2003
Modified Date: 11Jan2006
Novell Product Class: NetWare
disclaimer
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.