Using SecureFTP with Public\Private Key Pair

Every so often, one runs into a “broken” process that forces one to revisit an earlier, working implementation.

One of those moments happened this week.  As always, a good and dear friend called to let me know she was no longer getting her monthly batch of files.

The client is a Unix workstation and the server is an MS Windows machine running VanDyke VShell Server.

The product is described briefly at http://www.vandyke.com/products/vshell/index.html

An introduction to how it compares to regular FTP is at:
http://www.vandyke.com/solutions/file_transfer/secure_ftp_better_answer.html

The VanDyke VShell Server supports various authentication modes:

  1. MS Windows Authentication
  2. Radius Authentication
  3. Public\Private Key Authentication

There are various tools that one can use to create public\private key pairs:

  1. Vandyke Software – SecureCRT (Licensing Mode –> Commercial)
  2. PuTTYgen (Licensing Mode –> Open Source)

Public\Private Key Pairs

Server Configuration

Vandyke Software

VShell

For the VanDyke Software\VShell application, ensure that it is configured to support Public Key Authentication.

Here are the steps to configure, or verify, the configuration:

  1. Launch VShell.exe
  2. Using the left menu tree, access the SSH2\Authentication page
  3. On the “Authentication Options” page, ensure that “Public Key” Method is “Allowed”

Client Configuration

Creating Key Pairs

Vandyke Software \ SecureCRT
  1. Download \ Purchase SecureCRT from the VanDyke Software product page
    http://www.vandyke.com/products/securecrt/
  2. Install the downloaded package
  3. Create keys
    1. Launch SecureCRT
    2. Access the menu item Tools\“Create Public Key”
    3. On the “Key Type” screen you have an option between DSA and RSA:
      1. Select “DSA” as many servers may not support RSA
    4. On the “Passphrase” screen you have an option as to whether you want to “secure” the generated private key with a passphrase.  Note that the passphrase will have to be entered each time the private key is “accessed”.  Though very useful for security purposes, it will diminish the automation experience
    5. On the “Key Size” screen indicate the key size.  Currently, the most popular is 1024. The key size has to be a number between 512 and 2048 and be a multiple of 64.
    6. On the “Save” screen, choose to save as “Standard Public Key \ and VanDyke Private Key format”.

PuTTYgen
  1. Download PuTTYgen from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
  2. Note that PuTTYgen does not need to be installed.  It is a single, simple executable and can be run as is
  3. Once invoked, the screen pasted below appears

  1. Depending on the application’s or server’s requirements, one might have to choose different parameters.  Choices include:
    • Key Type –> SSH-1 RSA
    • Key Type –> SSH-2 RSA
    • Key Type –> SSH-2 DSA

The “Number of bits” matters quite a bit also.  Popular bit counts include 1024, 2048, etc.  A higher number of bits means that the key will be harder to compromise or guess through a brute-force attack.

  1. Once we are happy with the parameters, click on the “Generate” button to proceed with the actual key generation
  2. Note that for the keys to be generated you will have to move the mouse around quite a bit.  The progress and completion of the exercise is shown through a progress bar in the application’s window
  3. Once the keys are generated, the “Save public key” and “Save private key” buttons are enabled.  Click on each one to proceed with persisting the keys to actual files.
  4. If you try to “Save private key” and have not entered a passphrase in the “Key Passphrase” and “Confirm Passphrase” entry fields, you will be asked to confirm that you really want to save your private key without a passphrase as an extra security blanket on it.

Reference: Using WinSCP at the command line to automate file transfer (http://www.silverxtreme.org/content/using-winscp-command-line-automate-file-transfer): “While it is a good idea to protect the keys using a passphrase, it would hinder complete automation of the process. Hence, for the said situation, it is recommended not to protect the keys using a passphrase”.

Availing Key Pairs

Once we have the public\private key pair, we have to make the public key available to the server.

Vandyke Software
VShell

In the case of the Vandyke Software’s VShell Application, the public key should be placed in <install directory>\PublicKey\<user>

Private Key – Presentation

On the client, the private key will either have to be stored in a specific location, presented during each request, or held for the session using a tool such as Pageant.  BTW, the Pageant tool is available @ http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

WinSCP

For the WinSCP Application, we can specify the “Private Key” through the GUI.

  1. Launch WinSCP
  2. Specify the following information:
    1. Host name: SFTP Server
    2. Port Number: <port number>
    3. User name: <user-name>
    4. Password: <password>
    5. Private Key file: <location where the private key is saved>

Note that if we are using public\private key pairs, a password does not have to be entered for that specific user:

Troubleshooting

Vandyke Software

VShell

The Vandyke Software\VShell Application is very robust and offers various security and validation options.

Logging

Logging is configurable through the “Logging Options” page. To review and adjust the current logging settings:

  1. Launch VShell.exe
  2. Using the left menu tree, access the Common\Logging page
  3. Review the settings on the “Event Logging Options” page

Connection Filters

Review whether any connection filter entries are in effect that could be blocking the client.

  1. Launch VShell.exe
  2. Using the left menu tree, access the “Connection Filters” page
  3. Review the settings on the “Filter Entries” page

Deny Host

Review whether the “Deny Host” option is effective.

  1. Launch VShell.exe
  2. Using the left menu tree, access the Common\Deny Host page
  3. Review the settings on the “Enable Deny” page

Note that when “Enable Deny Hosts” is effective, the specified “Deny hosts file” is automatically populated with information about clients that repeatedly fail security validations.

Unix Client

Ineffective File Permissions on the Unix Client

If you get error messages that resemble the following:

Permissions 0775 for '/home/uploadusr/.ssh/id_usr' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key:
/home/uploadusr/.ssh/id_rsa
mysftpuser@commerce's password:
Permission denied, please try again.
mysftpuser@commerce's password:

Though an error such as this might appear needlessly obfuscated, as Unix\Linux error messages go it is actually not bad at all: the client refuses to use a private key that other users can read, and then falls back to asking for a password.

To correct it, use “ls -l” to review the current permissions of the listed key file (and its .ssh folder) and “chmod” (switching to the owning user with “su” if needed) to set new, more restrictive file permissions.
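The following is an added example, not code from the original post, covering both the unattended client-side transfer discussed in the WinSCP section and the “too open” permission error above: it checks the private key’s mode the way the ssh client does, tightens it if needed, and only then runs sftp in batch mode. The key path, port, target user@host and batch file name are assumptions.

```sh
# Added example, not from the original post. Paths, port and target are
# assumptions; the batch file is assumed to hold sftp commands (e.g. "get").

# Return 0 when the key file has no group/other permission bits (ssh's
# "are too open" check), 1 when it does, 2 when the file is missing.
key_perms_ok() {
    key="$1"
    [ -f "$key" ] || return 2
    # Octal mode: stat -c on GNU/Linux, stat -f on BSD/macOS.
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    # Normalise to exactly three digits: pad short modes such as "0" and
    # drop a leading setuid/setgid/sticky digit such as the 4 in "4755".
    mode=$(printf '000%s' "$mode" | sed 's/.*\(...\)$/\1/')
    group=$(printf '%s' "$mode" | cut -c2)
    other=$(printf '%s' "$mode" | cut -c3)
    [ "$group" = 0 ] && [ "$other" = 0 ]
}

# Tighten the key and its containing directory to the modes ssh expects.
fix_key_perms() {
    key="$1"
    chmod 700 "$(dirname "$key")" && chmod 600 "$key" && key_perms_ok "$key"
}

# Unattended transfer. BatchMode makes ssh fail instead of falling back to a
# password prompt when the key is rejected, so a scheduled job cannot hang
# the way the "password:" lines in the error above show.
run_batch() {
    key="$1"; port="$2"; target="$3"; batch="$4"
    key_perms_ok "$key" || fix_key_perms "$key" || return 1
    sftp -oBatchMode=yes -P "$port" -i "$key" -b "$batch" "$target"
}

# Example invocation (assumed values):
# run_batch "$HOME/.ssh/id_rsa" 22 uploadusr@sftp.example.com monthly.batch
```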

Reference:

  1. Linux File and Folder Permissions
    http://www.comptechdoc.org/os/linux/usersguide/linux_ugfilesp.html

References

  1. Using WinSCP at the command line to automate file transfer
    http://www.silverxtreme.org/content/using-winscp-command-line-automate-file-transfer
