Title: sftp configuration V 2 Last changed by




Дата канвертавання26.04.2016
Памер46.93 Kb.

Title: SFTP Configuration v 1.2




Last changed by:
Documentation Team


Date:
27/04/04

e-mail: bsplink.support@adpclearing.com






BSPlink SFTP Configuration

version 1.2







Index


1. Introduction 3

2. SSH Server Technical Description 3

3. Unix System Installation 4

3.1 SSH Opensource Installation Process 4

3.2 Use of SFTP to connect 5

4. Window System Installation and Configuration 6

4.1 Secure FX Installation 6

4.2 Client Windows Use 6

5. Revision Chart 11


1. Introduction

The SSH Server manual will guide the user through the configuration of secure FTP and the connection to the sever, in order to access BSPlink secure FTP services.


Before trying to set up the secure FTP, the user should create an FTP account by means of the BSPlink Secure FTP Account option. A login and a password will be required for this purpose: the login will be automatically provided by the system, while the password will have to be entered by the user. Once the account has been created, it will be updated in the server (in approximately 24 hours). The account will then be active and the user will be able to proceed as indicated in this manual.
Furthermore, it is very important that whenever a proxy or a firewall is used to connect to the internet, SFTP traffic through port 22 should be previously allowed in such devices, otherwise the connection to BSPlink communications server will not be possible.
The manual includes a technical description of the SSH server and the installation procedures both for Unix and Windows systems.


2. SSH Server Technical Description

Important data about FTP can be found below:




  • Manufacturer: VanDyke Software.

  • Product: Vshell SSH2 (Compatible with SSH1)

  • Version: 1.2.2

  • Encryption Software Manufacturer: RSA Security Inc.

Characteristics at functional level in our server are the following:




  1. Cipher: Coded algorithm used to encrypt data. Our server works with the following algorithms:
    Twofish, Blowfish, AES-128, AES-192, AES-256, 3DES and RC4, and even the possibility of non-coded data (although it is currently deactivated in our server)



  2. MAC: Digital signature of all the packets that are sent or received in the transmission of files. Therefore, with this method, packets are not lost, and even more important, no undesirable packet is wrongly sent in the transmission. The different digital signature types currently available are the following:
    MD5, MD5-96, SHA1 and SHA1-96, even the possibility of non-signed files (although it is currently deactivated in our server).



  3. Compression: All packets are compressed, before being sent, in order to minimise the traffic. The accepted levels are from 1 to 9. Now it is in 5.



  4. Authentication: It is formed by two different methods:



    1. Password: This system adds the password used in Windows 2000.



    2. Public Key: It consists of generating a public key (either of file type or of X.509 Certificate) in the client. Then, this public key will be sent to the server to be later authorised.

At this moment, the server is configured with the Password or Public/Private Key (only IETF format) method.


SSH clients should be SSH2, and not SSH1, as this might be obsolete. Some of the recommended client applications are:


  • Secure FX

  • Linux Ftps


3. Unix System Installation

3.1 SSH Opensource Installation Process


There are several steps that should be followed in order to install the SSH Opensource.



  1. The product for the correct platform should be downloaded from www.openssh.com. The version should be superior to 2.4.0 in order to stand SSH1 and SSH2. It is recommended to install the version ssh-3.5.1.

  2. Once the product has been downloaded, we enter as root and execute the following:

#gunzip ssh-x.x.x.tar.gz

#tar –xvf ssh-x.x.x.tar

The result is a folder named: “ssh-x.x.x”





  1. We enter the folder and execute the following:


#cd ssh-x.x.x


  1. Once the above has been executed, you must run the script configuration, it is called “configure” and has the following parameters:

prefix = PREFIX: it is where the ‘binary’ elements are installed. (default / user/ local)

with-etcdir: It is the path where the system information can be obtained. (Default /etc)

with-libwrap = [PATH]: It uses libwrap (tcp_wrappers) and inetd.

with-socks4 = [PATH]: It includes support for SOCKS4 (Firewall Crossing).

with-socks5 = [PATH]: It includes support to SOCKS5 (Firewall Crossing).

enable-warnigs: It enables the generation of errors in the compiler gcc.
This step configures the ssh environment and adapts it to our requirements.


  1. Next step is to compile the binary elements. This is done by using GCC compiler. Therefore, the following sentence should be executed:


#make

#make install
Once this step has been carried out, the system is configured as follows:

/etc  ssh_host_key and sshd_config files

/usr/local/bin  ssh and scp client application

/usr/local/sbin  sshd daemon




  1. The service should be included in the /etc/inetd.conf file. To run it up, the following sentence has to be included:




  • With TCP Wrappers:


ssh tcp root nowait /usr/local/sbin/sshd /usr/local/sbin/sshd –i


  • Without TCP Wrappers:


ssh tcp root nowait /usr/local/etc/tcpd /usr/local/sbin/sshd –i



  1. Edit the file /etc/services and include the following:


ssh 22/tcp Secure Shell

ssh 22/upd Secure Shell



  1. Depending on the inetd version, it is possible that the service may reboot the system.

Once all these steps have been carried out, the packet ssh installation has been completed. This includes both, server application and client application.



3.2 Use of SFTP to connect


We are going to analyse two different systems, as an example to know how to use Secure FTP to connect. The two systems that are analysed are the following: Password and Public/Private Key systems.


  • Password System: #sftp %username%@ftp.adpclearing.com

The first time the connection is made, the ‘Finger Print’ file should be pressed and, when required, press ‘YES’. Then, the password should be entered.
Note: Remember that BSPlink secure FTP password expire 3 months later than its last modification. After its expiration you should reactivate it by using the form in BSPlink again.


  • Public/Private key System:
    This system consists of a Private and a Public keys. These keys are generated in the client’s device and then, the Public key should be expressly sent to BSPlink. The way to generate the keys is as follows:




  • #ssh-keygen –d ( –d generates the DSA key type)

  • Two files are generated in the ~/.ssh/. directory:
    id_dsa.pub  Public Key
    id_dsa  Private Key. (The client maintains this key).




  • Our Public key is formed with the OpenSource format. However, our server only works with IETF; therefore, the key should be changed:

    # ssh-keygen -e -f id_dsa.pub > file.out




  • The Public key is personally sent to Bsplink.

  • Once the confirmation from BSPlink has been received, the user should connect to the server: #sftp %username%@ftp.adpclearing.com

The first time the user connects to the server, he should accept the ‘Finger Print’ file and press ‘yes’, when required. Therefore, the system will not ask for a password.


Note: Although the account will expire after three months, the public key will be kept in the server. This means that it will not be necessary to send again the public key to BSPlink once the account is reactivated.

4. Window System Installation and Configuration

Here it is important to note that the following is just an example and other sFTP clients might be used.


4.1 Secure FX Installation

These two steps should be followed in order to install the Secure FX:




  1. The Secure FX software should be downloaded from the web: http://www.vandyke.com. The version should not be inferior to 2.0.1. Last version is recommended.

  2. Install the software, in the profile of the user that uses such application.



4.2 Client Windows Use

We are going to explain, separately, the Password and Public/Private key systems:




  • Password System: A user’s session is to be created. For instance, these are the steps to be followed with Secure FX secure FTP client:




  1. Go to ‘File  Connect..’ option in the main menu.

In the tool bar, click the second icon on the left, and select the following options:


Protocol: SFTP

Host Address: ftp.adpclearing.com

Port: 22

Username: It is the login provided by the Secure FTP Account option in BSPlink application.

Password: ***********

Initial download folder: This field should be left blank. The system will automatically connect to the user’s folder. NOTE that if the path is indicated, the connection will not be possible, and an error message will be displayed.




  1. Now, execute the session, by double clicking on the name.


Note: Remember that BSPlink secure FTP password expire 3 months later than its last modification. After its expiration you should reactivate it by using the form in BSPlink again.


  • Public/Private key System:




  1. Start the application and go to ‘Options  Global Configuration’ in the main menu.

  2. Select the SSH2 option and press ‘Create Identity File’





  1. The Public/Private key are to be generated. Follow the steps below:

    Key type DSA


    Passphrase Null
    Comment  Left as it is shown by default.
    Key length  1024
    Private Key filename  Left as it is shown by default.
    Public Key filename  The user should write down this path, as it would be the place where the Public key will be saved, and then, be expressly sent to BSPlink.



  2. A user’s session is to be created. These are the steps to be followed:




  • Go to ‘File  Connect..’ option in the main menu.





  • In the tool bar, click the second icon on the left, and select the following options:

Protocol: SFTP

Host Address: ftp.adpclearing.com

Port: 22

Username: It is the login provided by the Secure FTP Account option in BSPlink application.

Password: ***********

Initial download folder: This field should be left blank. The system will automatically connect to the user’s folder. NOTE that if the path is indicated, the connection will not be possible, and an error message will be displayed.




  1. O
    nce the session has been created, with the right button of the mouse on the session, select ‘Properties’ option.

Go to ‘Authentication  Primary’, and select ‘Public Key’. Then, press ‘Properties’ in order to check that the ‘Use global identity file’ option is selected.

The path where the identity file has been previously saved will be shown in the use identity file box.





  1. Before using the connection, the user should have received the BSPlink confirmation that the corresponding public key was received accurately. Then, double click to connect with the created session.


Note: Although the account will expire after three months, the public key will be kept in the server. This means that it will not be necessary to send again the public key to BSPlink once the account is reactivated.

5. Revision Chart





Revision Nº

Issue date

Changes

1.1

28/04/03










4.2 Client Windows Use: change in Initial Download Folder explanation in Password System and Public/Private Key System.

1.2

27/04/04










Document updated with standard format.







Web value logo included in first page.







Notes included in sections: 3.2 and at the end of 4.2.







База данных защищена авторским правом ©shkola.of.by 2016
звярнуцца да адміністрацыі

    Галоўная старонка