ftp security

I have written a number of ftp scripts to put/get files between unix and other systems. My scripts only ftp to servers inside of our firewall. However, I have heard of risks involved with using the typical ftp automation techniques if one goes into unsecure areas with their ftp processes.

Typical to me:

ftp -i -v -n [hostname] <<EOF
user USERNAME PASSWORD
hash
cd [to_dir]
lcd [from_dir]
put FILENAME
close
bye
EOF

The main risk I have heard of is that the username and password are passed in plain text. Are there any ways to get around this on the shell scripting level? Or, do other options need to be considered?

Let me know if more details are needed...

Another way to get a secure FTP is to use SSH and use programs like PSFTP (on Win32 clients) or sftp (on Unix clients) to transfer files via SecureShell without having the security problems related to clear text passwords sent via ftp.

I have used psftp from work to send files to my boxes at the house and it works very well, but is slower than traditional ftp.

You can also use scp (secure copy) on a file by file basis to transfer files from one system to another.
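Added example, not part of the original thread: the ftp here-document from the first post rewritten for OpenSSH sftp batch mode with key-based authentication, so no password sits in the script or crosses the wire in clear text. The function names and the host, user, key path and directories in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: sftp batch-mode equivalent of the ftp here-document.
# Assumes the OpenSSH sftp client, a key pair already authorised on the
# server, and the server's host key already present in known_hosts.

# Reject values that could break out of the quoted batch command:
# empty strings, double quotes, backslashes and embedded newlines.
safe_arg() {
    nl='
'
    case "$1" in
        ''|*'"'*|*'\'*|*"$nl"*) return 1 ;;
    esac
    return 0
}

# Print the batch commands for one upload (same steps as the ftp script).
# $1 = remote dir, $2 = local dir, $3 = file name
make_batch() {
    [ "$#" -eq 3 ] || { echo "usage: make_batch RDIR LDIR FILE" >&2; return 1; }
    for arg in "$1" "$2" "$3"; do
        safe_arg "$arg" || { echo "unsafe argument: $arg" >&2; return 1; }
    done
    printf 'cd "%s"\nlcd "%s"\nput "%s"\nbye\n' "$1" "$2" "$3"
}

# Run the transfer. $1 = user@host, $2 = private key, $3..$5 as make_batch.
# BatchMode=yes makes ssh fail instead of prompting for a password;
# StrictHostKeyChecking=yes refuses a server whose host key is unknown.
# In batch mode sftp aborts with a non-zero status if cd, lcd or put fails.
send_file() {
    cmds=$(make_batch "$3" "$4" "$5") || return 1
    printf '%s\n' "$cmds" |
        sftp -b - -i "$2" -o BatchMode=yes -o StrictHostKeyChecking=yes "$1"
}

# Usage (constructed values):
#   send_file batch@hostb "$HOME/.ssh/id_transfer" /incoming /data/out report.txt
```
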

Thanks for the input. I also came across some info on using a .netrc file, so I will check into that also.

Using .netrc or anonymous ftp are not secure. The password of an account is either vulnerable in the .netrc file, in the transmission, or in the script file.

You would be better off using one of the programs auswipe wrote about, if you are worried about security.

I have a similar problem.

I have to transfer 6 files from one unix box 'a' to another 'b'. I tried 'rcp' but the file system on b does not allow the files to be rcp'ed from a.

My system admin has refused to use .netrc (due to security issues).

Could not transfer files using sftp.

Are any other techniques available to transfer files from one box to another?

I am trying to transfer files from HP to Sun Solaris.

SunOS 5.6 Generic_105181-23 sun4u sparc SUNW,Ultra-Enterprise

HP-UX B.10.20 B 9000/891 350319241

Have you tried both ways? Attempting to transfer files by logging into HP and sftp to SUN, and logging into SUN and sftp to HP? On one side you would do a put, on the other side you would do a get. Or do you have secure copy (scp, part of ssh)? Or can you share a drive between the systems (NFS)? Or is the home directory a shared drive (will mount on both systems - put the file in /home and it will be there)?

FYI - If the system administrator will not allow .netrc (I don't blame him/her) then make the system administrator find a fix. If you have a valid need to transfer files, then you bring that need to the Sys Admin and they need to come up with a way to meet the business need and keep systems secure.

I personally think that all mounts are big security gaps on systems.

I think you should try scp from any ssh dist.

Maybe your rcp doesn't work because the .rhosts doesn't exist. This is also a security gap. I would really recommend using SSH.

Jason

Where (directory) can I find 'scp'? I typed in 'scp' on command prompt and it says 'ksh:scp not found'.

sftp....gave error...'connection refused'..

:confused:

In order to use scp, you need to install SSH. Otherwise, scp is in the bin directory of your SSH install.

Try this:
OpenSSH