Difference between revisions of "SCP and SFTP"

From ArchWiki
Line 4: Line 4:
 
= Introduction =
 
= Introduction =
  
SFTP ('Secure File Transfer Protocol') encrypts passwords unlike plain FTP. SFTP is not really a true protocol, its just SSH + FTP or TLS/SSL + FTP . Note that there are many ways to set this up. This is one of them.  
+
'''SFTP''' (Secure File Transfer Protocol) encrypts passwords unlike plain FTP. SFTP is not really a true protocol, its just SSH + FTP or TLS/SSL + FTP . Note that there are many ways to set this up. This is one of them.  
  
 
This setup in particular (using pure-ftpd + TLS) encrypts usernames, passwords, commands and server replies, but does NOT encrypt the data channel. This also means that that there is reduced performance cost on data transfer.  
 
This setup in particular (using pure-ftpd + TLS) encrypts usernames, passwords, commands and server replies, but does NOT encrypt the data channel. This also means that that there is reduced performance cost on data transfer.  
  
 
= Setting up FTP with pure-ftpd =
 
= Setting up FTP with pure-ftpd =
we will use pure-ftpd:
+
We will use pure-ftpd:
 +
# pacman -Sy pure-ftpd openssh openssl
  
  pacman -Sy pure-ftpd openssh openssl
+
Then you can go ahead and edit the configuration file:
 +
  # vi /etc/pure-ftpd.conf
  
then you can go ahead and edit the configuration file:
+
You can start and stop the pure-ftpd daemon by
 +
# /etc/rc.d/pure-ftpd start
 +
# /etc/rc.d/pure-ftpd stop
 +
# /etc/rc.d/pure-ftpd restart
  
vi /etc/pure-ftpd.conf
+
and you can set it to automatically start by adding it to the modules list in /etc/[[rc.conf]].
 
+
you can start and stop the pure-ftpd daemon by
+
 
+
/etc/rc.d/pure-ftpd start
+
/etc/rc.d/pure-ftpd stop
+
/etc/rc.d/pure-ftpd restart
+
 
+
and you can set it to automatically start by adding it to the modules list in /etc/rc.conf
+
  
 
= Set up Certicificates =
 
= Set up Certicificates =
refer to http://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS for information. The short version is this :
+
Refer to http://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS for more information. The short version is this:
  
 
1. Create a Self-Signed Certificate:
 
1. Create a Self-Signed Certificate:
  mkdir -p /etc/ssl/private
+
  # mkdir -p /etc/ssl/private
  openssl req -x509 -nodes -newkey rsa:1024 -keyout \
+
  # openssl req -x509 -nodes -newkey rsa:1024 -keyout \
 
   /etc/ssl/private/pure-ftpd.pem \
 
   /etc/ssl/private/pure-ftpd.pem \
 
   -out /etc/ssl/private/pure-ftpd.pem
 
   -out /etc/ssl/private/pure-ftpd.pem
 
2. Make it private:
 
2. Make it private:
  chmod 600 /etc/ssl/private/*.pem
+
  # chmod 600 /etc/ssl/private/*.pem
 
3. Be aware that using 1024 bits in some countries will get you the legal banhammer. Choose 512 or less if unsure.
 
3. Be aware that using 1024 bits in some countries will get you the legal banhammer. Choose 512 or less if unsure.
  
 
= Enable TLS =
 
= Enable TLS =
 
 
Towards the bottom of /etc/pure-ftpd.conf you should find a section for TLS. Uncomment and change the TLS setting to 1 (which enables both FTP and SFTP):
 
Towards the bottom of /etc/pure-ftpd.conf you should find a section for TLS. Uncomment and change the TLS setting to 1 (which enables both FTP and SFTP):
 
 
  TLS            1
 
  TLS            1
  
now restart the pure-ftpd daemon and you should be able to login with sftp-enabled clients (e.g. FileZilla, SmartFTP) (dont forget to use port 22)
+
Now restart the pure-ftpd daemon and you should be able to login with sftp-enabled clients (e.g. FileZilla, SmartFTP). (Dont forget to use port 22.)
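
Review bot: The closing paragraph still says "use port 22" and the introduction still describes SFTP as "SSH + FTP or TLS/SSL + FTP", although every step in between configures pure-ftpd with TLS. Port 22 is the SSH port, and SFTP is the file-transfer subsystem of SSH. What `TLS 1` enables in pure-ftpd is FTP over TLS (FTPS) on the FTP control port, so the two should be named and described separately and the port advice corrected. Three smaller points while this text is being touched: the `rsa:1024` key size and the "Choose 512 or less" advice in step 3 deserve a second look, daemons in /etc/rc.conf are listed in the DAEMONS array rather than a "modules list", and the heading "Set up Certicificates" keeps its typo.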

Revision as of 14:36, 3 December 2008


Introduction

SFTP (Secure File Transfer Protocol) encrypts passwords, unlike plain FTP. SFTP is not really a true protocol; it's just SSH + FTP or TLS/SSL + FTP. Note that there are many ways to set this up. This is one of them.

This setup in particular (using pure-ftpd + TLS) encrypts usernames, passwords, commands and server replies, but does NOT encrypt the data channel. This also means that there is reduced performance cost on data transfer.

Setting up FTP with pure-ftpd

We will use pure-ftpd:

# pacman -Sy pure-ftpd openssh openssl

Then you can go ahead and edit the configuration file:

# vi /etc/pure-ftpd.conf

You can start and stop the pure-ftpd daemon by

# /etc/rc.d/pure-ftpd start
# /etc/rc.d/pure-ftpd stop
# /etc/rc.d/pure-ftpd restart

and you can set it to automatically start by adding it to the modules list in /etc/rc.conf.

Set up Certificates

Refer to http://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS for more information. The short version is this:

1. Create a Self-Signed Certificate:

# mkdir -p /etc/ssl/private
# openssl req -x509 -nodes -newkey rsa:1024 -keyout \
 /etc/ssl/private/pure-ftpd.pem \
 -out /etc/ssl/private/pure-ftpd.pem

2. Make it private:

# chmod 600 /etc/ssl/private/*.pem

3. Be aware that using 1024 bits in some countries will get you the legal banhammer. Choose 512 or less if unsure.

Enable TLS

Towards the bottom of /etc/pure-ftpd.conf you should find a section for TLS. Uncomment and change the TLS setting to 1 (which enables both FTP and SFTP):

TLS             1

Now restart the pure-ftpd daemon and you should be able to log in with sftp-enabled clients (e.g. FileZilla, SmartFTP). (Don't forget to use port 22.)
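
A check of the result of the steps above, as an added example that is not part of the original wiki page: it reads the effective TLS directive from a pure-ftpd.conf and confirms that the PEM file holds both key and certificate with mode 600. The function names (tls_mode, pem_ok, audit) and the sample files are constructed for illustration; point audit at /etc/pure-ftpd.conf and /etc/ssl/private/pure-ftpd.pem to check a real setup.

```sh
#!/bin/sh
# Added example: audit the two files configured on this page.

# Print the effective TLS directive in a pure-ftpd.conf (last uncommented
# "TLS <n>" line), or "unset" when the directive is still commented out.
tls_mode() {
    awk '$1 == "TLS" && $2 ~ /^[0-9]+$/ { v = $2 }
         END { print (v == "" ? "unset" : v) }' "$1"
}

# Succeed only if the PEM holds both a private key and a certificate (the
# page writes both into one file) and its mode is exactly 600.
pem_ok() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# audit <conf> <pem>: print findings, return non-zero if anything is off.
audit() {
    rc=0
    case $(tls_mode "$1") in
        unset|0) echo "TLS off: logins and commands are sent in cleartext"; rc=1 ;;
        1) echo "TLS 1: encrypted and plain FTP sessions are both accepted" ;;
        *) echo "TLS $(tls_mode "$1"): see README.TLS for this mode" ;;
    esac
    if pem_ok "$2"; then echo "PEM ok: key + certificate, mode 600"
    else echo "PEM problem: missing key/certificate block or mode is not 600"; rc=1
    fi
    return $rc
}

# Constructed sample inputs (placeholder text, not real key material).
demo=$(mktemp -d)
printf '%s\n' '# TLS             1' 'TLS             1' > "$demo/pure-ftpd.conf"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'placeholder' \
    '-----END PRIVATE KEY-----' '-----BEGIN CERTIFICATE-----' \
    'placeholder' '-----END CERTIFICATE-----' > "$demo/pure-ftpd.pem"
chmod 644 "$demo/pure-ftpd.pem"   # state before step 2: key readable by others
audit "$demo/pure-ftpd.conf" "$demo/pure-ftpd.pem" || :
chmod 600 "$demo/pure-ftpd.pem"   # state after step 2
audit "$demo/pure-ftpd.conf" "$demo/pure-ftpd.pem"
rm -rf "$demo"
```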