Dylan Beattie, July 2002
This document outlines how to use the OpenSSH tools to create a secure file transfer mechanism which can be automated via shell scripts or batch files. One application of this - the thing we're using it for - is to allow our clients to automate the data transfer process from their sales mainframe to our web servers, without any danger of the information contained therein being compromised in transit. In a nutshell: at eight every night, their mainframe spits out a fresh batch of sales figures; at nine every night, this is automatically uploaded to our server via SFTP using RSA authentication; and at midnight, our server picks up the fresh data from the upload directory and imports it into the database. This document describes how we set up the middle stage of this process - installing OpenSSH and configuring it to allow secure, unattended file transfer operations.
These examples are based on a fictional Windows 2000 Server called fortress, with the fully-qualified internet hostname www.fortress.com. This machine is not part of a Windows NT domain, but is configured as a stand-alone server, and we've created a local Windows user account called johndoe.
Command transcripts are shown in monospaced type, with the bits you type shown in bold.
These examples are tested and verified for OpenSSH v3.4-1 running on Windows 2000 Server, and have been tested using both the Windows and Linux versions of the OpenSSH client utilities. Other version/platform combinations may or may not work as described here.
I'm by no means a security expert, and I'm not an OpenSSH guru. If you find these notes helpful, great - if you don't, there's plenty of more detailed resources out there which will answer your questions if you take the time to read them properly. Contributions and testimonials are welcome; questions will be read and possibly answered but I'm making no guarantees, and please don't rely on this information for anything important. I don't know whether it's the most secure or most effective way of doing this, but it works and that's good enough for me. If it's not good enough for you, don't use it :)
Make sure that johndoe has Full Control of the C:\Program Files\NetworkSimplicity\ssh\ directory and all its sub-directories, otherwise you'll get odd 'Access Denied' messages when you try to upload the public key files later.
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Program Files\NetworkSimplicity\ssh>mkpasswd -l -u johndoe >> ..\etc\passwd

C:\Program Files\NetworkSimplicity\ssh>mkgroup -l >> ..\etc\group
Run net start opensshd at the command line to start the server.

Now test the connection from the client workstation with ssh username@host - here, I connect and then run the hostname command just to make sure I'm connected to the right place :) You may be warned that the server's identity cannot be verified -

C:\Program Files\NetworkSimplicity\ssh>ssh johndoe@www.fortress.com
johndoe@www.fortress.com's password:
Last login: Thu Jul 11 17:26:43 2002 from myhost.mydomain.com
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

(fortress) C:\Program Files\NetworkSimplicity\ssh>hostname
fortress

(fortress) C:\Program Files\NetworkSimplicity\ssh>exit
Connection to www.fortress.com closed.

C:\Program Files\NetworkSimplicity\ssh>

This confirms that the server is accessible and correctly configured, and that the client tools are installed correctly on the client workstation.
Open the sshd_config file on the server (ours is in C:\Program Files\NetworkSimplicity\ssh), and check the following lines exist:

Protocol 2,1 (default is Protocol 2)
RSAAuthentication yes (default is RSAAuthentication no)
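The two settings above written out as an sshd_config fragment, with one added line that is not part of the original notes. In OpenSSH, RSAAuthentication governs RSA keys for protocol version 1 only; a key created with ssh-keygen -t rsa (as in the next section) is a protocol-2 key, and protocol-2 public-key logins are governed by PubkeyAuthentication instead. A server left at the default Protocol 2 therefore still accepts the key as long as PubkeyAuthentication is on, and protocol 1 only needs enabling for clients that cannot speak protocol 2.

```conf
# sshd_config fragment (added example; the first two lines are the settings
# the notes above ask you to check)
Protocol 2,1
RSAAuthentication yes

# Added line: controls public-key logins over protocol 2, which is what a key
# made with "ssh-keygen -t rsa" uses. The OpenSSH default is yes; stating it
# explicitly means the nightly job does not depend on a default.
PubkeyAuthentication yes
```

If you have no protocol-1 clients, leaving Protocol at 2 keeps the weaker protocol switched off while the key-based SFTP job continues to work.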
Here we use ssh-keygen.exe to create a 1024-bit RSA key pair. The private key stays on the client machine and must be kept safe - if this key is compromised, the security of the system is compromised. The public key is exported to the server, where it must be appended to the file C:\Program Files\NetworkSimplicity\ssh\.ssh\authorized_keys (Note that on a newly-installed server, this file may be blank or non-existent.)
The following session transcript demonstrates the entire process, via SSH tools from the client machine.
First, we run ssh-keygen specifying an RSA key type. NOTE: Supply an EMPTY passphrase, otherwise you'll be asked to type the passphrase whenever you use the key - which is not really what we want.
C:\Program Files\NetworkSimplicity\ssh>ssh-keygen.exe -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/bin/.ssh/id_rsa): johndoe.key
johndoe.key already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in johndoe.key.
Your public key has been saved in johndoe.key.pub.
The key fingerprint is:
ec:30:03:39:06:96:9f:a7:15:ed:4a:2e:de:64:bc:14 Dylan Beattie@DYLAN_PC
This has created two files - a file called johndoe.key containing your private key, and a file called johndoe.key.pub containing the public key.
The private key needs to be moved into the c:\Program Files\networksimplicity\ssh\.ssh directory:
C:\Program Files\NetworkSimplicity\ssh>move johndoe.key .ssh
The public key must first be copied to the corresponding .ssh directory on the server (done here using SFTP):

C:\Program Files\NetworkSimplicity\ssh>sftp johndoe@www.fortress.com
Connecting to www.fortress.com...
johndoe@www.fortress.com's password:
sftp> cd .ssh
sftp> put johndoe.key.pub
Uploading johndoe.key.pub to /bin/.ssh/johndoe.key.pub
sftp> exit
...and then we connect via SSH and append the contents of the johndoe.key.pub file to the authorized_keys file in the .ssh directory.
C:\Program Files\NetworkSimplicity\ssh>ssh johndoe@www.fortress.com
johndoe@www.fortress.com's password:
Last login: Thu Jul 11 17:27:55 2002 from myhost.mydomain.com
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

(fortress) C:\Program Files\NetworkSimplicity\ssh>cd .ssh

(fortress) C:\Program Files\NetworkSimplicity\ssh\.ssh>dir
 Volume in drive C is SYSTEM
 Volume Serial Number is 403A-24CD

 Directory of C:\Program Files\NetworkSimplicity\ssh\.ssh

07/11/2002  05:40p      <DIR>          .
07/11/2002  05:40p      <DIR>          ..
07/11/2002  04:56p                 232 authorized_keys
07/11/2002  05:40p                  23 environment
07/11/2002  05:40p                 232 johndoe.key.pub
07/11/2002  04:56p                 232 test.pub
03/27/2002  03:25p                  58 rc
               5 File(s)            777 bytes
               2 Dir(s)   1,376,125,952 bytes free

(fortress) C:\Program Files\NetworkSimplicity\ssh\.ssh>type johndoe.key.pub >> authorized_keys

(fortress) C:\Program Files\NetworkSimplicity\ssh\.ssh>exit
Connection to www.fortress.com closed.

C:\Program Files\NetworkSimplicity\ssh>
That's it. We're now ready to test our RSA authentication.
We can now connect by specifying the filename of our private key on the command line, rather than supplying a password as part of the connection process. This means that anyone who has your private key can assume your identity and compromise your server. So be careful with it.
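Because the private key carries no passphrase, the authorized_keys entry on the server is the place to limit what a copied key could do. The entry below is an added example, not part of the original notes: it uses the OpenSSH authorized_keys options (all available in 3.4) to accept the key only from one client address, to refuse a terminal and any forwarding, and to force the sftp server as the only program the key can run, so the key cannot open an interactive command prompt even if it leaks. The address 203.0.113.10 is a constructed placeholder for the client workstation, the sftp-server path must be taken from the Subsystem line of your own sshd_config, and AAAA... stands for the key material copied from johndoe.key.pub.

```conf
# C:\Program Files\NetworkSimplicity\ssh\.ssh\authorized_keys (added example)
# An entry is ONE line: options, key type, base64 key, comment.
#
# from=             accept this key only from the client workstation's address
#                   (203.0.113.10 is a constructed placeholder)
# command=          run only the sftp server, whatever the client requests;
#                   copy the path from the "Subsystem sftp ..." line of sshd_config
# no-pty, no-*-forwarding
#                   no terminal and no port, X11 or agent forwarding for this key
from="203.0.113.10",command="/usr/sbin/sftp-server",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...rest-of-johndoe.key.pub... johndoe@workstation
```

With a forced command in place, the interactive ssh -i test below will be handed the sftp server instead of a command prompt, so test the key with sftp rather than ssh. If the workstation's address changes, the from= pattern must be updated or the nightly job will be refused.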
To establish an SSH connection using RSA authentication, specify the location of the private key file with the -i option.
C:\Program Files\NetworkSimplicity\ssh>ssh -i .ssh\johndoe.key johndoe@www.fortress.com
Last login: Thu Jul 11 17:40:15 2002 from myhost.mydomain.com
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

(fortress) C:\Program Files\NetworkSimplicity\ssh>exit
Connection to www.fortress.com closed.

C:\Program Files\NetworkSimplicity\ssh>
To establish a Secure FTP connection (SFTP) using RSA authentication, use the -oIdentityFile option:
C:\Program Files\NetworkSimplicity\ssh>sftp -oIdentityFile=.ssh\johndoe.key johndoe@www.fortress.com
Connecting to www.fortress.com...
sftp>
And there you have it - a secure FTP connection created without specifying a password.
Using the -b switch, sftp can run a sequence of commands from a batch file rather than as an interactive session. Here, we're going to write a batch script that will connect, upload a set of files from C:\EXPORT\ on the local machine (our workstation) to W:\ftproot\upload\ on our server. This also demonstrates something called CygDrive notation - Cygnus' (and OpenSSH's) way of accessing Windows drive letters in a Unix-style environment.
First, create the file c:\export\nightly_upload.ftp (or whatever you want to call it) - which should look something like:

put /cygdrive/c/export/prices.csv /cygdrive/w/ftproot/upload/prices.csv
put /cygdrive/c/export/offers.csv /cygdrive/w/ftproot/upload/offers.csv
put /cygdrive/c/export/accounts.csv /cygdrive/w/ftproot/upload/accounts.csv
Note how we're using /cygdrive/c/ to denote drive C:\ on the local machine, and /cygdrive/w/ to denote drive W:\ on the remote machine.
Then create the Windows batch file that will call SFTP with the appropriate arguments - note the PROGRA~1 shorthand for Program Files to get around potential problems with pathnames containing spaces. The contents of upload.bat look like this - and should be all on one line:
c:\progra~1\networksimplicity\ssh\sftp.exe -oIdentityFile=c:\progra~1\networksimplicity\ssh\.ssh\johndoe.key -b c:\export\nightly_upload.ftp johndoe@www.fortress.com
Note that we're using fully-qualified path names throughout - advanced users, feel free to use the 'Start in Folder...' feature of the Task Scheduler or other means to make this look a bit more elegant, but this syntax is most reliable.
Finally, use the Windows Task Scheduler to run upload.bat at 21:00 every night (or whenever), and you're in business.
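A version of upload.bat with the checks an unattended job needs, as an added example that is not the original upload.bat. It passes BatchMode=yes so that sftp fails instead of sitting at a password prompt if the key is missing or rejected, StrictHostKeyChecking=yes so that an unknown or changed server host key aborts the transfer rather than being accepted silently, and it writes sftp's exit status to a log file the scheduled task can be checked against. It assumes the paths used above, that c:\export exists, and that sftp.exe returns a non-zero exit code when a put in the batch file fails.

```batch
@echo off
rem Nightly unattended SFTP upload (added example; not the original upload.bat).
rem Assumptions: paths match the layout used in these notes, c:\export exists,
rem and sftp.exe exits non-zero when a command in the batch file fails.
setlocal

set SSHDIR=c:\progra~1\networksimplicity\ssh
set KEY=%SSHDIR%\.ssh\johndoe.key
set BATCH=c:\export\nightly_upload.ftp
set LOG=c:\export\nightly_upload.log

echo %DATE% %TIME% starting upload >> %LOG%

rem BatchMode=yes: never prompt for a password or passphrase; fail instead, so a
rem   missing or wrong key cannot leave the scheduled job hanging at a prompt.
rem StrictHostKeyChecking=yes: refuse to connect unless the server's host key is
rem   already in known_hosts and unchanged (the first interactive ssh session,
rem   where you answered the identity warning, is what records it).
%SSHDIR%\sftp.exe -oIdentityFile=%KEY% -oBatchMode=yes -oStrictHostKeyChecking=yes -b %BATCH% johndoe@www.fortress.com >> %LOG% 2>&1

if errorlevel 1 (
    echo %DATE% %TIME% UPLOAD FAILED, sftp exit code %ERRORLEVEL% >> %LOG%
    exit /b 1
)

echo %DATE% %TIME% upload completed >> %LOG%
exit /b 0
```

Run the interactive ssh test once as the same Windows account the scheduled task runs under, so that the server's host key is already in that account's known_hosts file before the job is scheduled; otherwise StrictHostKeyChecking=yes will refuse the first unattended connection, which is exactly what the log entry will show.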
OpenSSH for Windows: http://www.networksimplicity.com/openssh/
Documentation copyright © Dylan Beattie 2002 except where indicated.
Permission is granted to copy, distribute and/or modify this documentation under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts and no Back-Cover Texts.