Web Guide is no longer being maintained and the information on this page may be out of date. For assistance with managing course materials, please visit MIT's Stellar course management system.

Transferring Files to a Web Site
The term "file transfer" refers to the process of copying files between
your own computer (or disk) and another computer (or file server). For
example, a Web author may create pages on a Mac or PC and then transfer
or "upload" them to the Athena locker which houses the Web site.
File transfers are often referred to in terms of "uploading" (from
your "local" system to another "remote" system) or "downloading"
(the reverse process, copying files from remote to local).
If you are not familiar with this process or are new to Web publishing
in the MIT environment, the diagrams in the Overview section may help.
If you are not familiar with the structure of a typical course locker or
the correspondence between URLs and Athena (AFS) directory paths, see
the section on Using an Athena Course Locker for Your Web Site.
(Each of these links should open in a separate browser window so you can
continue reading this page; if they don't, use your browser's Back
button to return here).
On this page:
Before you begin, you should be aware that many common methods of file
transfer are insecure (i.e., they send your password over the network in
the clear, without any protection). To avoid compromising
your account, machines you access remotely, and MITnet as a whole, you
should be sure that you understand the section below on security considerations.
Fall 2002 update:
Plop and WS-FTP for Windows and Fetch version 3.0.4b6sec for Mac are slated for de-support on December 31, 2002. Instead, IS recommends FileZilla for Windows and Fetch 4.0.2 for Mac. The information on this page
covers other various options currently available and may seem overly
complicated; please don't hesitate to contact us if you're confused or see the Secure File Transfer at MIT page for more information.
Some applications allow you to save some of this information so that
you won't have to retype it for each file transfer session. (For
example, you may be able to create a configuration containing your name
and the path to your locker's Web directory.)
- host, hostname, or server name
- Name of the machine to
which you are connecting. For Athena:
ftp.dialup.mit.edu
- path or remote directory
- Path to the directory which
you want to access; for an Athena course locker, you need the
full AFS path. For example, to upload to the 29.123 www
directory, you would use:
/afs/athena.mit.edu/course/29/29.123/www
- username
- Your Athena username (aka Kerberos principal or
MITnet ID). If you do not have an account yet, see How to Register for an
Athena Account or contact Athena User Accounts at x3-1325.
- password
- Before you type your
password, see the information on
secure file transfer methods.
- file type or transfer type
- This tells the program whether to transfer the file in
text or binary mode; the wrong transfer type will cause the file to
be corrupted. Some programs may try to
autodetect file type, but it's usually best to set it explicitly. Use
text or ascii for plain text (including HTML),
PostScript, and PDF files. Use binary or raw
for all other types (including images).
- File transfer features within an HTML editor or other
Web-preparation software (usually labelled something like
"upload/download" "publish" or "site maintenance") are not
secure (however see the information on Secure FTP Using Dreamweaver for Windows), so you should either use another method or follow these
precautions:
- FileZilla is the FTP program that
MIT recommends for its Windows users. It supports Kerberos and can be
used to: securely connect to kerberized FTP servers, upload files to
-- and download files from FTP servers, remotely rename, move, delete,
and change the permissions of files on these servers. However, FileZilla
can not be used to: securely connect to an FTP server that is not
kerberized or SSL-enabled, establish a terminal emulation session with
a mainframe computer or connect from home to your computer on campus.
- SSH programs provide a secure connection which can be used for
file transfer in various ways:
- SecureFX is a SFTP program that MIT recommends for its Windows users, but is not supported by IS yet. It uses SSH2 for an authentication protocol.
- SecureCRT is an SSH client for Windows available to the MIT community. It includes zmodem support
which can used as in this example: using SecureCRT for file transfers
- An SSH program can be used to set up a secure connection
for any FTP client which supports port forwarding,
including a graphical program such as WS-FTP. See this
example: setting up port forwarding to secure the FTP channel
- Traditional SSH includes an scp command for direct
file transfer from the command line (scp may not be
available in all Windows versions of SSH).
For more information, see the ACS Notes on
SSH.
- HostExplorer can be used
for file transfers via kermit commands as explained in the
instructions for secure file transfer on the PC. If you
don't already have HostExplorer installed, see HostExplorer at MIT.
As noted above, the two following utilities are slated for de-support on December 31, 2002 but are listed here for user's convenience.
- Plop is an
MIT-developed drag-and-drop utility for securely
uploading files to Athena from Windows NT or 2000. It is not
a full-featured file-transfer program, but rather was
designed as a basic kerberized upload-only tool for users who
maintain relatively small web sites.
- WS_FTP is a graphical FTP program. It is not secure as is, but can be used securely in
combination with SecureCRT ; see
WS_FTP with SecureCRT for instructions.
- File transfer features within an HTML editor or other
Web-preparation software (usually labelled something like
"upload/download" "publish" or "site maintenance") are not
secure (however see the information on Secure FTP Using Dreamweaver MX for Mac OS X). Instead, you should use Fetch 4.0.2.
- Fetch
is a secure, graphical FTP program supported by the Computing Help Desk.
Note that the initial release is "Fetch 3.0.4b6 Secure", which will be de-supported on December 31, 2002. Upgrade to version 4.0.2 if you haven't already done so. Older
versions of Fetch (e.g. prior to 3.0.4b6) are not kerberized and
therefore are not secure.
- Mac OS X users also have the option of using Unix methods (see below) to transfer files by invoking the "terminal" application.
File transfer programs generally allow you to do two basic tasks on a
remote system: add a new file, or replace a file already there with one
of the same name. When uploading a file, you should exercise some
caution, as many programs will not warn you before overwriting an
existing file of the same name. For example, if you want to replace the
file /mit/29.123/www/exams/index.html but try to upload the new
index.html to the directory /mit/29.123/www (instead of to
/mit/29.123/www/exams), you'd end up overwriting the top-level page
/mit/29.123/www/index.html.
Some programs allow you to do other types of file management (such
as removing, renaming, or moving files, or manipulating directories),
but there are cases in which you may need direct access to the remote
system. For example, if your site is housed in an Athena locker and you
want to check the quota (how much disk space you have) and delete some
files in order to make room for more, you would log in to Athena and use
Athena commands to accomplish these tasks. In general, Web file
management on Athena lockers is a two-step process:
- Use an Athena workstation, or
login to
Athena remotely with a
program such as SSH (SecureCRT
for Windows) or kerberized telnet (HostExplorer
for Windows, BetterTelnet (formerly NCSA Telnet) for Mac).
- Use Athena
commands for web publishing.
There are several different ways of transferring files; an important
distinction is whether or not each method is secure. Regular FTP
programs and file transfer features within Web-publishing applications
send your password over the network in the clear, which poses a serious
security risk. (This is the same basic problem as with insecure telnet
but on a larger scale: your password may be exposed not only when you
first connect but again with each file transferred during that session.)
Among the security breaches which have been posed from within and
outside MIT are snoopers who use "packet sniffing" tools, which are
widely available and impossible to detect. These tools let snoopers
capture cleartext userids, passwords, and other data transmitted across
a network, which they can then use to gain access to individual accounts
and the network as a whole. Incidents of this kind are not at all rare,
and it is up to all of us do our part in preventing them by protecting
our MITnet passwords.
The table below summarizes security levels of different methods, and
available alternatives. For more information, see the ACS
Notes on Secure File Transfer and IS page on Secure File Transfer at MIT.
Fall 2002 update:
Starting very soon, MIT will no longer allow insecure connections to the dialup servers.
Method |
Secure? |
Safer alternative? |
Standard FTP (e.g. WS_FTP on Windows, old Fetch**** on a Mac, or Unix ftp)
|
no |
Kerberized FTP if available, or change password for FTP session*
(don't use program's "save my password" option**) |
File transfer features within an HTML editor or other
Web-preparation software (usually labelled something like
"upload/download" "publish" or "site maintenance") |
no |
change password for duration of file transfer*
don't use program's "save my password" option** |
Reverse ftp (through Kerberized Telnet for Mac) |
semi*** |
change password for duration of ftp session* |
kermit with Kerberized HostExplorer for Windows |
yes |
|
Kerberized FTP (e.g. FileZilla for Windows, Fetch for Mac)
|
yes |
|
File transfer features in SSH (Secure Shell) |
yes |
|
FTP through an encrypted SSH channel |
yes |
|
* If you must use an insecure file transfer method, there is one thing
you can do to reduce the risk of a security compromise: change your
password after the file transfer. (That way, if anyone does intercept
your session, the password they get will only be valid until you
complete the session and change it.) If you want to keep your original
password, you can change your password before starting the file
transfer, and then change it back again to the original once you're
done.
** Some programs include an option to save or "remember your password;
you should not use this -- especially for your Athena password -- as it
would allow someone else to sit down at your machine and use your
identity to copy files or make other changes.
*** This is called "reverse FTP" because you are setting up an FTP
server
on your Mac and connecting to that from your (secure) telnet client,
rather than connecting to an Athena FTP server with an FTP client
program like Fetch. It is reasonably secure as long as you:
- require a username and password (otherwise,
anyone can
make an FTP connection to your Mac)
- use a password different from your
Athena password
- turn off the FTP
server when not in
use
**** prior to 3.0.4b6