MIT - Academic Computing

Secure File Transfer



Transferring files to and from Athena

Regular FTP (File Transfer Protocol) programs send everything, including your password and the files themselves, over the network "in the clear", but there are secure alternatives, described below.

If you are unable to use any of the methods below, your safest alternative is to change your password just before you do the file transfer and change it back as soon as possible afterwards. This does not stop the password from being seen on the network, but it ensures that if it is intercepted it will be valid only for a brief period of time. Also see the guidelines on choosing a good password.

Secure file transfer between Athena and UNIX

UNIX users can securely transfer files to and from Athena with kerberized FTP, or the SSH scp command.

Secure file transfer between Athena and a Mac or PC

There are currently no kerberized FTP clients for the PC, but a kerberized version of Fetch for the Mac should be available in the near future.

SSH clients for Mac and PC do exist (see our SSH Overview for some links). They do not all provide scp, but some provide other means for making secure file transfers.

In the absence of kerberized FTP or SSH, Mac and PC users can securely copy files to and from Athena by performing the file transfer through kerberized telnet clients (NCSA telnet on the Mac, HostExplorer on the PC). Step-by-step procedures are given on the following pages from the CWIS group:

If you don't already have kerberized NCSA telnet or HostExplorer installed, see:

Kerberized FTP

As explained above, there are currently no kerberized FTP clients for the PC. A kerberized version of Fetch for the Mac should be available in early October, 1998. In the meantime, you can securely transfer files through your kerberized telnet.

Athena now supports kerberized ftp, but to connect securely from a non-Athena UNIX machine to an Athena dialup or private workstation you must take the steps shown in example 1, because the existing ftp clients do not encrypt the connection automatically before asking for a password. (The Athena 8.2 ftp client has been specially modified to auto-encrypt, so these steps should not be necessary when you ftp from Athena to a remote-access Athena workstation or to another machine running a kerberized ftp daemon; see example 2.)

example 1: kerberized ftp to Athena

  1. Use a kerberized ftp client. A krb4 version is available from the net-security kerberos installation kits, and a krb5 version is available in the krb5 locker. This example was taken from a krb5 ftp client; the krb4 one works similarly.

  2. Connect to the dialup or other remote-access workstation:
          ftp ftp.dialup.mit.edu
    
          Connected to mass-toolpike.mit.edu.
          220 buzzword-bingo FTP server (Version 5.60) ready.
          334 Using authentication type GSSAPI; ADAT must follow
          GSSAPI accepted as authentication type
          GSSAPI error major: Miscellaneous failure
          GSSAPI error minor: Server not found in Kerberos database
          GSSAPI error: initializing context
          GSSAPI authentication succeeded
          Name (ftp.dialup.mit.edu:jqpublic): 
    
    You can safely ignore the GSSAPI errors as long as it says `authentication succeeded' at the end. If it does not, stop here rather than logging in with your password: without a successful GSSAPI authentication the `private' command in step 4 cannot encrypt the connection.

  3. Enter your username but do not type your password. Nothing has been encrypted yet, so anything you type at this prompt would cross the network in the clear. Leave the Password entry blank (just press the Return key):
          331 Password required for jqpublic.
          Password: [leave this blank!]
    
    It should respond:
          530 Login incorrect.
          Login failed.
          ftp>
          
    
  4. Type `private' to encrypt the connection:
          ftp> private
          200 Protection level set to Private (Encrypted).
    
    
  5. Now type `user' followed by your username to have it prompt you for your password again:
          ftp> user jqpublic
          331 Password required for jqpublic.
          Password: 
    
    and enter your password, which will now be encrypted.
          230 User jqpublic logged in.
          ftp>
    
    You can now continue with the standard ftp commands.

example 2: kerberized ftp from Athena

For comparison, this is how things look from the ftp client on Athena (in this case, to a private Athena workstation). The lines to look for before typing your password are "GSSAPI authentication succeeded" and "Protection level set to Private".
      athena% ftp private-machine.mit.edu
      Connected to private.machine.MIT.EDU.
      220 private-machine.mit.edu FTP server (Version 5.60) ready.
      334 Using authentication type GSSAPI; ADAT must follow
      GSSAPI accepted as authentication type
      GSSAPI authentication succeeded
      200 Protection level set to Private (Encrypted).
      Name (private-machine.mit.edu:jqpublic):
Note that the "(Encrypted)" in the message above is an Athena customization; if you are connecting to a non-Athena machine it will just say "Protection level set to Private".
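As an added example, not part of the original ACS page: the check a practitioner should make before typing a password in examples 1 and 2 (both the "GSSAPI authentication succeeded" line and the "Protection level set to Private" line must already have appeared) written as a small Python audit of a session transcript. The two transcripts inside are constructed from the messages quoted above; one follows the procedure and one types the password at the first prompt. The string matching assumes the wording of the MIT client and server shown on this page; other clients phrase these messages differently.

```python
import re

# Strings taken from the client/server messages quoted in examples 1 and 2.
GSSAPI_OK = "GSSAPI authentication succeeded"
PROT_PRIVATE = "Protection level set to Private"
LOGIN_OK = re.compile(r"^230 User \S+ logged in")
PASSWORD_PROMPT = re.compile(r"^Password:")


def audit_transcript(text):
    """Classify one ftp login from a transcript of the control connection.

    gssapi_ok              'GSSAPI authentication succeeded' was seen
    encrypted_at           line number of the first 'Protection level set to
                           Private' reply (None if the channel never became Private)
    logged_in_at           line number of the first '230 ... logged in' reply
    prompts_before_private 'Password:' prompts shown while the channel was still
                           clear; each one is a chance to leak the password
    exposed                True if the login succeeded (230) before the channel was
                           Private, i.e. the password crossed the network unencrypted
    """
    r = {"gssapi_ok": False, "encrypted_at": None, "logged_in_at": None,
         "prompts_before_private": 0, "exposed": False}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if GSSAPI_OK in line:
            r["gssapi_ok"] = True
        elif PROT_PRIVATE in line and r["encrypted_at"] is None:
            r["encrypted_at"] = n
        elif PASSWORD_PROMPT.match(line) and r["encrypted_at"] is None:
            r["prompts_before_private"] += 1
        elif LOGIN_OK.match(line) and r["logged_in_at"] is None:
            r["logged_in_at"] = n
            r["exposed"] = r["encrypted_at"] is None
    return r


def safe_to_type_password(text_so_far):
    """Given the transcript up to a 'Password:' prompt, is it safe to answer it?
    GSSAPI success alone is not enough (it authenticates the server); the
    channel must also already be Private."""
    r = audit_transcript(text_so_far)
    return r["gssapi_ok"] and r["encrypted_at"] is not None


# Constructed transcript, modelled on the session shown in example 1.
GOOD_SESSION = """\
Connected to mass-toolpike.mit.edu.
220 buzzword-bingo FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI authentication succeeded
Name (ftp.dialup.mit.edu:jqpublic): jqpublic
331 Password required for jqpublic.
Password:
530 Login incorrect.
Login failed.
ftp> private
200 Protection level set to Private (Encrypted).
ftp> user jqpublic
331 Password required for jqpublic.
Password:
230 User jqpublic logged in.
ftp>
"""

# Constructed transcript of the mistake the page warns about: the password
# was typed at the first prompt, before `private'.
BAD_SESSION = """\
Connected to mass-toolpike.mit.edu.
220 buzzword-bingo FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI authentication succeeded
Name (ftp.dialup.mit.edu:jqpublic): jqpublic
331 Password required for jqpublic.
Password:
230 User jqpublic logged in.
ftp> private
200 Protection level set to Private (Encrypted).
ftp>
"""

if __name__ == "__main__":
    for name, session in (("good", GOOD_SESSION), ("bad", BAD_SESSION)):
        print(name, audit_transcript(session))
```

For the good session the audit reports one prompt before the channel was Private (the one answered with a blank line) and no exposure; for the bad session it reports the 230 login on line 9, two lines before the 200 reply, i.e. the password went out in the clear.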

SSH (Secure Shell), scp, and FTP

scp is a secure alternative to the regular UNIX rcp command for copying files between hosts (scp uses ssh for authentication and data encryption). You can use it between any UNIX host with SSH installed and an Athena dialup (or private workstation with remote-access enabled). At this writing, SSH clients for Mac and PC do not all provide scp, but may support other means of secure file transfer as demonstrated below.

scp example

To copy from the local machine to Athena:
      scp localfilename athena.dialup.mit.edu:/path/to/remotefilename
To copy from Athena to the local machine:
      scp athena.dialup.mit.edu:/path/to/remotefilename localfilename

To specify your Athena username (necessary if your username on the local machine is not the same as your Athena username):
      scp jqpublic@athena.dialup.mit.edu:/path/to/remotefilename localfilename

using SecureCRT for Windows file transfers

Note: the following assumes you have already installed SecureCRT and set up an ssh profile, as explained in the SecureCRT for Windows95/NT section of the ACS Notes on SSH.

SecureCRT includes support for zmodem file transfer which can be used in conjunction with ssh for secure file transfer. In order to use this feature, you must add the sipb locker:

      add sipb

By default, SecureCRT will put files into the download directory within the SecureCRT install directory (and try to get files from the upload directory). To change this, go to the Options menu, select Session Preferences and modify the settings listed under the Files tab.

To send a file from Athena to your PC:

      sz -a filename       for ascii (text) files

      sz -b filename       for binary files

To send a file from your PC to Athena:

securing the FTP channel (port forwarding)

If you have an FTP program which allows you to specify an arbitrary port on the remote host, you can use ssh port forwarding to encrypt the FTP control connection, i.e. what you type (including your username and password) and the server's replies. It does not encrypt the files being transferred: FTP sends each file and directory listing over a separate data connection, and that connection is not passed through the tunnel. This is a two-step process:
  1. Set up the port forwarding through ssh.

    For example:
           ssh -L 1234:ftp.dialup.mit.edu:21 ftp.dialup.mit.edu
    will log you in to ftp.dialup.mit.edu and forward connections made to port 1234 on your local machine, through the ssh session, to port 21 (the standard ftp port) on ftp.dialup.

  2. Use your FTP program to connect to your local machine (localhost, 127.0.0.1) on port 1234, the port you've just forwarded, rather than to ftp.dialup.mit.edu directly.

    For example, in WS_FTP for Windows you should set up a Session Profile with:
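As an added example, not part of the original page, here is why the forward above protects the control connection only. It models what an FTP client does with the server's "227 Entering Passive Mode" reply (the format is from RFC 959) and checks whether the resulting data connection would go through the ssh forward. The forward, the server address 18.0.0.1 and the port numbers are constructed for illustration.

```python
import re

# RFC 959 passive-mode reply: 227 ... (h1,h2,h3,h4,p1,p2), port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Decode a 227 reply into the (host, port) the client will connect to
    for the data connection (file contents or directory listing)."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def port_command(client_ip, client_port):
    """Active mode: the PORT command a client sends so the server can connect
    back to the client for the data connection (same h1..h4,p1,p2 encoding)."""
    octets = client_ip.split(".")
    return "PORT " + ",".join(octets + [str(client_port // 256), str(client_port % 256)])


class LocalForward:
    """One 'ssh -L local_port:dest_host:dest_port ssh_host' forward."""

    def __init__(self, local_port, dest_host, dest_port):
        self.local_port = local_port
        self.dest_host = dest_host
        self.dest_port = dest_port

    def argv(self, ssh_host):
        spec = "%d:%s:%d" % (self.local_port, self.dest_host, self.dest_port)
        return ["ssh", "-L", spec, ssh_host]

    def carries(self, host, port):
        """ssh encrypts only the connections the client makes to its own
        127.0.0.1:local_port; any other destination leaves the machine in the clear."""
        return host in ("127.0.0.1", "localhost") and port == self.local_port


def classify_data_connection(forward, pasv_reply):
    """Where the data connection for one transfer goes, and whether it is
    inside the tunnel."""
    host, port = parse_pasv(pasv_reply)
    return {"host": host, "port": port, "encrypted": forward.carries(host, port)}


if __name__ == "__main__":
    fwd = LocalForward(1234, "ftp.dialup.mit.edu", 21)
    print(" ".join(fwd.argv("ftp.dialup.mit.edu")))
    # Control connection: the FTP client talks to 127.0.0.1:1234, inside ssh.
    print("control encrypted:", fwd.carries("127.0.0.1", 1234))
    # Data connection: the server (constructed address) names its own port.
    print("data:", classify_data_connection(fwd, "227 Entering Passive Mode (18,0,0,1,195,80)"))
```

An FTP client pointed at 127.0.0.1:1234 has its commands carried by ssh, but it then follows the 227 reply to 18.0.0.1:50000 directly, so the file or listing travels unencrypted. Active mode is no better: the server connects back to the address the client advertises in PORT, outside the tunnel. Forwarding a data port as well only helps if you can pin the port the server will choose.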

For general information on securing the FTP channel, see the SSH FAQ section on FTP or man pages.
For help with specific Mac/PC clients, see the F-Secure SSH FAQ or documentation from your SSH provider.
For more information on SSH see:


related ACS notes: Remote Access Overview | Remote Login Guide | SSH Overview


Last modified: Mon Jun 7 20:28:21 1999