Secure File Transfer
Regular FTP (File Transfer Protocol) programs send data (including your
password) over the network "in the clear" but there are secure
alternatives described below.
If you are unable to use the methods below for any reason,
your safest alternative is to change your password just before you do
the file transfer, and change it back again as soon as possible. This
will at least ensure that if your password is intercepted, it will be
valid only for a brief period of time. Also see the guidelines on choosing a good
password.
UNIX users can securely transfer files to and from Athena with kerberized FTP, or the SSH scp
command.
Mac: To transfer files securely on a Mac, use Kerberized Fetch (the
initial release is "Fetch 3.0.4b6 Secure"; older versions of Fetch are
not kerberized and therefore are insecure).
PC: To upload files securely from Windows NT or
2000, the Computing Help Desk supports Plop, a kerberized
drag-and-drop. It is not a full-featured file-transfer program, but
rather was designed to provide simple shortcuts for users who repeatedly
upload to the same location, e.g. for maintaining relatively small web
sites. IS is investigating options to support a more complete solution
for Windows users; watch the Plop Release Notebook and Kerberized FTP at MIT page
for updates.
- If Plop does not meet your needs, there are other secure alternatives:
  - Kerberized HostExplorer can be used for secure file transfers as explained on the CWIS page "Secure file transfer on the PC". This method is supported by the Computing Help Desk.
  - WS_FTP can be used with SSH port forwarding as in the examples using SecureCRT below; SecureCRT also includes a built-in transfer feature (using zmodem) which can be used for secure transfers through ssh as shown in the examples. Note that WS_FTP is supported by the Computing Help Desk but at this writing SecureCRT is not.
  - The Cygwin collection of Unix utilities for Windows provides command-line ssh and scp.
  - WinSCP is a graphical scp client for Windows.
  - More generally, other SSH clients (see our SSH Overview for some links) do not all provide scp, but some provide other means for making secure file transfers.
Mac and PC: A kerberized version of Fetch is available for
the Mac. For Windows NT or 2000, there is now the kerberized,
upload-only utility called Plop, but no kerberized
full-featured FTP client (see above for other options).
Unix: As of release 8.2, Athena supports kerberized ftp, but to
connect securely from a non-Athena UNIX machine to an Athena dialup or
private workstation, it is necessary to take the steps shown in example 1. (This is due to the fact that the
existing ftp clients don't encrypt the connection automatically before
asking for a password. Note that the Athena ftp client was specially
modified to auto-encrypt, so that these steps should not be necessary
if you were to ftp from Athena to a remote-access Athena
workstation, or to another machine running a kerberized ftp daemon;
see example 2.)
- Use a kerberized ftp client. A krb4 version is available from the
net-security kerberos installation kits, and a krb5 version is
available in the krb5 locker. This example was taken
from a krb5 ftp client; the krb4 one works similarly.
- Connect to the dialup or other remote-access workstation:
ftp ftp.dialup.mit.edu
Connected to mass-toolpike.mit.edu.
220 buzzword-bingo FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: Server not found in Kerberos database
GSSAPI error: initializing context
GSSAPI authentication succeeded
Name (ftp.dialup.mit.edu:jqpublic):
You can safely ignore the GSSAPI errors as long as it says
`authentication succeeded' at the end.
- Enter your username but do not type your password.
Leave the Password entry blank (just press the Return key):
331 Password required for jqpublic.
Password: [leave this blank!]
It should respond:
530 Login incorrect.
Login failed.
ftp>
- Type `private' to encrypt the connection:
ftp> private
200 Protection level set to Private (Encrypted).
- Now type `user' followed by your username to have it
prompt you for your password again:
ftp> user jqpublic
331 Password required for jqpublic.
Password:
and enter your password, which will now be encrypted.
230 User jqpublic logged in.
ftp>
You can now continue with the standard ftp commands.
For comparison, this is how things look from the ftp client on
Athena (in this case, to a private Athena workstation). The lines to
look for before typing your password are "GSSAPI authentication
succeeded" and "Protection level set to Private".
athena% ftp private-machine.mit.edu
Connected to private.machine.MIT.EDU.
220 private-machine.mit.edu FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI authentication succeeded
200 Protection level set to Private (Encrypted).
Name (private-machine.mit.edu:jqpublic):
Note that the "(Encrypted)" in the message above is an Athena
customization; if you are connecting to a non-Athena machine it will
just say "Protection level set to Private".
scp is a secure alternative to the regular UNIX rcp
command for copying files between hosts (scp uses ssh for authentication
and data encryption). You can use it between any UNIX host with SSH
installed and an Athena dialup (or private workstation with
remote-access enabled). At this writing, SSH clients for Mac and PC do
not all provide scp, but may support other means of secure file
transfer as demonstrated below.
To copy from the local machine to Athena:
scp localfilename athena.dialup.mit.edu:/path/to/remotefilename
To copy from Athena to the local machine:
scp athena.dialup.mit.edu:/path/to/remotefilename localfilename
To specify your Athena username (necessary if your username on the local
machine is not the same as your Athena username):
scp jqpublic@athena.dialup.mit.edu:/path/to/remotefilename localfilename
Troubleshooting:
- At this writing ssh2 clients will not work on Athena, due to compatibility and licensing issues; see the SSH Overview for further information and alternatives.
- scp may choke on output from dotfiles (anything your login scripts print during a non-interactive login is mixed into scp's data stream). If you get error messages from scp that you don't see from ssh, try replacing commands in your ~/.environment, ~/.cshrc.mine, etc. with less verbose versions, for example use
  attach -q lockername rather than
  attach lockername, or use ssh to transfer files directly, e.g.
  cat local_file | ssh host "cat - >remote_file"
If you have an FTP program which allows you to specify an arbitrary port
on the remote host, you can use this method to encrypt what you type
in an FTP session; note that it does not encrypt the files being
transferred. This is a two-step process:
- Set up the port forwarding through ssh; note that this will remain in
effect only while the ssh session is active.
For example:
ssh -L 1234:ftp.dialup.mit.edu:21 ftp.dialup.mit.edu
will log you in and forward connections made to port 1234 on your
local machine to ftp.dialup (using the standard ftp port 21).
- Use your FTP program to connect to the port you've just forwarded
on your local machine.
For example, in WS_FTP for Windows you should set up a Session
Profile with:
  - Host Name: localhost
  - Advanced Profile Parameters (from the Session Profile screen, hit the Advanced button):
    - Remote Port: 1234
    - Passive transfers (use checkbox to make this active)
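To see concretely why this arrangement protects what you type but not the files, here is an added illustration (it is not part of the original page and not code from any of the programs above): it parses the "227" reply a passive-mode FTP server sends and reports which of the two FTP connections would actually pass through an ssh -L forward to localhost:1234. The sample reply and the 192.0.2.10 address are constructed for the example.

```python
import re
from ipaddress import ip_address

# Constructed sample PASV reply; 192.0.2.x is a documentation address, not a real server.
SAMPLE_PASV = "227 Entering Passive Mode (192,0,2,10,195,149)"

_PASV_RE = re.compile(r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Turn a 227 reply into the (host, port) the client will open its data connection to."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in PASV reply")
    h1, h2, h3, h4, p1, p2 = octets
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def _is_local(host):
    """True for the loopback end of an ssh -L forward (localhost, 127.x, ::1)."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False  # a remote hostname, not an address


def tunneled_channels(control_host, pasv_reply):
    """Return the FTP channels that pass through the ssh forward.

    The control channel is protected only if the FTP program was pointed at the
    local forwarded port. The data channel goes wherever the 227 reply says,
    which for a passive server is its own address, i.e. outside the tunnel.
    (Passive mode is needed at all because in active mode the server would try
    to connect back to the client, and that connection is not carried by -L.)
    """
    protected = []
    if _is_local(control_host):
        protected.append("control")
    data_host, _port = parse_pasv(pasv_reply)
    if _is_local(data_host):
        protected.append("data")
    return protected


if __name__ == "__main__":
    print(parse_pasv(SAMPLE_PASV))
    print(tunneled_channels("localhost", SAMPLE_PASV))
```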
This section illustrates two methods which can be used:
- A program such as WS_FTP
can be channelled through SecureCRT (WS_FTP is a
graphical FTP program for Windows which is supported by
the Computing Help Desk; the LE version is free.) The same method
will work with any FTP program that allows you to specify the
remote port number.
- SecureCRT includes a graphical interface for
uploads via zmodem (for downloads, commands must be typed at the
command line).
The following assumes you have already installed the required
application(s); for download and installation instructions, follow the
links above.
WS_FTP with SecureCRT
This method sends the commands from WS_FTP through SecureCRT's ssh
channel, which encrypts what you type in the FTP session (most
importantly, your password). Note that it does not encrypt the files
being transferred.
Setup:
Create a Session Profile in each program to save the necessary settings
(this only needs to be done once).
- SecureCRT Settings
  - From the Connect window, right click on Sessions and choose New Session, or click on the 3rd icon. (If the Connect window did not open automatically when you launched SecureCRT, go to the File menu and select Connect.)
  - In the Session Options window choose Connection from the 'Category:' list and set:
    - Name: BeforeFTP (or your own descriptive label)
    - Protocol: ssh1
    - Hostname: ftp.dialup.mit.edu
  - Choose Port Forwarding from the 'Category:' list, and select Add. In the window that appears, set:
    - Name: forwardedConn (or your own descriptive label)
    - Port: 1234
    - Check 'Destination host is different from the SSH server'
    - Hostname: ftp.dialup.mit.edu
    - Port: 21
  - Save, and OK both dialog boxes.
- WS_FTP Settings
  - In the Session Properties window, hit the New button and set:
    - Profile Name: ViaSecureCRT (or your own descriptive label)
    - Host Name: localhost
  - Under Advanced, set:
    - Remote Port: 1234
    - Passive transfers (use checkbox to make this active)
  - Hit Apply. (Note that if you hit OK at this point it will try to connect, and will give you an error if you haven't already connected with the SecureCRT Profile above.)
Transferring files:
- In SecureCRT, connect to BeforeFTP (or the Session you
saved above). It is safe to type your password since ssh
encrypts it, but you should not use the "Remember my password"
box. Note that you must keep this connection open until you
are finished with the WS_FTP step below.
- In WS_FTP, connect to ViaSecureCRT (or the Session
you saved above); it is now safe to type your
password as it will be sent through the encrypted ssh channel, but
you should not use the "Save Pwd" box.
When you are done, first close the WS_FTP connection, then logout
from the SecureCRT session.
Note to private Athena workstation owners: this method
can be used with ftp.dialup.mit.edu (or any of the other
dialups), but will not work with a private Athena workstation with the
mkserv
remote require-encryption setting (although the password you type is
encrypted through ssh, the restriction for FTP actually requires
Kerberos). We strongly encourage private workstation owners to use the
mkserv remote require-encryption setting (i.e., answer yes to the
question "Do you wish to require encrypted passwords on remote
connections?"); if you need to transfer files to/from the local disk,
it's better to use an scp client or the SecureCRT method below.
SecureCRT zmodem transfer feature
This method uses SecureCRT's zmodem file transfer feature with
ssh for secure file transfer.
Setup
- Connect with:
  - Protocol: ssh1
  - Hostname: ftp.dialup.mit.edu (or a private workstation)
- In the terminal window, add the sipb locker (for access to the zmodem
program on Athena):
athena% add sipb
- Modify directory settings as needed:
- On the PC, SecureCRT will
put files into the download directory within the
SecureCRT install directory, and will try to get files
from the upload directory. To change this, go to the
Options menu, select Session
Preferences and modify the settings listed under the
Files tab.
- On Athena, cd to the appropriate directory.
To send a file from your PC to Athena
- From the Athena prompt, type one of:
  athena% rz -ae    (for ascii (text) files)
  athena% rz -be    (for binary files)
- This will bring up a SecureCRT dialog box where you
select files to upload (the
Add button puts the selected file on the list;
use the Close button when the list is complete
and the transfer will start).
- A window with a progress bar will
open; if the transfer completes without error, this will close
automatically and you will be returned to the Athena prompt.
- The following will appear in your terminal window; it
applies to command-line use of zmodem's rz/sz command pair and
should be ignored here. Once you see the athena% prompt, the
file(s) should be in your current directory.
athena% rz
rz ready. To begin transfer, type "sz file ..." to your modem program
athena%
To send a file from Athena to your PC
  athena% sz -a filename    (for ascii (text) files)
  athena% sz -b filename    (for binary files)
You may also want to use the -e flag to escape control
characters, e.g.: sz -ae filename
For general information on securing the FTP channel, see the SSH
FAQ section on FTP or man pages.
For help with specific Mac/PC clients, see the F-Secure SSH FAQ or documentation from your SSH provider.
For more information on SSH see our SSH Overview.