----- Original Message ----- From: Matthew J. Roth Sent: 09/09/13 11:24 PM To: Community support for Fedora users Subject: Re: tls
Patrick Dupre wrote:
ssh works fine. However, I have a possible explaination. This machine is behind a firewall and to be able to make ssh, I add to ask to have the ssh port open. Probably, the ftp port is closed. Should I ask to have it open to use ssl/tls? Is it port 21? or 990? how can I check the port 22 is open while the other ones are closed on the firewall (I do not have admin access to this machine).
Matthew J. Roth wrote:
Do you have a compelling reason to use FTPS. If not, SFTP provides the same functionality (encrypted file transfers) and it runs over SSH, so it should *just work* in your environment.
Patrick Dupre wrote:
Yes, I know, but ssh/tls seems more secure!
Thank Matthew.
I probably need to learn more how to use sftp for having best secure transfers using my own key.
Patrick,
Both FTPS and SFTP utilize essentially the same techniques to secure a connection and provide similar levels of security. FTPS has a slight edge when it comes to authentication, because it uses X.509 certificates while SFTP uses SSH keys. However, this is only relevant if personally verifying the authenticity of keys (e.g. issuing a key yourself or verbally confirming its fingerprint by phone) isn't sufficient and you require a CA to verify the authenticity of certificates instead.
On the other hand, SFTP is easier to administer from a network perspective since only port 22/tcp must be opened in the firewall. This is the same port used by SSH, so in many cases (including yours) it's already open.
In my opinion, FTPS is slightly less secure than SFTP because its risks (running an additional daemon and opening multiple firewall ports) outweigh its benefit (X.509 authentication). Considering that SFTP is probably already available on your computer (it's enabled by default), it's the obvious choice unless you absolutely require X.509 authentication for file transfers.
Regards, Matthew Roth InterMedia Marketing Solutions Software Engineer and Systems Developer -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
=========================================================================== Patrick DUPRÉ | | email: pdupre@gmx.com Laboratoire de Physico-Chimie de l'Atmosphère | | Université du Littoral-Côte d'Opale | | Tel. (33)-(0)3 28 23 76 12 | | Fax: 03 28 65 82 44 189A, avenue Maurice Schumann | | 59140 Dunkerque, France ===========================================================================
Patrick Dupre wrote:
I probably need to learn more how to use sftp for having best secure transfers using my own key.
Patrick,
All you need to know is the fingerprint of the key on the remote computer. It is used to authenticate that you are connecting to the computer you intended to. Either ask the administrator or, if you are the administrator, enter the following command on the remote computer:
[user@remote ~]$ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub 2048 d0:f3:c7:b3:bc:d0:87:e4:32:f8:f5:17:2c:cf:d7:a4 /etc/ssh/ssh_host_rsa_key.pub
The first time you try to connect from the local computer you'll be prompted to verify the authenticity of the remote computer. Only type 'yes' after you've made sure that the RSA key fingerprint displayed matches the one you previously obtained:
[user@local ~]$ sftp user@remote The authenticity of host 'remote (12.34.56.78)' can't be established. RSA key fingerprint is d0:f3:c7:b3:bc:d0:87:e4:32:f8:f5:17:2c:cf:d7:a4. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'remote,12.34.56.78' (RSA) to the list of known hosts. user@remote's password: Connected to remote. sftp> bye
The public RSA key of the remote computer is now stored on the local computer in the '~/.ssh/known_hosts' file so that future connections can be automatically authenticated:
[user@local ~]$ sftp user@remote user@remote's password: Connected to remote. sftp> bye
If the automatic authentication check fails then the connection will be terminated with a warning message:
[user@local ~]$ ssh user@remote @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. The fingerprint for the RSA key sent by the remote host is 0b:fa:93:03:b8:86:ad:c4:4f:93:1e:69:a1:53:78:8a Please contact your system administrator. Add correct host key in /home/user/.ssh/known_hosts to get rid of this message. Offending key in /home/user/.ssh/known_hosts:60 RSA host key for remote has changed and you have requested strict checking. Host key verification failed.
If you don't see that warning then you can be confident that you have a secure connection to the intended remote computer for encrypted file transfers.
Regards,
Matthew Roth InterMedia Marketing Solutions Software Engineer and Systems Developer