DaemonForums, OpenBSD Security forum

Post by plexter, 30th September 2008
PureFTP + TLS / or SFTP

Hello all,

I am running OpenBSD 4.2 /w Generic Kernel.

I am wondering if someone can assist with some thoughts regarding TLS or SFTP security?

Currently I am running PureFTP w/ SQL for the user accounts. I am interested in implementing a secure method (or both) as a secondary method for connecting. Existing users will need to be usable.

I have a few questions:

1. What are the key differences between using TLS and SFTP?

2. Does PureFTPd have the ability to support SFTP?

3. Will SFTP be compatible with the SQL database for authentication?

4. Does anyone have any nice walk-throughs regarding this?


Your help is greatly appreciated.

Thank you in advance!
Post by BSDfan666, 30th September 2008

This has been asked already, or similarly.. http://www.daemonforums.org/showthread.php?t=2014

There is much confusion between SFTP and FTPS, the former is a method of transferring files over the SSH protocol, the latter being a secure variant of the FTP protocol.

SFTP is a feature of OpenSSH, FTPS is a feature of an FTP daemon...

As with the topic above, please clarify... are you talking about a secure variant of "FTP" (RFC 4217) or an independent secure file transferring service over the SSH protocol. (Which doesn't have a published RFC, but this is quite close..).

http://en.wikipedia.org/wiki/FTPS
http://en.wikipedia.org/wiki/SSH_file_transfer_protocol

Post by plexter, 1st October 2008

Hello BSDfan666,

Thanks for the reply!

I am not totally sure what you mean.

I suppose to answer your question I would say I am talking about both.


Are TLS and sFTP not specific types of communication?

TLS being an addon to FTP; sFTP being SSH-FTP. Both of which from what I can tell accomplish the same sort of thing. (am I wrong?)

The links/forum post I do not believe answer my questions at all. I already know WHAT these terms mean and how to use sFTP (forum post).

My questions:

1. What are the key differences between using TLS and SFTP?

(in terms of security is one vastly superior, does one not do something the other does...etc anything I should be aware of between choosing between them)

2. Does PureFTPd have the ability to support SFTP?

(can I run the sFTP feature through PureFTP's configuration in order to make use of the sFTP security but maintain my other FTP policies - in other words is it possible to use PureFTP with SSH as opposed to TLS/FTPs or is TLS another name for SSH more-or-less?)

3. Will SFTP be compatible with the SQL database for authentication?

(can sFTP (or I suppose SSH) be made to lookup account info through a SQL database/my pureFTP SQL database)

4. Does anyone have any nice walk-throughs regarding this?

(are there any guides that walk through the installation of these on OpenBSD)


Anyway please let me know. If I missed something or need to clarify further let me know. Thanks for your help.
Post by BSDfan666, 1st October 2008

I think you missed the point, SFTP and FTP are unrelated.. the only thing they share is the name and the fact they transfer files in some manner.

1A) How can you compare 2 entirely different things? They both transfer files.. that's it.
2A) PureFTPd supports FTP, i.e: RFC 959.. and RFC 4127, FTP with TLS encryption.. as I keep saying, SFTP is "unrelated" to the FTP protocol... it's a method of transferring files over the "SSH" protocol.
3A) No, SSH uses system accounts.
4A) No.

Hope that helps.

Post by plexter, 1st October 2008

Hello again,

Thanks for your reply. My point with this topic is to decide what method to use to transfer files since both A and B will in the end accomplish the same thing; transferring a file from one location to another. I had thought I was clear that I understood that they are two separate technologies. As in, say, PHP and ASP. They can probably do a lot of the same thing but one is probably better at some 'features' than the other. With that also note they probably can mingle together.

Forget that I mentioned I was already running FTP for a minute. Let's say I posted a message asking which would be a better solution for ME. FTP-TLS or sFTP. Now with that in mind (if you know) can you tell me what the advantages are and what the disadvantages would be? My end objective would be to transfer a file securely from one place to another. Is one more secure than the other? Does not only the login info but also the data get encrypted? Drawbacks? Positives? Comments?

I was hoping that it might be possible to at least be able to forward credentials for SSH/sFTP to a SQL database, much like using a radius/AAA server for authentication (not related to FTP). It's unfortunate this is not possible.

Thanks for your help.
Post by plexter, 2nd October 2008

Does anyone have any info?

Thanks
Post by jggimi, 2nd October 2008

Info? No. Recommendation? Yes. Use OpenSSH.

Why?

No 3rd party products need be installed; it supports any number of authentication methods, including Radius servers; and the only thing "sftp" adds to SSH is FTP-like file transfer commands within an ssh session. Otherwise it is just plain-old-well-understood-well-audited-and-secure OpenSSH. Authentication can be loose or broad, as it is with any SSH configuration, and all packets are encrypted, including authentication packets.

I happen to like using scp, which allows file transfer from shell commands without an sftp client session.
Post by plexter, 3rd October 2008

Thanks for your reply jggimi,

Interesting comment. Sounds pretty decent for a standalone solution. The more and more I read I am beginning to realize that sFTP is not going to be a practical solution for my requirements however. (unless you can suggest otherwise? --which would be awesome!)

Right now as indicated above I have a setup that relies off of SQL to hold authentication information. According to the above SQL is not compatible with sFTP(OpenSSH). I imagine with some work it could be "made" to interact with the database through a custom script or something of that nature but that would probably take a lot of work.

I am curious about your comment "it supports any number of authentication methods including Radius servers" --there isn't a chance you would know of a solution for my SQL dilemma would you?

Also one of the big questions I have that remains is with TLS. What sort of encryption does it use? Is said encryption "strong" enough like ipsec or ssh?

Anyway thank you again for your input.
Post by jggimi, 3rd October 2008

OpenSSH supports host based authentication, public key authentication, challenge-response authentication, or password authentication.

(I never set up OpenSSH servers with password authentication, myself. My favorites are public key and S/Key challenge-response authentications.)

Host-based authentications may include ActivCard token, CRYPTOCard token, Kerberos ticket, Radius authentication, SecureNet Key token, X9.9 token, or programmatic authentications. Program authentications via the "approve" and "approve-service" keywords are described in login.conf(5) but I know nothing about them, except they appear to be available for custom challenge/response techniques. This might be how you could interface your custom authentication with OpenSSH, or perhaps with your alternative file transfer solution.

A common programmatic authentication used in other Unix-like systems is PAM. All I know of PAM is that it is not one of the methods available on OpenBSD.

----

TLS (Transport Layer Security) is an authentication method based on public key authentication -- it uses certificates which include public/private key pair halves. To basic PKA it adds complexities such as commercial certification authorities (e.g.: Verisign), expiration dates (so that the certification companies get repeat business), and the like.

As an admin, you might have set up a secure web server (https), and set up a host certificate for it. If you *also* created a small set of client certificates to give to a set of users, to limit which clients could reach that server, you set up a TLS authentication system.

Encryption for TLS traffic is via SSL v3.

Post by plexter, 4th October 2008

Hello again,

Thank you for your reply. Very informative. The programmatic solution sounds like it would be the only way, if it is possible at all, for me to use sFTP with my current setup. It does sound like it would be technically better to use sFTP as opposed to TLS. However SSL v3 isn't really all that bad either.

I think I have got what I was looking for with this post. I will continue as planned and use TLS for now as it does seem to be the easiest and least time consuming solution to implement for my situation. Thank you for your advice/info. Very much appreciated.



One other question I just realized. Does TLS/SSL also encrypt all the traffic like SSH does?

Thanks!
Post by jggimi, 4th October 2008

TLS is an authentication system. Session encryption is the responsibility of the application. Most TLS using systems I'm aware of (HTTPS, SMTP/STARTTLS) use SSL encryption. That doesn't mean all do. To confirm if your application does so, use tcpdump(8) with a large snaplen value to capture packet content.
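One way to turn the tcpdump(8) check jggimi describes into something repeatable, as an added example that is not from this thread or from PureFTPd/OpenSSH: a small Python audit over the payloads of an FTP control-channel capture (the sample packets are constructed, not a capture from the poster's server). It flags a USER/PASS that travelled readable on the wire, and confirms that the explicit-TLS handshake of RFC 4217 (client AUTH TLS, server 234) was followed by ciphertext rather than by more plaintext commands.

```python
"""Audit captured FTP control-channel payloads for cleartext logins.

Each entry is the payload of one TCP segment on port 21, as the bytes a
capture would show, with its direction ("C" client -> server, "S" server -> client).
Explicit FTPS (RFC 4217) starts in the clear; after the client's AUTH TLS
and the server's 234 reply the wire should carry only TLS records, so readable
FTP verbs after that point mean the session is NOT actually protected.
"""
from dataclasses import dataclass, field


@dataclass
class FtpAudit:
    tls_negotiated: bool = False                     # AUTH TLS answered with 234
    cleartext_credentials: list = field(default_factory=list)  # USER/PASS seen readable
    readable_after_tls: bool = False                 # plaintext verbs after the 234

    @property
    def safe(self) -> bool:
        return self.tls_negotiated and not self.cleartext_credentials and not self.readable_after_tls


def _as_text(payload: bytes):
    """Payload as a printable ASCII line, or None when it looks like ciphertext."""
    try:
        text = payload.decode("ascii").strip("\r\n")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def audit_control_channel(packets) -> FtpAudit:
    audit, auth_requested = FtpAudit(), False
    for direction, payload in packets:
        line = _as_text(payload)
        if line is None:               # TLS record or other binary: expected once TLS is up
            continue
        if audit.tls_negotiated:       # readable FTP text where only TLS records should be
            audit.readable_after_tls = True
        verb = line.split(" ", 1)[0].upper()
        if direction == "C" and line.upper() in ("AUTH TLS", "AUTH SSL"):
            auth_requested = True
        elif direction == "C" and verb in ("USER", "PASS"):
            audit.cleartext_credentials.append(line if verb == "USER" else "PASS <redacted>")
        elif direction == "S" and auth_requested and line.startswith("234"):
            audit.tls_negotiated = True
    return audit


# Constructed samples (hypothetical, not captures from the poster's server).
PLAIN_FTP = [("S", b"220 FTP server ready\r\n"), ("C", b"USER plexter\r\n"),
             ("S", b"331 Password required\r\n"), ("C", b"PASS hunter2\r\n"),
             ("S", b"230 Logged in\r\n")]
EXPLICIT_FTPS = [("S", b"220 FTP server ready\r\n"), ("C", b"AUTH TLS\r\n"),
                 ("S", b"234 AUTH TLS OK.\r\n"),
                 ("C", b"\x16\x03\x01\x00\x8a\x01\x00\x00\x86"),   # TLS ClientHello; login happens inside the tunnel
                 ("S", b"\x16\x03\x01\x00\x4a\x02\x00\x00\x46")]
```

Against a real server, feed it the port-21 payloads from a capture taken with a full snaplen (for example `tcpdump -s 0 -A port 21`), as suggested in the post above.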
Post by plexter, 6th October 2008

Hmm alright. Well thank you very much for your help!