FTP over SSH on Windows
Has anyone ever set up a Windows server for FTP over SSH? The FTP server I use is Gene6 (hosts over 100 user accounts). If you have not used that particular FTP server application, which one do you use and why?
Thanks!
Software/Hardware used:
Software/Hardware used:
ASKED:
February 19, 2009 10:03 PM
UPDATED:
February 20, 2009 6:39 PM
Answer Wiki:
You could use an SSH server, running on your Windows server to provide a Secure-FTP (SFTP) service. Google turns up several good descriptions on this, like this one:
http://www.digitalmediaminute.com/article/1487/setting-up-a-sftp-server-on-windows
I would recommend Van Dyke (http://www.vandyke.com) for one of many good commercial SSH server implementations for Windows. Open source alternatives include the SSHWindows project (http://sshwindows.sourceforge.net).
In any case, follow best practices for allowing access to your server, including:
- configure the SSH server to only allow the minimum access necessary, including restricting or disallowing interactive SSH command line access
- use distinct accounts for the fewest users possible, ideally an individual account per user
- use public key authentication where possible instead of username / passwords (requires out-of-band or secure distribution of the keys)
- enable SSH server logging and ensure your log monitoring tools are receiving events from the SSH server
Note this is an incomplete list, just off the top of my head.
Hopefully this helps.
Regards,
AP
To see all answers submitted to the Answer Wiki: View Answer History.
Hi,
it’s quite tricky to set ssl/tls ftp – for the same reasons ftp is tricky for natting and firewalling: control channel, data channels on various ports, encryption of just control channel, but not data channels etc., etc… – but I believe you are aware of this. I’d agree with Edhacker, that most convenient way would be to set up ssh server instead of ftp server and use scp and sftp – there are some cool gui-clients for windows (winscp, sftp plugin for the Total Commander, etc.)
If, however, your users insist on using their favorite ftp-clients, offer them ssh-tunneling option. You have again to set up ssh server on the ftp server host, and instruct users how to build and use ssh tunnels. Most ssh clients don’t support ftp-tunneling – again because of “data channels” scheme, but some have “helpers” – just like in linux connection tracking. In fact, the only such client I have used is appgate’s MindTerm. It is still alive, and if it’s licensing is OK for you, your users are happy.
Some years ago I had prepared presentation on this and some close topics, you can still can find it on:
http://cose.math.bas.bg/CSE/M4/PAlovConnectivity.pdf
pp. 19-20 deal with MindTerm setup for ftp tunneling.
But anyway, ftp is outdated – better use scp/sftp.
Good luck,
Petko