File transfer clients manual
File Delivery Services
Publisher
Post CH Ltd
Information Technology
Webergutstrasse 12
CH-3030 Berne (Zollikofen)
Contact
Post CH Ltd
Information Technology
Webergutstrasse 12
CH-3030 Berne (Zollikofen)
IT261 FDS Operation
E-mail: [email protected]
Version 3.0 / May 2014
Download the latest version from: https://www.post.ch/fds
File transfer clients manual
Version 3.0 / May 2014 / © Post CH Ltd
2/30
Table of contents
1. General
1.1 Purpose
1.2 Definitions, acronyms and abbreviations
1.3 Names, prices, versions, etc.
2. FTP
2.1 Brief overview
2.1.1 Active FTP
2.1.2 Passive FTP (recommended!)
2.2 The "FTP command": SITE
2.3 Transmitting data in ASCII and/or binary mode
3. SFTP
3.1 Introduction
3.2 Public and private key
3.2.1 Creating an SSH key pair with PuTTY
3.2.2 Creating an SSH key pair with OpenSSH
4. Connection to FDS
4.1 Introduction
4.2 Test of the connection
5. FileZilla
5.1 Importing a key with FileZilla
5.2 Automatic import with PuTTY's Pageant
5.3 Notes on FileZilla
6. CuteFTP
6.1 Importing a key with CuteFTP
7. WS_FTP Professional
7.1 Importing a key with WS_FTP Professional
8. WinSCP
8.1 Importing a key with WinSCP
8.2 Notes on WinSCP
9. Total Commander
10. Microsoft DOS client
1. General

1.1 Purpose
FDS customers use a wide variety of software clients and scripts to transfer data. To keep this variety
manageable, we have tested the clients that are used most and describe their most important functions
here; usage and support are restricted to these clients and functions.
1.2 Definitions, acronyms and abbreviations

FTP: File Transfer Protocol.
Active: The FTP client establishes the control connection from a high port (1024-65535) to port 21 of
the server. The FTP server then establishes the data connection from its port 20 back to a high port
on the client.
Passive: The FTP client establishes the control connection from a high port (1024-65535) to port 21 of
the server. The data connection is also established by the client, from another high port to a high
port on the FTP server, meaning that the FTP server never opens a connection to the client!

SSH: SSH or Secure Shell refers to both a network protocol and the corresponding programs that are used
to establish an encrypted connection with a remote computer in a secure manner.

SCP: Secure CoPy or SCP is a protocol, running over SSH, for the encrypted transmission of files
between two computers in a network.

SFTP: SFTP or SSH File Transfer Protocol is a separate file transfer protocol that also runs over SSH.
It offers more than SCP (directory listings, renaming, deleting) and enables the secure transmission
of data to remote systems. Despite the name, it is not related to FTP.

PuTTY: PuTTY is a free SSH client, developed by Simon Tatham, for Microsoft Windows, Mac OS and Unix.
1.3 Names, prices, versions, etc.

Software                              Price     Version*  FTP   SFTP (SSH)         URL
FileZilla (filezilla project)         free      3.8.0     yes   yes                https://filezilla-project.org/
  ("recommended")
CuteFTP Professional (globalSCAPE)    charged   9.0       yes   yes                http://www.cuteftp.com/
WS_FTP Professional (Ipswitch)        charged   12.4      yes   yes                http://www.ipswitchft.com/
WinSCP                                free      5.5.2     yes   yes                http://winscp.net
Total Commander                       free      8.50      yes   only with plugin   http://www.ghisler.com/

* Versions current as of May 2014 (05'2014). Although earlier and later versions of this software, as
well as other SFTP and FTP clients, should generally work with FDS without problems, our IT unit can
only provide limited support for problems that occur with versions/software not listed here.
2. FTP

2.1 Brief overview
The FTP protocol dates from the early days of the Internet, which was quite different from what it is
today: data had to be moved from one computer to another, and nobody needed a virus scanner or a
firewall. The original FTP mode of operation therefore has a characteristic that is problematic in
combination with some firewalls and proxies: the server itself opens a connection back to the client.
To get round this, FTP also defines a second mode, known as "passive FTP", in which the client opens
all connections. Either way, the FTP service uses two ports rather than one: port 21 for control
(control port) and port 20 for the data (data port).
The main problem of FTP, however, is its lack of security: all data, including username and password,
are transmitted in clear text and can be read or altered by anyone on the network path. For this
reason, FTP must not be used to exchange sensitive data; use SFTP instead.
The FDS FTP server supports:
- transfers of files of up to 10 gigabytes in size,
- 30 concurrent inbound connections from the same user account,
- user account locking for 30 minutes after 3 failed login attempts,
- change of password with the SITE command.
The FDS FTP server does not support:
- transfer resumption,
- change of file attributes,
- manipulation of the directory structure.
2.1.1 Active FTP
Active FTP is the "original FTP protocol". It only began to be called "active" after passive FTP had
been introduced. FTP is a service based on TCP and is characterised by one feature: FTP uses two ports!
One port is the "command" port and the other is the "data" port. Port 21 is used for control purposes
(commands) and port 20 for the data.
If a client wants to connect to an FTP server, it opens a random unprivileged port (any port >1024),
connects to the "command" port 21 of the server and, with the PORT command, tells the server the port
on which it wants to receive data. This is usually port number N+1.
Example: The client opens port 1226 and sends the message "I'm expecting data on port 1227" (the PORT
command) to port 21 of the server. The server acknowledges the message and the client opens port 1227
to "listen".
The server now opens a connection from its data port 20 to port 1227 of the client and sends the data.
The client acknowledges each TCP packet it receives, as usual.
For a firewall, this is a rather suspect procedure. Firewalls block unsolicited requests from outside
and only accept TCP packets from outside if the receiving port has requested them. The FTP process is
different: first, a port (1227) suddenly goes into "listening mode" without any request having been
sent from it, and then port 20 of the server sends data that was never requested from that port (the
request originally came from port 1226). At this point the firewall blocks any further communication.
This is the problem you encounter when you are behind a proxy or firewall. Good firewalls recognise an
FTP transfer (by reading the PORT command on the control channel) and do not prevent it taking place.
Problems frequently occur in combination with proxies. To get round these problems, the alternative
form of FTP transfer known as "passive FTP" is used.
2.1.2 Passive FTP (recommended!)
This mode is also known as "PASV mode", because the FTP command PASV tells the server that passive
mode is required. In contrast to active mode, the client opens both connections to the server. This
solves the firewall problem, since the firewall sees two outbound connections from the client side.
How such a passive connection is established is described below.
If the client wants a connection to an FTP server, it opens two unprivileged ports >1024, e.g. ports
1026 and 1027. Next, the first port contacts the server via its "command" port 21. However, instead of
telling the server, via its command port, on which port it expects the data from data port 20, the
client sends the PASV command. The server now does not know which client port will receive the data,
but it does know that the client has requested a passive connection.
We now explain the term "passive". From the server's point of view, passive means that it does not
actively open a connection to a port of the client.
The server therefore does not send any data from its port 20, but opens another port >1024 itself and
tells the client its address and port number in the reply to PASV (reply code 227, "Entering Passive
Mode (h1,h2,h3,h4,p1,p2)", where the port is p1*256+p2). The client is now in the position to direct
what happens: it knows the unprivileged port which the server has opened for data traffic in place of
port 20, connects to it from port 1027 (in our example) and receives the data over that connection.
This cannot confuse the firewall, as the data connection is now opened by the client itself from
port 1027.
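The two set-ups above, expressed as the commands and replies that actually cross the control channel, as an added example that is not part of the manual. It encodes and decodes the h1,h2,h3,h4,p1,p2 tuple shared by the PORT command and the 227 reply, and reports, for a given transcript, which side has to accept the inbound data connection, which is exactly what a firewall on either side must allow. It goes one step beyond the text: a passive-mode client should check that the address in the 227 reply is the address it is already talking to, since a client that blindly follows the reply can be redirected to a third machine. The IP addresses and transcripts are constructed; no server is contacted.

```python
"""Added example (not part of the manual): active (PORT) vs passive (PASV/227) data
connections as seen on the FTP control channel. Transcripts are constructed."""
import re

HOST_PORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def encode_host_port(host: str, port: int) -> str:
    """h1,h2,h3,h4,p1,p2 as used by the PORT command and the 227 reply (port = p1*256 + p2)."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError(f"not an IPv4 address: {host}")
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def decode_host_port(text: str) -> tuple:
    match = HOST_PORT_RE.search(text)
    if not match:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple found")
    values = [int(v) for v in match.groups()]
    if any(v > 255 for v in values):
        raise ValueError("tuple element out of range")
    h1, h2, h3, h4, p1, p2 = values
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def build_port_command(client_ip: str, data_port: int) -> str:
    """Active mode: the client announces where the server's port 20 should connect to."""
    return "PORT " + encode_host_port(client_ip, data_port)


def parse_pasv_reply(reply: str, control_peer_ip: str = None) -> tuple:
    """Passive mode: the server answers PASV with '227 ... (h1,h2,h3,h4,p1,p2)'.
    With control_peer_ip given, an advertised host that differs from the address the
    control connection goes to is refused instead of followed."""
    if not reply.startswith("227"):
        raise ValueError(f"expected a 227 reply, got: {reply!r}")
    host, port = decode_host_port(reply)
    if control_peer_ip is not None and host != control_peer_ip:
        raise ValueError(f"227 reply points at {host}, control connection is to {control_peer_ip}")
    return host, port


def data_connection_plan(transcript, client_ip: str, server_ip: str) -> dict:
    """Walk a control-channel transcript ('C: ' = client, 'S: ' = server) and report who
    has to accept the inbound TCP connection for the data transfer."""
    plan = None
    for line in transcript:
        who, _, text = line.partition(": ")
        if who == "C" and text.upper().startswith("PORT "):
            host, port = decode_host_port(text)
            plan = {"mode": "active", "listener": "client",
                    "listen_on": (host, port), "connect_from": (server_ip, 20)}
        elif who == "S" and text.startswith("227"):
            host, port = parse_pasv_reply(text, control_peer_ip=server_ip)
            plan = {"mode": "passive", "listener": "server",
                    "listen_on": (host, port), "connect_from": (client_ip, "ephemeral")}
    if plan is None:
        raise ValueError("transcript contains neither PORT nor a 227 reply")
    return plan


# Constructed transcripts following the example in the text: the client's control
# connection uses port 1226 and it expects data on 1227. Addresses are documentation ranges.
CLIENT_IP, SERVER_IP = "198.51.100.7", "192.0.2.10"
ACTIVE_TRANSCRIPT = [
    "C: " + build_port_command(CLIENT_IP, 1227),
    "S: 200 PORT command successful.",
    "C: LIST",
    "S: 150 Opening ASCII mode data connection for file list.",
]
PASSIVE_TRANSCRIPT = [
    "C: PASV",
    "S: 227 Entering Passive Mode (" + encode_host_port(SERVER_IP, 5001) + ").",
    "C: LIST",
    "S: 150 Opening ASCII mode data connection for file list.",
]

if __name__ == "__main__":
    for name, lines in (("active", ACTIVE_TRANSCRIPT), ("passive", PASSIVE_TRANSCRIPT)):
        print(name, data_connection_plan(lines, CLIENT_IP, SERVER_IP))
```

In the active transcript the plan names the client as listener on 198.51.100.7:1227 with the server connecting from port 20; in the passive transcript the server listens on 192.0.2.10:5001 and the client connects from an ephemeral port, so only outbound rules are needed on the client's firewall.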
2.2 The "FTP command": SITE
With the SITE command (site parameters) a server can offer site-specific services that are not part of
the FTP protocol itself. FDS uses it to change the password (cpwd):
Example:
- site cpwd <new-password>
Depending on the client you have to type the command as follows:
- quote site cpwd <new-password>
PLEASE NOTE: This only works with FTP, not with SFTP! Remember that, like everything else on an FTP
control connection, the new password is sent in clear text.
2.3 Transmitting data in ASCII and/or binary mode
When files are transferred we differentiate between two modes: ASCII mode, which is exclusively for
text files, and binary mode, which is for all other files.
- ASCII: In ASCII mode, the line structure of the source computer is converted to the line structure
of the target computer, during which a character-set conversion can also take place (e.g. EBCDIC -->
ASCII).
- Binary: In binary mode, the file is transmitted byte by byte, which is important for archive files
and other binary files. They have to be transmitted in this mode to ensure that byte combinations
which happen to look like a line break (and would be converted in ASCII mode) are not altered by
accident, which, in the worst case, renders the file useless.
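What the ASCII-mode conversion does to a file, as an added example that is not part of the manual. It models the two conversion steps of RFC 959 (the sender turns its local line ending into CRLF on the wire, the receiver turns CRLF into its own line ending) and compares the result with the original by checksum, which is also the right way to verify any real transfer end to end. The "archive" bytes are constructed for the demo: a ZIP-style header followed by a few bytes that happen to contain a lone 0x0A and a 0x0D 0x0A pair.

```python
"""Added example (not part of the manual): ASCII-mode line-ending conversion vs binary
mode, applied to constructed file contents."""
import hashlib

LOCAL_EOL = {"unix": b"\n", "windows": b"\r\n"}  # line structure of each system


def ascii_mode_transfer(data: bytes, source_os: str, target_os: str) -> bytes:
    """Bytes the receiver stores after an ASCII-mode transfer from source_os to target_os."""
    on_the_wire = data.replace(LOCAL_EOL[source_os], b"\r\n")   # sender: local EOL -> CRLF
    return on_the_wire.replace(b"\r\n", LOCAL_EOL[target_os])    # receiver: CRLF -> local EOL


def binary_mode_transfer(data: bytes) -> bytes:
    """Binary (image) mode: bytes are copied as they are; nothing is interpreted."""
    return bytes(data)


def transfer_report(data: bytes, source_os: str, target_os: str) -> dict:
    """Compare what arrives in each mode with what was sent, using SHA-256."""
    sent = hashlib.sha256(data).hexdigest()
    received_ascii = ascii_mode_transfer(data, source_os, target_os)
    received_binary = binary_mode_transfer(data)
    return {
        "sent_bytes": len(data),
        "ascii_bytes": len(received_ascii),
        "ascii_intact": hashlib.sha256(received_ascii).hexdigest() == sent,
        "binary_intact": hashlib.sha256(received_binary).hexdigest() == sent,
    }


# Constructed sample: 'PK\x03\x04' magic plus bytes containing 0x0A and 0x0D 0x0A.
ARCHIVE = bytes.fromhex("504b0304 14000000 0800 0a00 0d0a 00ff")
# A real text file, where the conversion is the intended behaviour.
TEXT = b"line1\nline2\n"

if __name__ == "__main__":
    for src, dst in (("unix", "windows"), ("windows", "unix"), ("unix", "unix")):
        print(f"archive {src:>7} -> {dst:<7}", transfer_report(ARCHIVE, src, dst))
    print("text unix -> windows:", ascii_mode_transfer(TEXT, "unix", "windows"))
```

The 16-byte archive grows to 18 bytes when sent from Unix to Windows in ASCII mode and shrinks to 15 bytes in the other direction; the text file, by contrast, arrives with the line endings the target expects. Binary mode leaves both unchanged.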
3. SFTP

3.1 Introduction
SFTP (SSH File Transfer Protocol) is a file transfer protocol and a secure alternative to FTP. The
connection between client and server is encrypted and integrity-protected by SSH, so an outsider can
neither read the data in transit nor alter it unnoticed: SSH assures that data arrive complete and
unchanged from sender to receiver. Public-key authentication additionally lets the server verify the
identity of the client without a password being sent.
Attention: to correct common misconceptions, SFTP is not FTP over SSH (sometimes called "secure FTP"),
nor is it particularly like FTP at the protocol level. It should also not be confused with FTPS (FTP
over SSL/TLS).
The FDS SFTP server supports:
- SSH protocol version 2,
- SFTP protocol version 3,
- inbound SCP commands using the SSH/SCP protocol, as supported by OpenSSH. Note that SCP does not
support list, delete or rename,
- transfers of files of up to 10 gigabytes in size,
- 30 concurrent inbound connections from the same user account,
- user account locking for 30 minutes after 3 failed login attempts,
- SSH keys in OpenSSH, ssh.com and PuTTY format,
- more than one SSH key for each user account.
The FDS SFTP server does not support:
- SSH protocol version 1,
- interactive shell sessions,
- transfer resumption,
- change of password,
- change of file attributes,
- manipulation of the directory structure.
3.2 Public and private key
With the help of a cryptographic system, messages exchanged over a network can be digitally signed and
encrypted, and when the parameters (e.g. key length) are chosen carefully they will not be "cracked"
any time soon.
An asymmetric crypto-system is one in which each of the communicating parties has a key pair, composed
of a private key and a public key. The public key enables anyone to encrypt data for the holder of the
private key and to verify digital signatures. The private key enables its holder to decrypt data that
has been encrypted with the public key and to create digital signatures. SSH public-key authentication
uses exactly this: the server, which holds your public key, verifies a signature that only your
private key can produce.
The sender needs the public key of the recipient for each encrypted transmission. Since it is public,
it can be sent by e-mail, for example, or downloaded from a web site.
- The public key has to be sent to Swiss Post (in accordance with the instructions in the FDS letter
of confirmation) and is stored on the Swiss Post FDS server.
- The private key must remain on your computer and may NEVER be given to others!
- The key pair must be generated by the participant.
- FDS supports both "RSA" (Rivest-Shamir-Adleman) and "DSA" (Digital Signature Algorithm) keys.
- A minimum key length of 2048 bits is required. Note that OpenSSH's DSA key type (ssh-dss) is
limited to 1024 bits (ssh-keygen will not generate a larger one), so with OpenSSH only an RSA key can
meet this minimum.
- NOTE: It is highly recommended to protect the key file with a passphrase. This encrypts the private
key when it is saved in a secure location on the local machine, so that a copied key file alone is not
enough to log in. Using passphrases for batch SSH keys requires familiarity with the SSH agent
authentication subsystem. Participants should be aware that the use of strong encryption methods and
encrypted SSH keys is advisable but raises administration effort and system complexity.
3.2.1 Creating an SSH key pair with PuTTY
PuTTY is open source software for Microsoft Windows. It can be downloaded at http://www.putty.org .
Beside the SSH terminal client (putty.exe) and the SFTP client (psftp.exe), the suite contains
puttygen.exe, which generates key pairs.
Start PUTTYGEN. Check that SSH-2 (RSA or DSA) and at least 2048 bits are selected, then click
"Generate".
Move the cursor over the blank area to supply randomness. When it is ready, the window shows the
generated keys.
Select "Save public key", give the public key a name that makes sense, and save it.
Select "Save private key". It is highly recommended to protect the key file with a passphrase. This will
encrypt the private key when it is saved in a secure location on the local machine. Using passphrases
for batch SSH keys requires familiarity with the SSH agent authentication subsystem. Participants
should be aware that the use of strong encryption methods and encrypted SSH keys is advisable but will
raise administration effort and system complexity. In this example we will continue without
passphrase.
PLEASE NOTE: The private key must remain on your computer and may NEVER be given to others!
Give the private key a name that makes sense, and save it.
3.2.2 Creating an SSH key pair with OpenSSH
OpenSSH is available for any UNIX operating environment and common Linux distributions.
Further information about OpenSSH is available at: http://www.OpenSSH.com
Below is an example of the generation of a key pair using OpenSSH (ssh-keygen prompts for a
passphrase; see the note in 3.2 before leaving it empty):
ssh-keygen -b 4096 -t rsa -f /tmp/demo_key -C "comment for demo key"
Here is an example of a private key:
# cat /tmp/demo_key
-----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEAybf8vCaIZc8pSTgpbVUD3aBVC1AnKfBHIqGZA9E7w/TMcs9p
meOU4Nfb9vHqbxPtWlg/qFTG6xRcXhLCjWfE3rV5EQ3sBj3tvLQIZ89Sh/GG21si
< --- SNIP --- >
ACdBLStDxIURm03gmMcBhKHDq4owQlDyESva0LWhIaxFwHpzamOAbPYVqBMbqT38
Bc1eGl0EE4d3yyWoMLOpwbsbhbmjSUjVV4JeDpNciqADBK5mQ3HNGNyKNqQ=
-----END RSA PRIVATE KEY-----
And here is an example of a public key (this one is generated automatically with the ending .pub):
# cat /tmp/demo_key.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABA < --- SNIP --- > 6mEO5Gh28Vw== comment for demo key
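Before a public key like demo_key.pub is sent to Swiss Post, it is worth checking that it is what the requirements above ask for and recording its fingerprint. The following is an added example that is not part of the manual: it decodes the base64 blob of an OpenSSH "ssh-rsa" line (SSH wire format: the type string, the exponent e and the modulus n, each as length-prefixed field), reads off the modulus length, and computes the SHA256 fingerprint in the form `ssh-keygen -lf demo_key.pub` prints it, so the two can be compared. Only the standard library is used. The "demo" key built at the bottom is constructed to exercise the parser (its modulus is not a product of two primes) and is not a real key pair; the comment text is the one from the ssh-keygen call above.

```python
"""Added example (not part of the manual): check an OpenSSH public key line against the
FDS requirements (RSA, at least 2048 bits) and print its SHA256 fingerprint."""
import base64
import hashlib
import struct

MIN_BITS = 2048  # minimum required by FDS


def _read_string(blob: bytes, offset: int):
    """Read one SSH wire-format string: uint32 big-endian length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_public_key_line(line: str) -> dict:
    """Split 'ssh-rsa <base64 blob> [comment]' and decode the blob into type, e and n."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    wire_type, off = _read_string(blob, 0)
    if wire_type != key_type.encode():
        raise ValueError("type prefix and blob disagree")
    if key_type != "ssh-rsa":
        raise ValueError(f"not an RSA key: {key_type}")  # ssh-dss has a different layout
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data after the modulus")
    return {"type": key_type, "e": int.from_bytes(e_bytes, "big"),
            "n": int.from_bytes(n_bytes, "big"), "comment": comment, "blob": blob}


def key_bits(line: str) -> int:
    return parse_public_key_line(line)["n"].bit_length()


def fingerprint_sha256(line: str) -> str:
    """'SHA256:' + unpadded base64 of SHA-256 over the blob, as ssh-keygen -lf shows it."""
    digest = hashlib.sha256(parse_public_key_line(line)["blob"]).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def meets_fds_policy(line: str) -> bool:
    """True only for a well-formed RSA key of at least MIN_BITS."""
    try:
        return key_bits(line) >= MIN_BITS
    except ValueError:
        return False


# --- constructed demo key (NOT a real key pair; only exercises the parser) ---
def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:  # leading zero keeps the mpint positive
        raw = b"\x00" + raw
    return _ssh_string(raw)


def make_demo_key_line(bits: int, comment: str) -> str:
    n = (1 << (bits - 1)) | 1  # has exactly `bits` bits; not a product of two primes
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        line = make_demo_key_line(bits, "comment for demo key")
        verdict = "accepted" if meets_fds_policy(line) else "rejected"
        print(f"{key_bits(line):5d} bits  {fingerprint_sha256(line)}  {verdict}")
```

To check a real key, read the line from the .pub file and pass it to `meets_fds_policy()` and `fingerprint_sha256()`; the fingerprint must match what `ssh-keygen -lf` prints for the same file.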
4. Connection to FDS

4.1 Introduction
The FDS customer may use the file transfer client of their choice.
Our IT unit can only provide limited support for problems that occur with versions/software not listed
here, as well as for the implementation of transfer solutions.
The FDS server is reachable at the address fds.post.ch (Internet), fdsp.post.ch (leased lines) or
fds.pnet.ch (internal Post network).
The FDS protocols run on the standard ports (21 for FTP and 22 for SFTP).
Relevant details such as user name, directory names, file names, transmission schedule, etc. are
communicated during the ordering of the service by the respective customer services of the business
unit of Post CH Ltd.
Planned service maintenance is published on https://www.post.ch/fds
4.2 Test of the connection
The connection to FDS can be tested using telnet; the server sends its greeting as soon as the TCP
connection is open:
# telnet fds.post.ch 22
Trying fds.post.ch...
Connected to fds.post.ch.
Escape character is '^]'.
SSH-2.0-SFTP Server
# telnet fds.post.ch 21
Trying fds.post.ch...
Connected to fds.post.ch.
Escape character is '^]'.
220- Welcome to Swiss Post FDS FTP Server
220 Server ready for new user.
If the FDS server is not reachable, please make sure that your firewall does not block the connection.
In order to get efficient help from our side, it is important to provide all the needed information
(user name, error message, exact time of the connection concerned, file and directory names).
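The same two probes done from Python rather than by eye, as an added example that is not part of the manual. `parse_ssh_banner()` follows the identification-string format of RFC 4253 ("SSH-protoversion-softwareversion [comments]"), which is how to confirm that the server speaks the SSH-2 that FDS requires; `parse_ftp_reply()` follows the reply format of RFC 959, in which a first line of the form "220-" means the greeting continues until a line beginning "220 ". `probe()` is the live part and needs network access; the sample lines at the bottom are constructed from the telnet output above so that the parsers can be exercised offline. The host names are the ones from section 4.1.

```python
"""Added example (not part of the manual): read and parse the first thing the FDS SSH
and FTP servers say, instead of reading telnet output by eye."""
import socket

FDS_HOSTS = {"internet": "fds.post.ch", "leased line": "fdsp.post.ch", "post network": "fds.pnet.ch"}


def parse_ssh_banner(line: str) -> dict:
    """'SSH-2.0-SFTP Server' -> protocol '2.0', software 'SFTP', comment 'Server'."""
    line = line.rstrip("\r\n")
    if not line.startswith("SSH-"):
        raise ValueError(f"not an SSH identification string: {line!r}")
    ident, _, comment = line.partition(" ")
    parts = ident.split("-", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed identification string: {line!r}")
    return {"protocol": parts[1], "software": parts[2], "comment": comment}


def speaks_ssh2(banner: str) -> bool:
    """FDS only supports SSH-2; a '1.99' server also accepts SSH-2 clients."""
    return parse_ssh_banner(banner)["protocol"] in ("2.0", "1.99")


def parse_ftp_reply(lines) -> tuple:
    """Return (code, [text lines]) for one complete FTP reply. A first line 'ddd-'
    starts a multi-line reply that ends with a line starting 'ddd ' (same code, space)."""
    first = lines[0].rstrip("\r\n")
    code = first[:3]
    if len(first) < 4 or not code.isdigit() or first[3] not in "- ":
        raise ValueError(f"malformed FTP reply line: {first!r}")
    text = [first[4:].strip()]
    if first[3] == " ":
        return int(code), text
    for line in lines[1:]:
        line = line.rstrip("\r\n")
        if line.startswith(code + " "):
            text.append(line[4:].strip())
            return int(code), text
        text.append(line[4:].strip() if line.startswith(code + "-") else line.strip())
    raise ValueError("multi-line reply is not terminated")


def probe(host: str, port: int, timeout: float = 5.0) -> list:
    """Live check (needs network): connect and return the server's greeting lines. Reads
    until the SSH banner line, or a complete FTP reply, has arrived."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        buf = b""
        while True:
            chunk = sock.recv(1024)
            if not chunk:
                raise ConnectionError("connection closed before a greeting arrived")
            buf += chunk
            lines = buf.decode("ascii", errors="replace").split("\n")[:-1]  # complete lines only
            if not lines:
                continue
            if port == 22:
                return lines[:1]
            try:
                parse_ftp_reply(lines)
                return lines
            except ValueError:
                continue  # multi-line greeting still incoming


# Constructed from the telnet output in the text.
SSH_GREETING = "SSH-2.0-SFTP Server\r\n"
FTP_GREETING = ["220- Welcome to Swiss Post FDS FTP Server\r\n", "220 Server ready for new user.\r\n"]

if __name__ == "__main__":
    print(parse_ssh_banner(SSH_GREETING), speaks_ssh2(SSH_GREETING))
    print(parse_ftp_reply(FTP_GREETING))
    # Live use: print(probe(FDS_HOSTS["internet"], 22)); print(probe(FDS_HOSTS["internet"], 21))
```

If `probe()` raises a timeout or connection error where telnet also shows nothing, the problem is on the network path (firewall, proxy, DNS), not in the client configuration; include the exact time of the attempt when asking for help.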
5. FileZilla

5.1 Importing a key with FileZilla
In FileZilla you can import keys in PuTTY format as well as in OpenSSH format.
Start FileZilla => Edit => Settings => SFTP => Add keyfile ... (then select the correct private key
file).
A (yellow) line in the key list indicates that the key has been imported successfully.
5.2 Automatic import with PuTTY's Pageant
"Pageant" (PuTTY authentication agent) is an SSH agent: it holds private keys in memory and answers
the authentication requests of local programs that need them, so the key file and its passphrase do
not have to be handled by each program separately. The interface is open, meaning that other programs
(FileZilla among them) can connect to the service provided by Pageant.
Start PAGEANT.EXE
Pageant embeds itself in the system tray on the right, next to the quick-launch bar, and shows all the
keys that are loaded in Pageant. This icon appears in the task bar.
Once it has been opened, the "Pageant Key List" window opens, which at this point is still empty.
Select the private key (*.ppk) via "Add Key" and confirm by clicking "Open". Only keys in PuTTY
format will be accepted here.
If the key appears as in the following example, it has been imported correctly and is now held in the
computer's memory. Diverse "SSH programs" and above all FileZilla now have direct access to the key
from memory. Note that any program running under your Windows account can use a loaded key, so lock
your screen when you leave and close Pageant when the key is no longer needed.
5.3 Notes on FileZilla
Swiss Post also uses an IDS/IPS system as one of its protection mechanisms. To avoid being locked out,
we recommend limiting the number of simultaneous transfers to one or two at the most!
6. CuteFTP

6.1 Importing a key with CuteFTP
=> Tools => Global Options
In "Security", select "SSH2 Security" and activate the "Use public key authentication" field.
In "Public key path", click the folder button and select the correct public key (.pub).
In "Private key path", click the folder button and select the correct private key (.ppk).
Both keys are now shown as correctly imported.
For an automatic login without a password, disable the "Use password authentication" field.
7. WS_FTP Professional

7.1 Importing a key with WS_FTP Professional
Select => Options => SSH => Client Keys.
Select => Import => Public Key ..., here select MUSTER.pub, followed by "Open", then => Next ...
Select => Private Key ..., here select MUSTER.ppk, followed by "Open", then => Next ... and click
"Finish".
8. WinSCP

8.1 Importing a key with WinSCP
Click the "Open" field and select the private key!
A (yellow) line indicates that the key has been imported successfully ... and login to the FDS system
works smoothly!
8.2 Notes on WinSCP
If you have problems with permissions after transferring files (the FDS server does not allow file
attributes to be changed, so WinSCP's attempt to set them fails), this can be rectified under
"Preferences" ... "Transfer": disable the "Set permissions" option and activate the "Ignore
permission errors" field.
9. Total Commander
To ensure that Total Commander functions flawlessly, the option "Compress during transfer" must not be
activated!
Configuration => Options => FTP: disable "Compress during transfer" and apply!
10. Microsoft DOS client
An FTP session (not SFTP) can also be opened from the Windows command prompt ("DOS" window) with
ftp.exe; note, however, that this client does not implement passive mode, so it will usually fail
behind a firewall or proxy (see 2.1.1).