File transfer clients manual
File Delivery Services

Publisher: Post CH Ltd, Information Technology, Webergutstrasse 12, CH-3030 Berne (Zollikofen)
Contact: Post CH Ltd, Information Technology, Webergutstrasse 12, CH-3030 Berne (Zollikofen), IT261 FDS Operation, E-mail: [email protected]
Version 3.0 / May 2014
Download the latest version from: https://www.post.ch/fds

File transfer clients manual Version 3.0 / May 2014 / © Post CH Ltd 2/30

Table of contents

1. General ........ 4
1.1 Purpose ........ 4
1.2 Definitions, acronyms and abbreviations ........ 4
1.3 Names, prices, versions, etc. ........ 4
2. FTP ........ 5
2.1 Brief overview ........ 5
2.1.1 Active FTP ........ 5
2.1.2 Passive FTP (recommended!) ........ 6
2.2 The "FTP command": SITE ........ 7
2.3 Transmitting data in ASCII and/or binary mode ........ 7
3. SFTP ........ 8
3.1 Introduction ........ 8
3.2 Public and private key ........ 8
3.2.1 Creating an SSH key pair with PuTTY ........ 9
3.2.2 Creating an SSH key pair with OpenSSH ........ 12
4. Connection to FDS ........ 13
4.1 Introduction ........ 13
4.2 Test of the connection ........ 13
5. FileZilla ........ 14
5.1 Importing a key with FileZilla ........ 14
5.2 Automatic import with PuTTY's Pageant ........ 15
5.3 Notes on FileZilla ........ 17
6. CuteFTP ........ 18
6.1 Importing a key with CuteFTP ........ 18
7. WS_FTP Professional ........ 22
7.1 Importing a key with WS_FTP Professional ........ 22
8. WinSCP ........ 27
8.1 Importing a key with WinSCP ........ 27
8.2 Notes on WinSCP ........ 28
9. Total Commander ........ 29
10. Microsoft DOS client ........ 30

1. General

1.1 Purpose
FDS customers use very different software clients and scripts to transfer data. To keep this variety of clients manageable, we have decided to test those that are used most and to describe their most important functions, and thus to restrict usage and support to these areas.
1.2 Definitions, acronyms and abbreviations

Word    Definition
FTP     File Transfer Protocol.
        Active: The FTP client establishes a connection between a high port (1024-65535) and port 21 of the server. The FTP server subsequently establishes a connection from port 20 to the client, again to a high port.
        Passive: The FTP client starts the connection to the FTP server from a high port (1024-65535) to port 21 of the server. The data channel is likewise established from a high port of the client to the FTP server, meaning that the FTP server never establishes a connection to the client!
SSH     SSH or Secure Shell refers both to a network protocol and to the programmes that are used to establish an encrypted connection with a remote computer in a secure manner.
SCP     Secure CoPy or SCP is a protocol for the encrypted transmission of data between two computers in a computer network.
SFTP    SFTP or SSH File Transfer Protocol is a further development of SCP and enables the secure transmission of data to remote systems.
PuTTY   PuTTY is a free SSH client, developed by Simon Tatham for Microsoft Windows, Mac OS and Unix.

1.3 Names, prices, versions, etc.

Software                                    | Price   | Version* (05'2014) | FTP | SFTP (SSH)       | URL
FileZilla (filezilla project) (recommended) | free    | 3.8.0              | yes | yes              | https://filezilla-project.org/
CuteFTP Professional (globalSCAPE)          | charged | 9.0                | yes | yes              | http://www.cuteftp.com/
WS_FTP Professional (Ipswitch)              | charged | 12.4               | yes | yes              | http://www.ipswitchft.com/
WinSCP                                      | free    | 5.5.2              | yes | yes              | http://winscp.net
Total Commander                             | free    | 8.50               | yes | only with plugin | http://www.ghisler.com/

* Although previous and future versions of this software, like other SFTP and FTP clients, should generally work with FDS without problems, our IT unit can only provide limited support for problems that occur with versions/software not listed here.

2. FTP

2.1 Brief overview
The FTP protocol comes from the early days of the Internet, which was quite different from what it is today. At that time, data simply needed to be transmitted from one computer to another; there was no need for virus scanners and firewalls. The original FTP protocol therefore has a characteristic that is sometimes problematic in combination with some firewalls. To get round the typical FTP problems, a modified form of the protocol has been developed, known as "Passive FTP". This is particularly an issue in relation to firewalls and Internet access. Typically, the FTP service uses two ports rather than one: port 21 for control (control port) and port 20 for the data (data port).

The main problem of FTP, however, is its lack of security: all data, including username and password, are transmitted in clear text. For this reason, FTP must not be used to exchange sensitive data.

The FDS FTP server supports:
- transfers of files 10 Gigabytes in size
- 30 concurrent inbound connections from the same user account
- user account locking for 30 minutes after 3 failed attempts
- change of password with the SITE command

The FDS FTP server does not support:
- transfer resumption
- change of file attributes
- manipulation of the directory structure

2.1.1 Active FTP
Active FTP is the "original FTP protocol". It only began to be referred to as "active" after "Passive FTP" had been developed. FTP is a service based on TCP and is characterised by one feature: FTP uses two ports! One port is the "command" port and the other is the "data" port. Port 21 is used for control purposes (command) and port 20 for the data. If a client wants to connect to an FTP server, it opens a random unprivileged port (= all ports > 1024), connects to the "command" port 21 of the server and communicates the number of the port on which it wants to receive data. This is usually port number N+1.
Example: The client opens port 1226 and sends the message "I'm expecting data at port 1227" to port 21 on the server. The server acknowledges the message and the client opens port 1227 to "listen". The server now opens its data port 20 and sends data to port 1227 of the client. The client acknowledges receipt of each TCP packet, as expected.

For a firewall this is a rather suspect procedure. Firewalls block requests from outside; they only accept TCP packets from outside if the receiving port has requested them. The FTP process is different. First, a port (1227) is suddenly opened in "listening mode" without any request having been sent from it. Next, port 20 of the server sends data that was never requested from this port (the request originally came from port 1226). At this point the firewall blocks any further communication. This is the problem you encounter when you are behind a proxy or firewall. Good firewalls recognise an FTP transfer and do not attempt to prevent it from taking place; problems frequently occur in combination with proxies. To get around these problems an alternative form of FTP transfer has been developed, known as "Passive FTP".

2.1.2 Passive FTP (recommended!)
This mode is also known as "PASV mode", because the FTP command PASV tells the server that passive mode is required. In contrast to active mode, the client opens both connections to the server. This solves the firewall problem, because both connections are initiated from the client side and the firewall therefore sees them as requested. How this kind of passive connection is established is described below.

If the client wants a connection to an FTP server, it opens two unprivileged ports > 1024, e.g. ports 1026 and 1027. Next, the first port contacts the server via its "command" port 21.
However, instead of telling the server, via its command port, at which port the data from data port 20 is expected, the client sends the PASV command. The server now does not know which client port will receive the data, but it does know that the client has requested a passive connection. This explains the term "passive": from the server's point of view, passive means that it cannot start actively sending data to a port opened by the client. The server therefore does not send any data via its port 20, but opens another port > 1024 and sends this port number to the client via the FTP command PORT. The client is now in the position to direct what happens. It knows the unprivileged port that the server has opened for data traffic in place of port 20, and requests the data from port 1027 (in our example). This cannot confuse the firewall, as the data traffic that now takes place is initiated by the client itself from port 1027.

2.2 The "FTP command": SITE
With the SITE command (site parameters) the server is able to offer special services that are not part of the FTP protocol. Such a service is needed, for example, to change passwords (cpwd):

Example:

    site cpwd <new-password>

Depending on the client, you may have to type the command as follows:

    quote site cpwd <new-password>

PLEASE NOTE: This only works with FTP, not with SFTP!

2.3 Transmitting data in ASCII and/or binary mode
When files are transferred we differentiate between two modes: ASCII mode, which is exclusively for text files, and binary mode, which is for all other files. In ASCII mode, the line structure of the source computer is converted to the line structure of the target computer, during which code conversion can also take place (e.g. EBCDIC --> ASCII). In binary mode, the file is transmitted byte by byte, which is important with regard to archive files.
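Returning to the two modes of 2.1.1 and 2.1.2: the following Python snippet is an added example, not part of the manual, that shows the port encoding behind both modes. In active mode the client's PORT command announces where it listens (port 1227 in the manual's example); in passive mode the server answers PASV with a 227 reply that carries the address and the unprivileged data port it has opened instead of port 20, in the same six-number encoding. The sample reply and the addresses are constructed, and the function names are the author's own.

```python
import ipaddress
import re

# Constructed sample of a server's answer to PASV (not a capture from the
# FDS server): host 198.51.100.7, data port 200*256 + 17 = 51217.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (198,51,100,7,200,17)"

SIX_FIELDS = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def encode_hostport(host, port):
    """IPv4 address and port as the six comma-separated fields FTP uses."""
    if not 0 < port < 65536:
        raise ValueError("port %d out of range" % port)
    octets = str(ipaddress.IPv4Address(host)).split(".")
    # the port travels as high byte, low byte
    return ",".join(octets + [str(port // 256), str(port % 256)])


def decode_hostport(text):
    """Inverse of encode_hostport: (host, port) from the six-field group."""
    m = SIX_FIELDS.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 group in %r" % text)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % text)
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def build_port_command(client_host, client_data_port):
    """Active FTP (2.1.1): the client announces the port it listens on;
    the server then connects to it from its data port 20."""
    return "PORT " + encode_hostport(client_host, client_data_port)


def parse_pasv_reply(line):
    """Passive FTP (2.1.2): the 227 reply names the port > 1024 that the
    server has opened in place of port 20; the client connects to it."""
    if not line.startswith("227"):
        raise ValueError("expected a 227 reply, got %r" % line)
    return decode_hostport(line)


def data_connection(mode, client, server):
    """Which side opens the data connection, which is what a firewall judges.
    client and server are (host, port) pairs of the data endpoints."""
    if mode == "active":
        return {"from": (server[0], 20), "to": client}   # server -> client
    if mode == "passive":
        return {"from": client, "to": server}            # client -> server
    raise ValueError("unknown mode %r" % mode)


if __name__ == "__main__":
    # the manual's numbers: client command port 1226, data port 1227 (active)
    print(build_port_command("192.0.2.10", 1227))
    host, port = parse_pasv_reply(SAMPLE_PASV_REPLY)
    print("passive data connection from client port 1027 to %s:%d" % (host, port))
    print(data_connection("active", ("192.0.2.10", 1227), ("198.51.100.7", 21)))
    print(data_connection("passive", ("192.0.2.10", 1027), (host, port)))
```

The `data_connection` result is the whole firewall argument in one line: in active mode the connection arrives from the server's port 20 at a client port that nothing requested, in passive mode every connection is opened by the client.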
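As an added example of the hazard described in 2.3 (not code from the manual), the following Python snippet models an ASCII-mode transfer of a small constructed "binary" payload next to a binary-mode transfer and compares the result by hash. The payload, the function names and the assumption of a Windows sender and a Unix receiver as defaults are the author's own.

```python
import hashlib

# Constructed sample payload (not a real archive): a fake four-byte header
# followed by bytes that happen to form CR LF, a lone LF and a lone CR.
SAMPLE_BINARY = b"\x1f\x8b\x08\x00" + b"\r\n" + b"A\nB\rC" + b"\xff\x00"


def transfer(data, mode, sender_eol=b"\r\n", receiver_eol=b"\n"):
    """Model of an FTP transfer in the two modes of section 2.3.

    binary: the file is copied byte by byte, nothing is touched.
    ascii:  the sender rewrites its native line ending to CR LF on the wire
            and the receiver rewrites CR LF to its own native line ending.
            The defaults model a Windows sender and a Unix receiver, where
            every CR LF in the payload silently loses a byte.
    """
    if mode == "binary":
        return data
    if mode != "ascii":
        raise ValueError("unknown mode %r" % mode)
    on_wire = data.replace(sender_eol, b"\r\n")
    return on_wire.replace(b"\r\n", receiver_eol)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def intact_after_transfer(data, mode, **eols):
    """True when the received bytes hash to the same value as the original."""
    return sha256_hex(transfer(data, mode, **eols)) == sha256_hex(data)


if __name__ == "__main__":
    for mode in ("binary", "ascii"):
        received = transfer(SAMPLE_BINARY, mode)
        print(mode, len(SAMPLE_BINARY), "->", len(received), "bytes,",
              "intact" if intact_after_transfer(SAMPLE_BINARY, mode) else "CORRUPTED")
    # the other direction inserts bytes instead of dropping them
    grown = transfer(SAMPLE_BINARY, "ascii", sender_eol=b"\n", receiver_eol=b"\r\n")
    print("unix -> windows ascii:", len(SAMPLE_BINARY), "->", len(grown), "bytes")
```

Comparing a hash of the file before and after the transfer, as `intact_after_transfer` does, is the practical check: a byte count alone would not reveal a transfer that both dropped and inserted bytes.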
Binary files have to be transmitted in binary mode to ensure that random byte combinations which happen to look like a line break (and would be converted in ASCII mode) are not changed by accident, which in the worst case would render the binary file useless.

3. SFTP

3.1 Introduction
SFTP (SSH Secure File Transfer Protocol) is a file transfer protocol and a secure alternative to FTP. The connection between client and server is encrypted, making it impossible for an outsider to observe and collect the data. By using public-key authentication, the integrity and confidentiality of the exchanged data is ensured. SSH assures that data arrive complete and unchanged from sender to receiver.

Attention, to correct common misconceptions: SFTP is not FTP over SSH (sometimes called Secure FTP), nor is it particularly like FTP at the protocol level. It should also not be confused with FTPS (FTP over SSL).

The FDS SFTP server supports:
- version 2 SSH
- version 3 SFTP protocol
- inbound SCP commands using the SSH/SCP protocol, as supported by OpenSSH. Note that SCP does not support list, delete or rename
- transfers of files 10 Gigabytes in size
- 30 concurrent inbound connections from the same user account
- user account locking for 30 minutes after 3 failed attempts
- SSH keys in OpenSSH, ssh.com and PuTTY format
- more than 1 SSH key for each user account

The FDS SFTP server does not support:
- version 1 SSH
- interactive shell sessions
- transfer resumption
- change of password
- change of file attributes
- manipulation of the directory structure

3.2 Public and private key
With the help of an encryption system, messages can be digitally signed and encrypted within a network, and when the parameters are chosen carefully (e.g. key length) they will not be "cracked" any time soon. An asymmetric crypto-system is a type of encryption in which each of the communicating parties has a key pair.
This pair is composed of a private key and a public key. The public key enables anyone to encrypt data for the holder of the private key and to verify digital signatures. The private key enables its holder to decrypt data that has been encrypted with the public key and to generate digital signatures. The sender therefore needs the public key of the recipient for each encrypted transmission; it can be sent by e-mail, for example, or downloaded from a web site.

- The public key has to be sent to Swiss Post (in accordance with the instructions in the FDS letter of confirmation) and is stored on the Swiss Post FDS server.
- The private key must remain on your computer and may NEVER be given to others!
- The key pair must be generated by the participant.
- FDS supports both "RSA" (Rivest-Shamir-Adleman) and "DSA" (Digital Signature Algorithm) key algorithms.
- A minimum of 2048 bits is required for the generated key.
- NOTE: It is highly recommended to protect the key file with a passphrase. This encrypts the private key when it is saved in a secure location on the local machine. Using passphrases for batch SSH keys requires familiarity with the SSH agent authentication subsystem. Participants should be aware that the use of strong encryption methods and encrypted SSH keys is advisable but will raise administration effort and system complexity.

3.2.1 Creating an SSH key pair with PuTTY
PuTTY is open source software for Microsoft Windows. It can be downloaded at http://www.putty.org. Besides an SFTP client (putty.exe), PuTTYgen offers the possibility to generate key pairs.
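Before the PuTTYgen and OpenSSH walkthroughs, here is an added example (not code from the manual or from the FDS service) of checking a public key file against the requirements in 3.2: RSA or DSA, at least 2048 bits. The script parses the OpenSSH `.pub` line format with the standard library only and reports the algorithm and key size; the sample key line it builds has a constructed modulus that is not a real key and is only there to give the parser a blob of a known size. Function names are the author's own.

```python
import base64
import struct


def _ssh_string(payload: bytes) -> bytes:
    """Encode a length-prefixed SSH string (RFC 4251)."""
    return struct.pack(">I", len(payload)) + payload


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw   # keep the number positive in two's complement
    return _ssh_string(raw)


def _read_string(blob: bytes, offset: int):
    """Decode one length-prefixed field; returns (payload, next_offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def inspect_public_key(line: str) -> dict:
    """Parse one line in OpenSSH .pub / authorized_keys format.

    Returns the algorithm, the size in bits of the RSA modulus or DSA
    prime p, and the comment. Only ssh-rsa and ssh-dss, the two algorithms
    FDS accepts, are decoded.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    inner, off = _read_string(blob, 0)
    if inner.decode("ascii") != key_type:
        raise ValueError("type field %r does not match blob %r" % (key_type, inner))
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)     # public exponent
        n, off = _read_string(blob, off)      # modulus sets the key size
        bits = int.from_bytes(n, "big").bit_length()
    elif key_type == "ssh-dss":
        p, off = _read_string(blob, off)      # prime p sets the key size
        bits = int.from_bytes(p, "big").bit_length()
    else:
        raise ValueError("unsupported key type %s" % key_type)
    return {"type": key_type, "bits": bits, "comment": comment}


def meets_fds_requirements(info: dict, minimum_bits: int = 2048) -> bool:
    """Section 3.2: RSA or DSA with at least 2048 bits."""
    return info["type"] in ("ssh-rsa", "ssh-dss") and info["bits"] >= minimum_bits


def make_demo_rsa_key_line(bits: int, comment: str) -> str:
    """Build a syntactically valid ssh-rsa line with a CONSTRUCTED modulus.

    The modulus is not a product of two primes and the line cannot be used
    for authentication; it only exercises the parser at a known size.
    """
    e = 65537
    n = (1 << (bits - 1)) | 1
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


if __name__ == "__main__":
    for size in (1024, 2048, 4096):
        info = inspect_public_key(make_demo_rsa_key_line(size, "demo %d" % size))
        print(info, "OK" if meets_fds_requirements(info) else "REJECT")
```

Run against a real file, `inspect_public_key(open("demo_key.pub").read())` gives the same answer as `ssh-keygen -l -f demo_key.pub`, which is the quicker check when OpenSSH is at hand; the value of the script is that it shows what that size actually is (the modulus length) and that a 1024-bit key is rejected before it is sent to Swiss Post.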
- Start PUTTYGEN.
- Check that SSH-2 (RSA or DSA) and at least 2048 bits are selected, then click "Generate".
- Move the cursor over the blank area. When generation is finished, the window shows the keys.
- Select "Save public key", give the public key a meaningful name and save it.
- Select "Save private key". It is highly recommended to protect the key file with a passphrase (see the note in 3.2); in this example we continue without a passphrase.
  PLEASE NOTE: The private key must remain on your computer and may NEVER be given to others!
- Give the private key a meaningful name and save it.

3.2.2 Creating an SSH key pair with OpenSSH
OpenSSH is available for any UNIX operating environment and for common Linux distributions.
Further information about OpenSSH is available at http://www.OpenSSH.com

Below is an example of the generation of a key pair using OpenSSH:

    ssh-keygen -b 4096 -t rsa -f /tmp/demo_key -C "comment for demo key"

Here is an example of a private key:

    # cat /tmp/demo_key
    -----BEGIN RSA PRIVATE KEY-----
    MIIJKAIBAAKCAgEAybf8vCaIZc8pSTgpbVUD3aBVC1AnKfBHIqGZA9E7w/TMcs9p
    meOU4Nfb9vHqbxPtWlg/qFTG6xRcXhLCjWfE3rV5EQ3sBj3tvLQIZ89Sh/GG21si
    < --- SNIP --- >
    ACdBLStDxIURm03gmMcBhKHDq4owQlDyESva0LWhIaxFwHpzamOAbPYVqBMbqT38
    Bc1eGl0EE4d3yyWoMLOpwbsbhbmjSUjVV4JeDpNciqADBK5mQ3HNGNyKNqQ=
    -----END RSA PRIVATE KEY-----

And here is an example of a public key (this one is generated automatically, with the ending .pub):

    # cat /tmp/demo_key.pub
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABA < --- SNIP --- > 6mEO5Gh28Vw== comment for demo key

4. Connection to FDS

4.1 Introduction
The FDS customer may use the file transfer client of their choice. Our IT unit can only provide limited support for problems that occur with versions/software not listed here, as well as for the implementation of transfer solutions.

The FDS server is reachable at the address fds.post.ch (internet), fdsp.post.ch (leased lines) or fds.pnet.ch (internal Post network). The FDS protocols run on the standard ports (21 for FTP and 22 for SFTP). Relevant details such as user name, directory names, file names, transmission schedule, etc. are communicated during service ordering by the respective customer services of the business unit of Post CH Ltd. Planned service maintenance is published on https://www.post.ch/fds

4.2 Test of the connection
The connection to FDS can be tested using telnet:

    # telnet fds.post.ch 22
    Trying fds.post.ch...
    Connected to fds.post.ch.
    Escape character is '^]'.
    SSH-2.0-SFTP Server

    # telnet fds.post.ch 21
    Trying fds.post.ch...
    Connected to fds.post.ch.
    Escape character is '^]'.
    220- Welcome to Swiss Post FDS FTP Server
    220 Server ready for new user.

If the FDS server is not reachable, please make sure that your firewall does not block the connection. In order to receive efficient help from our side, it is important to provide all the necessary information (user name, error message, exact time of the connection concerned, file and directory names).

5. FileZilla

5.1 Importing a key with FileZilla
In FileZilla you can import keys in PuTTY format as well as in OpenSSH format.

Start FileZilla => Edit => Settings => SFTP => Add keyfile ... (then select the correct private key file)

A (yellow) status line indicates that the key has been imported successfully.

5.2 Automatic import with PuTTY's Pageant
"Pageant" (PuTTY authentication agent) is an SSH agent which can be used to pass on SSH authentications. Pageant holds imported keys in memory and makes them available to local programmes on request. The interface is open, meaning that other programmes can connect to this service provided by Pageant.

Start PAGEANT.EXE. Pageant embeds itself in the System Tray (at the right, below the Quickstart bar) and shows all the sessions saved in Pageant; an icon appears in the task bar. Once it has been opened, the "Pageant Key List" window appears, which at this point is still empty. Select the private key (*.ppk) via "Add Key" and confirm by clicking "Open". Only keys in PuTTY format are accepted here. If the key is listed in the window it has been imported correctly and is now held in the computer's memory. Various "SSH programmes", and above all FileZilla, now have direct access to the key from memory.
5.3 Notes on FileZilla
Swiss Post also uses an IDS/IPS system as one of its protection mechanisms. To avoid being locked out, we recommend limiting the number of simultaneous transmissions to one or two at the most!

6. CuteFTP

6.1 Importing a key with CuteFTP
- => Tools => Global Options
- In Security: select "SSH2 Security"! Activate the "Use public key authentication" field.
- In "Public key path" click "Folder" ... and select the correct key (.pub).
- In "Private key path" click "Folder" ... and select the correct private key (.ppk).
- Both keys are now correctly imported.
- ... and for an automatic login without a password: disable the "Use password authentication" field!

7. WS_FTP Professional

7.1 Importing a key with WS_FTP Professional
- Select => Options => SSH and => Client Keys
- Select => Import => Public Key ...
- => here select: MUSTER.pub, followed by "Open" ... => Next ...
- Select => Private Key ... => here select: MUSTER.ppk, followed by "Open" ...
- => Next ... click "Finish"

8. WinSCP

8.1 Importing a key with WinSCP
Click the "Open" field and select the private key!
A (yellow) status line indicates that the key has been imported successfully ... and login to the FDS system works smoothly!

8.2 Notes on WinSCP
If you have problems with permissions after transmitting files, this can be rectified under "Preferences" ... "Transfer": disable the "Set permissions" option and activate the "Ignore permission errors" field.

9. Total Commander
To assure flawless functioning of Total Commander, the configuration option "Compress during transfer" must not be activated!

Configuration => Options => FTP: disable "Compress during transfer" and apply!

10. Microsoft DOS client
An FTP (not SFTP) connection can also be established from the "DOS" window (command prompt); however, in this case passive mode is not implemented!