Secure SFTP Configuration

Introduction

The “SFTP” abbreviation is often mistakenly used to specify some kind of Secure FTP, by which people most often mean FTPS. Another (similar) mistake is that SFTP is thought to be some kind of FTP over SSL. In fact, SFTP is an abbreviation of “SSH File Transfer Protocol.” This is not FTP over SSL and not FTP over SSH (which is also technically possible, but very rare).

SFTP is a binary protocol, the latest version of which is standardized in RFC 4253. All commands (requests) are packed to binary messages and sent to the server, which replies with binary reply packets. In later versions, SFTP has been extended to provide not just file upload/download operations, but also some file-system operations, such as file lock, symbolic link creation, and so forth.

Both FTPS and SFTP use a combination of an asymmetric algorithm (RSA, DSA), a symmetric algorithm (DES/3DES, AES, Twofish and so on), and a key-exchange algorithm. For authentication, FTPS (or, to be more precise, the SSL/TLS protocol under FTP) uses X.509 certificates, whereas SFTP (the SSH protocol) uses SSH keys.

X.509 certificates include the public key and certain information about the certificate owner. This information lets the other side verify the integrity of the certificate itself and the authenticity of the certificate owner. Verification can be done both by computer and, to some extent, by a human. An X.509 certificate has an associated private key that is usually stored separately from the certificate for security reasons.

An SSH key contains only a public key (the associated private key is stored separately). It doesn't contain any information about the owner of the key, nor any information that lets one reliably validate its integrity and authenticity. Some SSH software implementations use X.509 certificates for authentication, but in fact they don't validate the whole certificate chain—only the public key is used (which makes such authentication incomplete and similar to SSH key authentication).

SFTP Pros:

  • Has good standards background that strictly defines most (if not all) aspects of operations
  • Has only one connection (no need for DATA connection)
  • The connection is always secured
  • The directory listing is uniform and machine-readable
  • The protocol includes operations for permission and attribute manipulation, file locking, and more functionality

SFTP Cons:

  • The communication is binary and can't be logged “as is” for human reading
  • SSH keys are harder to manage and validate
  • The standards define certain things as optional or recommended, which leads to certain compatibility problems between different software titles from different vendors
  • No server-to-server copy and recursive directory removal operations
  • No built-in SSH/SFTP support in VCL and .NET frameworks

Basic Configuration Steps

  1. Generate Self-Signed Certificate & Private Key.
  2. Copy & Paste Certificate into XigmaNAS WebGUI Tab> System|General Setup.
  3. Copy & Paste Private Key into XigmaNAS WebGUI Tab> System|General Setup.
  4. Configure XigmaNAS User Account for SFTP, see SUG Section 7.1-User Management
  5. Connect with a Secure Client, e.g. FileZilla.

1. Self-signed SSL certificate and private key

In cryptography and computer security, a self-signed certificate is an identity certificate that is signed by its own creator. That is, the person who created the certificate also signed off on its legitimacy. Within the X.509 PKI model, trust in such a certificate therefore rests on nothing more than the decision to trust it; there is no third-party chain to verify.

Generate Certificate in Windows.

Windows solution via abylon SELFCERT.

Download abylon SELFCERT from Abylonsoft
Install and run the program.
Create a certificate, and open the *.pem file.

Other ways to create a certificate and private key in Windows are also available.

Generate Certificate in Linux.

Linux solution via OpenSSL.

Generate a self-signed HTTPS certificate and private key in a terminal (CLI).

# Writes the unencrypted private key (-nodes) followed by the certificate into one file.
# SHA-256 and a 2048-bit RSA key replace the older sha1/rsa:1024 parameters, which are below current minimum strengths.
openssl req -new -x509 -nodes -sha256 -days 365 -newkey rsa:2048 > nas4freekb.cert


Sample session using openssl to create certificate shown above.

2. Copy & Paste Certificate

Windows

Open the certificate file using Notepad or WordPad and copy (Ctrl+C) the Certificate section (from the BEGIN CERTIFICATE line through the END CERTIFICATE line).

Warning - Make no changes and do not save the file in Windows; doing so will change the *nix line endings (LF) to Windows line endings (CRLF) and possibly damage the data.

Linux

cat the certificate file, select the contents and copy (Ctrl+C) or (Shift+Ctrl+C) depending on your terminal.

Paste the certificate (Ctrl+V) to WebGUI Tab> System|General Setup > WebGUI section > Certificate.

Important - Certificate and Private Key text boxes are only available if you are using HTTPS as the WebGUI Protocol.

3. Copy & Paste Private Key

Windows

Open the certificate file using Notepad or WordPad and copy (Ctrl+C) the Private Key section (from the BEGIN PRIVATE KEY line through the END PRIVATE KEY line).

Warning - Make no changes and do not save the file in Windows; doing so will change the *nix line endings (LF) to Windows line endings (CRLF) and possibly damage the data.

Linux

cat the private key file, select the contents and copy (Ctrl+C) or (Shift+Ctrl+C) depending on your terminal.

Paste the private key (Ctrl+V) to WebGUI Tab> System|General Setup > WebGUI section > Private Key.

Important - Certificate and Private Key text boxes are only available if you are using HTTPS as the WebGUI Protocol.
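The openssl command in step 1 writes the private key and the certificate into a single file, and the warnings above describe how a Windows editor can damage it. The following check is an added example, not part of the original article or of XigmaNAS: it splits such a file into its PEM blocks, normalises CRLF line endings back to LF and verifies that each block still decodes as base64 before you paste it. The PEM contents are constructed placeholders, not a real key or certificate.

```python
import base64
import binascii
import re

# Constructed sample of the combined file the openssl command writes
# (key first, then certificate), saved with Windows CRLF line endings.
# The base64 bodies are placeholders, not a real key or certificate.
SAMPLE_PEM = (
    "-----BEGIN PRIVATE KEY-----\r\n"
    "MIIBVwIBADANBgkqhkiG9w0BAQEFAASCAUEwggE9AgEAAkEA\r\n"
    "-----END PRIVATE KEY-----\r\n"
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIBszCCAV2gAwIBAgIJAKZ1\r\n"
    "-----END CERTIFICATE-----\r\n"
)

# One PEM block: BEGIN line, body, END line carrying the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)

def check_pem_file(text):
    """Return a list of problems that would break the paste into the WebGUI."""
    problems = []
    if "\r\n" in text:
        problems.append("CRLF line endings (file was saved by a Windows editor)")
    blocks = {m.group(1): m.group(2) for m in PEM_BLOCK.finditer(text)}
    for wanted in ("CERTIFICATE", "PRIVATE KEY"):
        # "RSA PRIVATE KEY" (older openssl output) also satisfies "PRIVATE KEY"
        if not any(wanted in label for label in blocks):
            problems.append(f"no {wanted} block found")
    for label, body in blocks.items():
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append(f"{label} body is not valid base64")
    return problems

def split_pem(text):
    """Return {label: block} with each block rebuilt using LF line endings."""
    blocks = {}
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2).replace("\r\n", "\n")
        blocks[label] = f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"
    return blocks

if __name__ == "__main__":
    print(check_pem_file(SAMPLE_PEM))
    print(split_pem(SAMPLE_PEM)["CERTIFICATE"])
```

Run it against the file produced by the openssl command; an empty problem list means the two blocks can be pasted as they are.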

Save the Configuration settings

Click the “SAVE” button. You should reboot your server to ensure the new settings take effect.

4. Configure XigmaNAS User Account - Enable a Shell

To connect using SFTP you must have a properly configured user account. You could just use root, but this is not recommended for security reasons. You should create an account on XigmaNAS so that SFTP can log in, see SUG Section 7.1-User Management. Make sure you select a proper SHELL instead of NOLOGIN for your new user. I used sh in my configuration. Additional GROUPS that I selected are FTP (Primary), SSHD, WHEEL, and ADMIN.

Save the Configuration settings

Click the “SAVE” Button.

5. Connect to XigmaNAS with a Secure Client.

There are several free programs that provide secure connections supporting AUTH TLS / SSL / SFTP.

Client software (Windows / Linux):

  • FileZilla
  • WinSCP
  • FireFTP
  • CoreFTP
  • CuteFTP

REF: http://en.wikipedia.org/wiki/Comparison_of_FTP_client_software

In the illustrations above, FileZilla was used as the client.

Thanks to danmero for original KnowledgeBase article.

Thanks to ldkraemer for original contribution of this section.

documentation/setup_and_user_guide/secure_sftp_configuration.txt · Last modified: 2018/10/02 15:51 by zoon01