SUMMARY: secure file transfers

From: Riggs, Joan <Joan.Riggs_at_kls.usaka.smdc.army.mil>
Date: Wed, 10 May 2000 10:06:10 +1200

Here is a summary of all the responses received thus far ... the majority
agree that ssh2's scp or sftp is the way to go.

One more question:
I was able to generate the keypairs both on my Tru64 server and my NT
workstation; however I cannot connect from the NT box to the Unix box. I
get a wrong password error but the password is correct.

Thanks in advance,


Joan Riggs
Raytheon RSE / KLS
Information Technology
805.355.9877
joan.riggs_at_kls.usaka.smdc.army.mil




> -----Original Message-----
> From: Riggs, Joan [mailto:Joan.Riggs_at_kls.usaka.smdc.army.mil]
> Sent: Tuesday, May 09, 2000 7:33 AM
> To: 'tru64-unix-managers_at_ornl.gov'
> Subject: secure file transfers
>
> I realize this is not directly Tru64 related, but hopefully this is an
> allowed question:
>
> I am running Tru64 4.0f and need to automate file transfers between these
> machines and NT servers. I am installing ssh2 this week.
>
> My question is: what would be the most secure way to set up the automated
> file transfers?
> I'd like to run a batch process but am concerned about imbedding passwords
> in an ftp process.
> __________________________________________________________________________
>
> Tom Webster
> Most of my experience is with ssh1.x, so some of this may not carry
> over....
> Is it sufficient to be reasonably sure that the connecting system is who
> they claim to be -- not the user? If so you should be able
> to get there with .shosts authentication (like rhosts, but under a
> different file -- so the "r" commands won't try to use it) and RSA
> authentication of the connecting host.
> There is a risk if:
> 1. The connecting host is totally hijacked.
> 2. The connecting host is cracked and the system's /etc/ssh_host_key
> (/etc/ssh/... on ssh2) is copied and then your IP address can be
> spoofed.
> You can find information on setting up hostbased authentication in the SSH
> FAQ: http://www.onsight.com/faq/ssh
>
> Roetman, Paul
> This may not be an appropriate method, but we have just installed Samba on
> our Tru64 4.0f Unix machine, and can now map
> drives from NT directly onto the Unix machine.
>
> The security of Samba can be defined as user, system or domain level. We
> chose domain, and so registered our Unix box as
> part of the NT Domain (after the NT Domain Administrator enters the name
> of your Unix machine into the domain list, run
> smbpasswd -j ${NTDOmainName} ). Then we just add shares as required, and
> add permissions to the shares as required -
> it works brilliantly! All password validation is passed on to the domain
> controller, so NT users do not have to have an account
> on the Unix Machine to access a share.
>
> We then tried to map NT shares directly onto the Unix machine using
> Microsoft's new product SFU (Services for Unix Ver 2.0 -
> just released last week). After much pain and suffering, gave up and only
> use samba now!
> Web site for samba is www.samba.org
>
>
> Anthony A. D. Talltree
> There's an MS-OS SSH client that does scp. It's called putty.exe.
>
>
> Jim Belonis
> I don't have ssh2, but for ssh, this is what you would do...
> If you have ssh, just setup for password-less ssh logins ( put the proper
> entry in ~/.ssh/authorized_keys on the destination machine ) and use scp
> which I believe is included as a replacement for rcp . If it is not
> included, you can 'tunnel' ftp over ssh.
>
>
> John P Speno
> with ssh, you can use RSA authentication. You copy the public key to the
> remote side and you can ssh and scp w/o using a password.
>
>
> Marc Potvin
> ssh2 has an app called scp or secure copy. this should have what you are
> looking for.
>
>
> Robert Carsey
> the SSH package has a Secure FTP program called sftp. I assume it also
> comes with the sftp daemon too.
>
>
> Jeff Berliner
> You should be able to use scp from the ssh package, and with the
> appropriate public and private keys on each side, embedding
> passwords shouldn't be necessary.
>
>
> Samuel Nicolary
> this works well with ssh:
> tar cpf - /some/dirs | ssh <some-server> '(cd /some/where; tar xpf - )'
>
>
> Benjamin Smith
> Although not elegant but workable would be using passphrase-based
> authentication and scp/sftp to automate the file migration.
> The catch to both is that in an automated fashion one would have to embed
> the passphrase in the script as well; one workaround is to use null
> pass-phrases however this implies that one can log into the target server
> as that user without a password. I suppose one mitigates that by the
> encryption and "strength" of keys....
>
>
> Iwao MAKINO
> I do not know about latter question, but first one. Secure rcp can be
> used as scp. man ssh will help you.
>
>
> Carlos Morgado
> Do RSA key auth. It's public/private key and you can configure per host
> access. All you have to worry about is compromise
> of the local machines and consequent compromise of the priv keys, but by
> then you'd have big troubles anyway.
>
>
> Nikola Milutinovic
> SSH has scp - Secure CoPy.
>
>
> Joe Fletcher
> NT and security; now there's a contradiction. ;-) How about running
> Advanced Server on the Tru64 kit and having the files you
> want "transferred" sit in a share on the ASU server. The NT servers then
> access the share via standard NT Domain controls.
> Just an idea.
>
>
>
>
>
Received on Tue May 09 2000 - 22:21:29 NZST
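
Several replies above recommend passphrase-less key authentication for unattended scp, and Benjamin Smith points out that such a key lets its holder log in as that user. The following is an added example, not part of the original thread: it assumes a current OpenSSH server (not the ssh2 product discussed in the thread) and builds an `authorized_keys` entry that ties the batch key to one source host and one forced command. The function name, host name, wrapper path and key material are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): emit a restricted authorized_keys
# entry for a passphrase-less batch key. Assumes OpenSSH 7.2 or later on
# the server, where the "restrict" option disables PTY allocation and all
# forwarding in one keyword.

# restricted_entry FROM_PATTERN FORCED_COMMAND PUBKEY_LINE
# Prints one authorized_keys line; returns 1 if any input is unsafe.
restricted_entry() {
    from=$1; cmd=$2; pub=$3
    nl='
'
    [ -n "$from" ] && [ -n "$cmd" ] || return 1

    # Reject newlines anywhere: one key must stay one line in the file.
    case "$from$cmd$pub" in *"$nl"*) return 1 ;; esac

    # from= and command= values are written inside double quotes, so
    # refuse characters that could close the quote or escape it.
    case "$from$cmd" in *'"'*|*'\'*) return 1 ;; esac

    # The key must start with a key type, i.e. carry no options of its own.
    ktype=${pub%% *}
    rest=${pub#* }
    case "$ktype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-*) ;;
        *) return 1 ;;
    esac
    [ "$rest" != "$pub" ] && [ -n "$rest" ] || return 1

    printf 'restrict,from="%s",command="%s" %s\n' "$from" "$cmd" "$pub"
}

# Constructed sample values; the key blob is a placeholder, not a real key,
# and /usr/local/bin/receive-batch is a hypothetical wrapper script.
SAMPLE_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBLOB batch@ntbox'
restricted_entry 'ntbox.example.com' '/usr/local/bin/receive-batch' "$SAMPLE_PUB"
```

Appending the printed line to the batch account's `~/.ssh/authorized_keys` on the destination host means a copied private key can only run the forced command, and only from the named host.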
