Ssh Sftp


With the Admin Security or JITC feature sets enabled, the Secure Shell (SSH) and related Secure Shell File Transfer (SFTP) protocols provide for the secure transfer of audit files and for the secure transfer of management traffic across the wancom0 interface.

SSH Operations

SSH Version 2.0, the only version supported on the OCSBC, is defined by a series of five RFCs.

  • RFC 4250, The Secure Shell (SSH) Protocol Assigned Numbers
  • RFC 4251, The Secure Shell (SSH) Protocol Architecture
  • RFC 4252, The Secure Shell (SSH) Authentication Protocol
  • RFC 4253, The Secure Shell (SSH) Transport Layer Protocol
  • RFC 4254, The Secure Shell (SSH) Connection Protocol

RFCs 4252 and 4253 are most relevant to OCSBC operations.

SFTP (SSH File Transfer Protocol) is a network protocol that provides file access, file transfer, and file management over any reliable data stream. It was designed by the Internet Engineering Task Force (IETF) as an extension of the Secure Shell protocol (SSH) version 2.0 to provide secure file transfer capabilities.

The transport layer protocol (RFC 4253) provides algorithm negotiation and key exchange. The key exchange includes server authentication and results in a cryptographically secured connection that provides integrity, confidentiality and optional compression. Forward security is provided through a Diffie-Hellman key agreement. This key agreement results in a shared session key. The rest of the session is encrypted using a symmetric cipher, currently 128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The client selects the encryption algorithm to use from those offered by the server. Additionally, session integrity is provided through a cryptographic message authentication code (hmac-md5, hmac-sha1, umac-64 or hmac-ripemd160).

The authentication protocol (RFC 4252) uses this secure connection provided and supported by the transport layer. It provides several mechanisms for user authentication. Two modes are supported by the OCSBC: traditional password authentication and public-key authentication.

Configuring SSH Properties

The single instance ssh-config configuration element specifies SSH re-keying thresholds.

  1. From admin mode, use the following command path to access the ssh configuration element:

    ssh configuration element properties are shown below with their default values

  2. rekey-interval—specifies the maximum allowed interval, in minutes, between SSH key negotiations

    Allowable values are integers within the range 60 through 600, with a default of 60 (minutes). Shorter lifetimes provide more secure connections.

    Works in conjunction with rekey-byte-count, which sets a packet-based threshold, to trigger an SSH renegotiation. If either trigger is activated, an SSH renegotiation is begun.

    Retain the default value, or specify a new value.

  3. rekey-byte-count—specifies the maximum allowed send and receive packet count, in powers of 2, between SSH key negotiations

    Allowable values are integers within the range 20 (1,048,576 packets) through 31 (2,147,483,648 packets), with a default of 31 (2^31). Smaller packet counts provide more secure connections.

    Works in conjunction with rekey-interval, which sets a time-based threshold, to trigger an SSH renegotiation. If either trigger is activated, an SSH renegotiation is begun.

    Retain the default value, or specify a new value.

    A sample SSH configuration appears below:

    Specifies a key renegotiation every 20 minutes, or at the reception/transmission of 2,147,483,648 packets, whichever comes first.

Managing SSH Keys

Use the following procedure to import an SSH host key.

Importing a host key requires access to the SFTP server or servers which receive audit log transfers. Access is generally most easily accomplished with a terminal emulation program such as PuTTY, SecureCRT, or TeraTerm.

  1. Use a terminal emulation program to access the SSH file system on a configured SFTP server.
  2. Copy the server's base64-encoded public key file, making sure to include the Begin and End markers as specified by RFC 4716, The Secure Shell (SSH) Public Key File Format.

    For OpenSSH implementations, host key files are generally found at /etc/ssh/ssh_host_dsa_key.pub or /etc/ssh/ssh_host_rsa_key.pub. Other SSH implementations can differ.

  3. From admin mode use the ssh-pub-key command to import the host key to the OCSBC.

    For importing a host key, this command takes the format:

    where name is an alias or handle assigned to the imported host key, generally the server name or a description of the server function.

  4. Paste the public key with the bracketing Begin and End markers at the cursor point.
  5. Enter a semi-colon (;) to signal the end of the imported host key.
  6. Follow directions to save and activate the configuration.

Importing SSH Keys

Use the following procedure to import an SSH public key.

Prior to using SSH public-key-based authentication you must import a copy of the public key of each user who will authenticate using this method. The public key identifies the user as a trusted entity when the Oracle SBC performs authentication.


During the SSH login, the user presents its public key to the SBC. Upon receiving the offered public key, the SBC validates it against the previously obtained trusted copy of the key to identify and authenticate the user.

Importing a public key requires access to the device on which the public key was generated, or on which it is currently stored with its associated private key. Access is generally attained with a terminal emulation program such as PuTTY, SecureCRT, or TeraTerm.

  1. Use a terminal emulation program to access the system from which the public key will be obtained.
  2. Copy the base64 encoded public key making sure to include the Begin and End markers as specified by RFC 4716, The Secure Shell (SSH) Public Key File Format.
  3. From admin mode use the ssh-pub-key command to import the public key to the OCSBC.

    For importing a public key which will be used to authorize a user, this command takes the format:

    • where name is an alias or handle assigned to the imported public key, often the user’s name.
    • where authorizationClass optionally designates the authorization class assigned to this user, and takes the value user (the default) or admin.

    To import a public key for Matilda who will be authorized for admin privileges, use the following command

  4. Paste the public key with the bracketing Begin and End markers at the cursor point.
  5. Enter a semi-colon (;) to signal the end of the imported public key.
  6. Follow directions to save and activate the configuration.

Generating an SSH Key Pair

Use the following procedure to generate an SSH key pair.

The initial step in generating an SSH key pair is to configure a public key record which will serve as a container for the generated key pair.

  1. Navigate to the public-key configuration element.
  2. Use the name command to provide the object name, and the show command to verify object creation.

    creates a public key record named tashtego.

  3. Use the done command to complete object creation.
  4. Make a note of the last-modified-date time value.
  5. Move back to admin mode, and save and activate the configuration.
  6. Now use the ssh-pub-key generate command, in conjunction with the name of the public key record created in Step 3, to generate an SSH key pair.

    For generating an SSH key pair, this command takes the format:

    where name is an alias or handle assigned to the generated key pair, generally the client name or a description of the client function.

  7. Copy the base64-encoded public key. Copy only the actual public key — do not copy the bracketing Begin and End markers nor any comments. Shortly you will paste the public key to one or more SFTP servers.
  8. Save and activate the configuration.
  9. Return to the public-key configuration object, and select the target public key record instance.
  10. Verify that the record has been updated to reflect key generation by examining the value of the last-modified-date field.

Copying Public Key to SFTP Server

Use the following procedure to copy a client public key to an SFTP server.

Copying the client public key to an SFTP server requires server access generally using a terminal emulation program such as PuTTY, SecureCRT, or TeraTerm.
  1. Use a terminal emulation program to access the SSH file system on a configured SFTP server.
  2. Copy the client key to the SFTP server.

    On OpenSSH implementations, public keys are usually stored in the ~/.ssh/authorized_keys file. Each line in this file (1) is empty, (2) starts with a pound (#) character (indicating a comment), or (3) contains a single public key.

    Refer to the sshd man pages for additional information regarding file format.

    Use a text editor such as vi or emacs to open the file and paste the public key to the tail of the authorized_keys file.

    For SSH implementations other than OpenSSH, consult the system administrator for file structure details.
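An added example (not from the Oracle documentation or from OpenSSH) showing how a small script can apply the authorized_keys line rules above when appending a client public key: classify each line, skip a key that is already present, refuse pasted RFC 4716 markers, and leave the file with the 0600 mode that sshd expects. The key string, paths and helper names are constructed placeholders; lines carrying sshd key options before the key type are not handled.

```python
import os
import stat
import tempfile


def classify_line(line: str) -> str:
    # sshd(8): each line is empty, a '#' comment, or exactly one public key
    s = line.strip()
    if not s:
        return "empty"
    if s.startswith("#"):
        return "comment"
    return "key"


def existing_keys(path: str) -> set:
    # (keytype, base64) pairs already in the file; option-prefixed lines are not parsed here
    found = set()
    if not os.path.exists(path):
        return found
    with open(path) as f:
        for line in f:
            if classify_line(line) == "key":
                parts = line.split()
                if len(parts) >= 2:
                    found.add((parts[0], parts[1]))
    return found


def append_public_key(path: str, keytype: str, b64: str, comment: str = "") -> bool:
    # Append one key line to the tail of authorized_keys; False if it is already there
    if "----" in b64 or " " in b64:
        raise ValueError("paste only the base64 key, without RFC 4716 markers or comments")
    if (keytype, b64) in existing_keys(path):
        return False
    os.makedirs(os.path.dirname(path) or ".", mode=0o700, exist_ok=True)
    with open(path, "a") as f:
        f.write(f"{keytype} {b64} {comment}".rstrip() + "\n")
    os.chmod(path, 0o600)  # sshd (StrictModes) rejects group/world-writable key files
    return True


def demo() -> tuple:
    # Constructed run in a temporary directory with a placeholder (not real) key blob
    with tempfile.TemporaryDirectory() as home:
        path = os.path.join(home, ".ssh", "authorized_keys")
        blob = "AAAAB3NzaC1yc2EAAAADAQABAAAAAQA="  # placeholder, not a real key
        first = append_public_key(path, "ssh-rsa", blob, "tashtego@ocsbc")
        dup = append_public_key(path, "ssh-rsa", blob, "tashtego@ocsbc")
        mode = stat.S_IMODE(os.stat(path).st_mode)
        return first, dup, mode, len(existing_keys(path))
```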

Use the following procedure to view an imported SSH key.

You can use the show security ssh-pub-key command to display information about SSH keys imported to the OCSBC with the ssh-pub-key command; you cannot display information about keys generated by the ssh-pub-key command.

displays summary information for all SSH imported keys

  • login-name—contains the name assigned to the RSA or DSA public key when it was first imported
  • finger-print—contains the output of an MD5 hash computed across the base64-encoded public key
  • finger-print-raw—contains the output of an MD5 hash computed across the binary form of the public key

displays summary information for a specific SSH public key (in this case fedallah)

displays detailed information for a specific SSH public key (in this case fedallah, an RSA key)

  • host-name—contains the name assigned to the RSA key when it was first imported
  • finger-print—contains the output of an MD5 hash computed across the base64-encoded RSA public key
  • finger-print-raw—contains the output of an MD5 hash computed across the binary form of the RSA public key
  • public key—contains the base64-encoded RSA key
  • modulus—contains the hexadecimal modulus (256) of the RSA key
  • exponent—(also known as public exponent or encryption exponent) contains an integer value that is used during the RSA key generation algorithm. Commonly used values are 17 and 65537. A prime exponent greater than 2 is generally used for more efficient key generation.

displays detailed information for a specific SSH public key (in this case acme74, a DSA key)

  • host-name—contains the name assigned to the DSA public key when it was first imported
  • comment—contains any comments associated with the DSA key
  • finger-print—contains the output of an MD5 hash computed across the base64-encoded DSA public key
  • finger-print-raw—contains the output of an MD5 hash computed across the binary form of the DSA public key
  • public key—contains the base64-encoded DSA key
  • p—contains the first of two prime numbers used for key generation
  • q—contains the second of two prime numbers used for key generation
  • g—contains an integer that together with p and q are the inputs to the DSA key generation algorithm

displays detailed information for all SSH imported keys.
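As an added example, not code from the Oracle documentation: the Python below builds a constructed (toy, not real) ssh-rsa key blob, wraps it with the RFC 4716 Begin/End markers that the import procedures above require, parses it back, and derives the finger-print, finger-print-raw, exponent and modulus fields listed for the show command, computing the fingerprints as MD5 over the base64 text and over the binary form respectively, as the page describes. It also produces the bare, marker-free form used when copying a generated key to authorized_keys. The helper names and the exact OCSBC output format are assumptions.

```python
import base64
import hashlib
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def _string(s: bytes) -> bytes:
    return struct.pack(">I", len(s)) + s

def _mpint(n: int) -> bytes:
    # RFC 4251 mpint: big-endian, with a leading 0x00 when the top bit is set
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _string(raw)

def _read(buf: bytes, pos: int, as_int: bool = False):
    (n,) = struct.unpack_from(">I", buf, pos)
    raw = buf[pos + 4:pos + 4 + n]
    return (int.from_bytes(raw, "big") if as_int else raw), pos + 4 + n

def build_rsa_blob(e: int, n: int) -> bytes:
    # ssh-rsa wire format (RFC 4253 6.6): string "ssh-rsa", mpint e, mpint n
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)

def wrap_rfc4716(blob: bytes, comment: str) -> str:
    # The Begin/End-bracketed text that is pasted at the ssh-pub-key prompt
    b64 = base64.b64encode(blob).decode()
    body = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([BEGIN, f'Comment: "{comment}"', *body, END]) + "\n"

def parse_rfc4716(text: str) -> dict:
    # Check both markers, decode the body, and derive the fields the show command lists
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing RFC 4716 Begin/End marker")
    body, comment, i = lines[1:-1], "", 0
    while i < len(body) and ":" in body[i]:  # header lines; base64 never contains ':'
        name, _, value = body[i].partition(":")
        if name.strip().lower() == "comment":
            comment = value.strip().strip('"')
        i += 1
    b64 = "".join(body[i:])
    blob = base64.b64decode(b64, validate=True)
    info = {
        "comment": comment,
        "public_key": b64,
        "finger_print": hashlib.md5(b64.encode()).hexdigest(),  # over the base64 text
        "finger_print_raw": hashlib.md5(blob).hexdigest(),      # over the binary form
    }
    ktype, pos = _read(blob, 0)
    info["type"] = ktype.decode()
    if ktype == b"ssh-rsa":
        info["exponent"], pos = _read(blob, pos, True)
        info["modulus"], pos = _read(blob, pos, True)
    elif ktype == b"ssh-dss":
        for name in ("p", "q", "g", "y"):
            info[name], pos = _read(blob, pos, True)
    return info

def to_openssh_line(text: str) -> str:
    # Bare base64 key with no markers, as one authorized_keys line
    k = parse_rfc4716(text)
    return f"{k['type']} {k['public_key']} {k['comment']}".rstrip()

# Constructed sample: toy RSA parameters (e=65537, n=2^61-1), not a real key
SAMPLE = wrap_rfc4716(build_rsa_blob(65537, (1 << 61) - 1), "tashtego@ocsbc")
```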

SFTP Operations

SFTP performs all operations over an encrypted SSH connection. It may also use many features of SSH, such as public key authentication and compression. SFTP connects and logs into the specified host, then enters an interactive command mode.

Once in interactive mode, SFTP understands a set of commands similar to those of FTP. Commands are case insensitive and pathnames may be enclosed in quotes if they contain spaces.

The following lists supported SFTP commands:
  • bye—Quit SFTP.
  • cd path—Change remote directory to path.
  • lcd path—Change local directory to path.
  • chgrp grp path—Change group of file path to group. group must be a numeric GID.
  • chmod mode path—Change permissions of file path to mode.
  • chown own path—Change owner of file path to own. own must be a numeric UID.
  • dir (or ls)—List the files in the current directory.
  • exit—Quit SFTP.
  • get [flags] remote-path [local-path]—Retrieve the remote-path and store it on the local machine. If the local path name is not specified, it is given the same name it has on the remote machine. If the -P flag is specified, then the file's full permission and access time are copied too.
  • help—Display help text.
  • lcd—Change the directory on the local computer.
  • lls [ls-options [path]]—Display local directory listing of either path or current directory if path is not specified.
  • lmkdir path—Create local directory specified by path.
  • ln oldpath newpath—Create a symbolic link from oldpath to newpath.
  • lpwd—Print local working directory.
  • ls [path]—Display remote directory listing of either path or current directory if path is not specified.
  • lumask umask—Set local umask to umask.
  • mkdir path—Create remote directory specified by path.
  • put [flags] local-path [remote-path]—Upload local-path and store it on the remote machine. If the remote path name is not specified, it is given the same name it has on the local machine. If the -P flag is specified, then the file's full permission and access time are copied too.
  • pwd—Display remote working directory.
  • quit—Quit SFTP.
  • rename oldpath newpath—Rename remote file from oldpath to newpath.
  • rmdir path—Remove remote directory specified by path.
  • rm path—Delete remote file specified by path.
  • symlink oldpath newpath—Create a symbolic link from oldpath to newpath.
  • ! command—Execute command in local shell.
  • !—Escape to local shell.
  • ?—Synonym for help.

Note:

Command availability is subject to Oracle authorization/privilege classes.

Some SFTP commands are available to only certain users; some commands are available to no users.

RADIUS file access privileges are specified by the Acme-User-Privilege VSA, which can take the following values.

  • sftpForAudit—allows audit log access
  • sftpForAccounting—allows system logs to be accessed
  • sftpForHDR—allows HDR (Historical Data Records) to be accessed
  • sftpForAll—allows all logs to be accessed

Name

sftp - secure file transfer program

Synopsis

sftp [-1Cv] [-B buffer_size] [-b batchfile] [-F ssh_config] [-o ssh_option] [-P sftp_server_path] [-R num_requests] [-S program] [-s subsystem | sftp_server] host


sftp [

sftp [user@]host[:dir[/]]

sftp -b batchfile [user@]host

Description

sftp is an interactive file transfer program, similar to ftp(1), which performs all operations over an encrypted ssh(1) transport. It may also use many features of ssh, such as public key authentication and compression. sftp connects and logs into the specified host, then enters an interactive command mode.

The second usage format will retrieve files automatically if a non-interactive authentication method is used; otherwise it will do so after successful interactive authentication.

The third usage format allows sftp to start in a remote directory.

The final usage format allows for automated sessions using the -b option. In such cases, it is necessary to configure non-interactive authentication to obviate the need to enter a password at connection time (see sshd(8) and ssh-keygen(1) for details). The options are as follows:

-B buffer_size
Specify the size of the buffer that sftp uses when transferring files. Larger buffers require fewer round trips at the cost of higher memory consumption. The default is 32768 bytes.

-b batchfile
Batch mode reads a series of commands from an input batchfile instead of stdin. Since it lacks user interaction it should be used in conjunction with non-interactive authentication. A batchfile of '-' may be used to indicate standard input. sftp will abort if any of the following commands fail: get, put, rename, ln, rm, mkdir, chdir, ls, lchdir, chmod, chown, chgrp, lpwd, df, and lmkdir. Termination on error can be suppressed on a command by command basis by prefixing the command with a '-' character (for example, -rm /tmp/blah*).

-C Enables compression (via ssh's -C flag).

-F ssh_config
Specifies an alternative per-user configuration file for ssh(1). This option is directly passed to ssh(1).

-o ssh_option
Can be used to pass options to ssh in the format used in ssh_config(5). This is useful for specifying options for which there is no separate sftp command-line flag. For example, to specify an alternate port use: sftp -oPort=24. For full details of the options listed below, and their possible values, see ssh_config(5).

AddressFamily
BatchMode
BindAddress
ChallengeResponseAuthentication
CheckHostIP
Cipher
Ciphers
Compression
CompressionLevel
ConnectionAttempts
ConnectTimeout
ControlMaster
ControlPath
GlobalKnownHostsFile
GSSAPIAuthentication
GSSAPIDelegateCredentials
HashKnownHosts
Host
HostbasedAuthentication
HostKeyAlgorithms
HostKeyAlias
HostName
IdentityFile
IdentitiesOnly
KbdInteractiveDevices
LogLevel
MACs
NoHostAuthenticationForLocalhost
NumberOfPasswordPrompts
PasswordAuthentication
Port
PreferredAuthentications
Protocol
ProxyCommand
PubkeyAuthentication
RekeyLimit
RhostsRSAAuthentication
RSAAuthentication
SendEnv
ServerAliveInterval
ServerAliveCountMax
SmartcardDevice
StrictHostKeyChecking
TCPKeepAlive
UsePrivilegedPort
User
UserKnownHostsFile
VerifyHostKeyDNS

-P sftp_server_path
Connect directly to a local sftp server (rather than via ssh(1)). This option may be useful in debugging the client and server.

-R num_requests
Specify how many requests may be outstanding at any one time. Increasing this may slightly improve file transfer speed but will increase memory usage. The default is 64 outstanding requests.

-S program
Name of the program to use for the encrypted connection. The program must understand ssh(1) options.

-s subsystem | sftp_server
Specifies the SSH2 subsystem or the path for an sftp server on the remote host. A path is useful for using sftp over protocol version 1, or when the remote sshd(8) does not have an sftp subsystem configured.

-v Raise logging level. This option is also passed to ssh.

Interactive Commands

Once in interactive mode, sftp understands a set of commands similar to those of ftp(1). Commands are case insensitive. Pathnames that contain spaces must be enclosed in quotes. Any special characters contained within pathnames that are recognized by glob(3) must be escaped with backslashes (\).

cd path
Change remote directory to path.

chgrp grp path
Change group of file path to grp. path may contain glob(3) characters and may match multiple files. grp must be a numeric GID.

chmod mode path
Change permissions of file path to mode. path may contain glob(3) characters and may match multiple files.

chown own path
Change owner of file path to own. path may contain glob(3) characters and may match multiple files. own must be a numeric UID.

df [-hi] [path]
Display usage information for the filesystem holding the current directory (or path if specified). If the -h flag is specified, the capacity information will be displayed using 'human-readable' suffixes. The -i flag requests display of inode information in addition to capacity information. This command is only supported on servers that implement the '[email protected]' extension.

exit Quit sftp.

get [-P] remote-path [local-path]
Retrieve the remote-path and store it on the local machine. If the local path name is not specified, it is given the same name it has on the remote machine. remote-path may contain glob(3) characters and may match multiple files. If it does and local-path is specified, then local-path must specify a directory. If the -P flag is specified, then full file permissions and access times are copied too.

help Display help text.

lcd path
Change local directory to path.

lls [ls-options [path]]
Display local directory listing of either path or current directory if path is not specified. ls-options may contain any flags supported by the local system's ls(1) command. path may contain glob(3) characters and may match multiple files.

lmkdir path
Create local directory specified by path.

ln oldpath newpath
Create a symbolic link from oldpath to newpath.

lpwd Print local working directory.

ls [-1aflnrSt] [path]
Display a remote directory listing of either path or the current directory if path is not specified. path may contain glob(3) characters and may match multiple files.

The following flags are recognized and alter the behaviour of ls accordingly:

-1 Produce single columnar output.

-a List files beginning with a dot ('.').

-f Do not sort the listing. The default sort order is lexicographical.

-l Display additional details including permissions and ownership information.

-n Produce a long listing with user and group information presented numerically.

-r Reverse the sort order of the listing.

-S Sort the listing by file size.

-t Sort the listing by last modification time.

lumask umask
Set local umask to umask.

mkdir path
Create remote directory specified by path.

progress
Toggle display of progress meter.

put [-P] local-path [remote-path]
Upload local-path and store it on the remote machine. If the remote path name is not specified, it is given the same name it has on the local machine. local-path may contain glob(3) characters and may match multiple files. If it does and remote-path is specified, then remote-path must specify a directory. If the -P flag is specified, then the file's full permission and access time are copied too.


pwd Display remote working directory.

quit Quit sftp.

rename oldpath newpath
Rename remote file from oldpath to newpath.

rm path
Delete remote file specified by path.

rmdir path
Remove remote directory specified by path.

symlink oldpath newpath
Create a symbolic link from oldpath to newpath.

version
Display the sftp protocol version.

! command
Execute command in local shell.

! Escape to local shell.

? Synonym for help.

IPV6

An IPv6 address can be used anywhere an IPv4 address can. In all entries the IPv6 address must be enclosed in square brackets. Note: the square brackets are metacharacters for the shell and must be escaped in the shell.

See Also


ftp(1), ls(1), scp(1), ssh(1), ssh-add(1), ssh-keygen(1), glob(3), ssh_config(5), sftp-server(8), sshd(8)

Referenced By

darcs(1), gsissh(1), gsissh_config(5), gsisshd(8), rssh(1), rssh.conf(5), scponly(8)