Replacing FTP with SSH
FTP is an unencrypted protocol with means that all the data transferred, including the username and password, is sent in plain text across the internet. This is not an acceptable situation on the modern internet so an encrypted protocol must be employed replacing FTP.
SSH natively supports encrypted file transfers. This means that files can be securely transferred to a linux server without additional software being installed and configured. In addition, SSH key authentication is also supported improving security and efficiency.
This guide will explore replacing FTP on Windows and linux.
Replacing FTP on Windows
The best SSH file transfer program for Windows is WinSCP. This program is open-source, free and very well regarded. WinSCP supports several encrypted file transfer protocols including the SSH-based protocol; SCP. WinSCP can be downloaded from their website here:
Creating a simple login
The first time that WinSCP is run it will open the new connection interface. The following steps will log you into an SSH server and save those login details for future use:
- Select the SCP protocol from this drop down list.
- Enter the host name or IP address of the server.
- Enter the username that you will log in as.
- Enter the user’s password.
- Hit “Save” to create a session with these details so you don’t have to enter them again.
- Clicking “Login” will open a connection to the server.
After a successful login, WinSCP will display a traditional two-pane display of your local computer on the left side and the remote server on the right.
WinSCP and SSH keys
WinSCP is able to use SSH keys to increase security and enable password-less logins with Pageant. If you do not yet have a PuTTY format private key please see the SSH from Windows documentation for instructions on generating one.
In order to associate an SSH key with a session load a saved session and click on the “Advanced...” options dropdown and select “Advanced”:
This will bring up the following page:
- Click on “Authenticate”.
- Locate the private key you created with PuTTYGen in the “Private key file” field.
Then click on "OK" to save the advanced configuration. Also, remember to save the new configuration in your session. When using this session you will need to enter the password of your private key rather than the password of the server.
WinSCP will work with Pageant which will enable password-less logins once your private key is loaded into memory. Please see the Using SSH from Windows documentation for information on how to use Pageant to store a private key in memory.
Replacing FTP on linux
As is typically the case with linux a process can either be performed from the command line or from GUI tools built into desktop environments like KDE and GNOME. This guide will explore both.
Encrypted file transfers from the command line
The tool that will be examined here is the scp (Secure CoPy) program. It is almost certainly included into whatever linux distribution you are already using. It has a very simple syntax for a basic file transfer:
scp file destination
SCP does not care if the file is on your local computer or on the remote computer. This means that it is possible to copy files from the remote server to a local computer without having to first log into the remote server.
The remote source or destination must take the following form:
Here is a working example with the following details:
- file – file.txt in the current directory
- user – root
- server – examlaaa1.miniserver.com
- destination - /root/ on the remote server
scp file.txt email@example.com:/root/
Alternatively, if I wanted to copy the same file from /root/ on the remote server to the local directory the file and destinations would simply be swapped around. Here a "." is used as the linux shorthand for the current directory:
scp firstname.lastname@example.org:/root/file.txt .
When copying an entire directory the -r (recursive) option must be used e.g.:
scp -r /local/directory email@example.com:/root/
The standard linux command line regular expressions such as * can be used to copy multiple files at once.
Encrypted transfer from the desktop: KDE
The default KDE file manager; Dolphin, supports SSH file transfers. All that is required is to click on the “Network” destination and enter an address of the following form:
The following is a working example for user “root” at the server “examlaaa1.miniserver.com”:
If an SSH key is loaded into memory you will be logged straight into the home directory of the specified user. Instructions on loading an SSH key into memory can be found in the SSH from linux documentation.
If you don’t have the key loaded then you will have to enter the password for that user on the server. After logging in you can manage the files on the server exactly as if they were on your local machine. Cut, copy, paste and drag'n'drop will all work exactly as you would expect.
Encrypted transfer from the desktop: GNOME
The default file manager in GNOME is called Files. It supports encrypted file transfers via SSH. In order to open an encrypted connection follow these steps:
- Click on the “Other Locations” link in the navigation panel down the left side.
- Enter the special URL of the remote server.
The URL must have the form:
The following is a working example for user “root” at server “examplaaa1.miniserver.com”:
When a connection is made files can be managed as if they were located on the local computer. They can be copied, pasted, moved, renamed, dragged and dropped etc.
Files only support password authentication so without additional configuration the remote server must allow password authentication in order for Files to log in.
However, a workaround is possible by creating some custom ssh configuration on the local computer to force key based authentication. The configuration file is located in the .ssh directory under their home directory. The following command will edit this file and create it if it does not already exist:
The following two lines must be added:
Host SERVER_NAME IdentityFile ~/.ssh/PRIVATE.KEY
The following changes must be made to these lines:
- SERVER_NAME must be replaced with the hostname of the remote server.
- PRIVATE.KEY must be replaced with your private SSH key.
Every server that you want to log into using Files and an SSH key must be added on the Host line separated by spaces.
After this new configuration, when the remote server is accessed again with Files the password prompt will be for the private key and not for the user at the server.
Unfortunately, Files does not support SSH keys loaded into memory so the password must be entered every time. If you wish to avoid entering the password for every connection then check the “Remember password” box on the password dialogue box.
Last updated 22 June 2017, 06:53 GMT