Bothersome public key SCP implementations..

theta_at_netwalk.com
Date: 05/06/05

  • Next message: Darren Tucker: "Re: Disconnecting: Corrupted MAC on input."
    Date: 6 May 2005 09:15:35 -0000
    To: secureshell@securityfocus.com
    
    

    This is a general question for those who might be knowledgeable in SCP/SSH file transfers.

    I am currently trying to set up a very secure method of transferring files between users and their webhosting directories under BSD. As is, the owner of the hosting does not want FTP to be used, period. With good reason, as I agree that it is a horribly insecure protocol.

    Right now our SSHd is using SSH2 DSA public key authentication, which works very well when the time is taken to set it up correctly between the clients and the servers.

    One idea that I had is the use of SCP/SSH file transfers, to get around the FTP limitation. However, as easily as this can be done through *nix, it's a big pain in the ass to use while in Windows. The free, open-source implementations that I have run across (FileZilla, WinSCP) seem to use the same PuTTY codebase, which doesn't have native support for public key exchange, and relies on a secondary PuTTY utility (pageant) for the exchange of keys.

    Now this is a bit of a pain. But, to make matters worse, PuTTY doesn't use the standard OpenSSH key format, but their own format, and users have to use a 3rd utility (puttygen) to convert between the two.

    So what I've been trying to set up, and pulling my hair out with, is the wonkiness of having to create, convert, and deploy private/public key pairs to my handful of users. Plus, getting said users to run Pageant when connecting using FileZilla or WinSCP.

    So, I guess the question is, has anyone run into the same problems such as this, and if so, what did you do to make it easier? If not, what would you suggest? And also, are there ANY open source/freeware Windows GUI clients to make use of SCP with SSH2 DSA key authentication, or am I just asking for far too much for the price of nothing?

    Anyway, glad this mailing list is here, hope to learn something soon. :)

    Justin

