Re: Secure file transfer from unix to windows

From: Nico Kadel-Garcia (
Date: 11/02/03

Date: Sun, 2 Nov 2003 17:01:02 -0500

"UnixFan" <> wrote in message

> There is no perfect security: when you worry about the security of
> an unencrypted password key stored on the server with 0600 permission,
> you do worry about people with root privilege who can read any files,
> right? But when you can not trust all of them, why don't you worry
> about them using a system call tracer or a trojan horse to capture
> the key when you enter it? With everyone able to modify and build
> SSH executables, there is really a problem with detecting trojan horses,
> and that is one of the reasons we chose the AutoSFTP from WZIS for our
> production use: it provides trojan horse detection functionality,
> which will create a checksum certificate for ssh and sftp before you
> can start to use asftp, such that if later someone changes the ssh or
> sftp program, asftp will be able to detect the change and refuse to
> run. Without knowing the certificate generation password, even root
> will not be able to tamper with the certificate.

The lack of "perfect security" is no excuse for really, really *bad*
security by keeping unencrypted password keys. Such files can always be read
by anyone with physical access to the server in question, and can often be
read from the user's home directory in NFS or SMB setups or from backup
tapes. Remember, while binary vulnerabilities and rootkit attacks are
certainly common in the wild, most crackers don't bother: they go after the
unsecured easy access, such as really poor passwords recorded in /etc/passwd
and (you guessed it!) unencrypted SSH keyfiles, which are often used by
idiots to access remote servers and such delightful sites as sourceforge CVS
source trees.

The checksum/change detection you describe is more correctly incorporated
into a distinct package, not the SSH server itself. I recommend "tripwire"
for its flexibility and common deployment in the Linux world, but there are
plenty of other such tools.
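Two host-side checks that follow the reply above, as an added example (not code from the thread, from AutoSFTP/WZIS, or from tripwire). The first part finds private keys stored without a passphrase, the "unencrypted keyfile" problem Nico raises, by reading the two on-disk formats OpenSSH writes: the legacy PEM wrapper (an encrypted key carries a "Proc-Type: 4,ENCRYPTED" header) and the "openssh-key-v1" container, whose first field is the cipher name ("none" when no passphrase was set). The second part is a minimal keyed integrity baseline over ssh/sftp binaries in the tripwire spirit: SHA-256 per file, with the baseline authenticated by an HMAC under a PBKDF2-derived key, so it cannot be rebuilt or edited without the passphrase. All file contents, paths and passphrases below are constructed for the demo; the "keys" and "binaries" are stand-ins, not real material.

```python
"""Added example: audit for passphrase-less SSH keys and a keyed integrity
baseline for ssh/sftp binaries.  Everything written to disk here is a
constructed stand-in (fake keys, fake ELF files, demo passphrase)."""
import base64
import hashlib
import hmac
import json
import os
import struct
import tempfile


def key_is_unencrypted(pem: bytes) -> bool:
    """True if a private key file has no passphrase protection.
    Raises ValueError if an OpenSSH-format blob is malformed."""
    if b"BEGIN OPENSSH PRIVATE KEY" in pem:
        body = b"".join(l for l in pem.splitlines() if not l.startswith(b"-----"))
        raw = base64.b64decode(body)
        magic = b"openssh-key-v1\x00"
        if not raw.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(magic)
        (n,) = struct.unpack(">I", raw[off:off + 4])   # SSH string: uint32 len + bytes
        cipher = raw[off + 4:off + 4 + n]
        return cipher == b"none"
    if b"ENCRYPTED PRIVATE KEY" in pem:      # PKCS#8, encrypted
        return False
    if b"PRIVATE KEY" in pem:                # legacy PEM (RSA/DSA/EC) or plain PKCS#8
        return b"Proc-Type: 4,ENCRYPTED" not in pem
    return False                             # not a private key at all


def find_unencrypted_keys(directory: str) -> list:
    """Names of files under `directory` that hold passphrase-less private keys."""
    found = []
    for root, _, files in os.walk(directory):
        for name in files:
            with open(os.path.join(root, name), "rb") as f:
                data = f.read()
            try:
                if key_is_unencrypted(data):
                    found.append(name)
            except ValueError:
                pass                          # unreadable blob: not a clean "no", skip
    return sorted(found)


def _baseline_key(passphrase: str, salt: bytes) -> bytes:
    # PBKDF2 so an offline guess at the passphrase costs real work.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


def build_baseline(paths, passphrase: str) -> str:
    """JSON document: per-file SHA-256 digests plus an HMAC over them."""
    salt = os.urandom(16)
    digests = {}
    for p in paths:
        with open(p, "rb") as f:
            digests[p] = hashlib.sha256(f.read()).hexdigest()
    body = json.dumps({"salt": salt.hex(), "files": digests}, sort_keys=True)
    mac = hmac.new(_baseline_key(passphrase, salt), body.encode(), "sha256").hexdigest()
    return json.dumps({"body": body, "mac": mac})


def verify_baseline(blob: str, passphrase: str):
    """Returns (baseline_authentic, changed_paths).  A baseline whose MAC does
    not verify under `passphrase` is rejected outright and no files are trusted."""
    doc = json.loads(blob)
    body = doc["body"]
    inner = json.loads(body)
    salt = bytes.fromhex(inner["salt"])
    expect = hmac.new(_baseline_key(passphrase, salt), body.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expect, doc["mac"]):
        return False, []
    changed = []
    for p, digest in inner["files"].items():
        if not os.path.exists(p):
            changed.append(p)
            continue
        with open(p, "rb") as f:
            if hashlib.sha256(f.read()).hexdigest() != digest:
                changed.append(p)
    return True, changed


def _ssh_string(s: bytes) -> bytes:
    return struct.pack(">I", len(s)) + s


def fake_openssh_key(cipher: bytes) -> bytes:
    """Constructed stand-in: only the header fields the check reads are present."""
    raw = (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(b"none")
           + _ssh_string(b"") + struct.pack(">I", 1))
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.encodebytes(raw)
            + b"-----END OPENSSH PRIVATE KEY-----\n")


# Constructed PEM stand-ins: headers are real, bodies are placeholders.
PEM_PLAIN = (b"-----BEGIN RSA PRIVATE KEY-----\n"
             b"MIIEpAIBAAKCAQEAconstructedNotARealKey\n"
             b"-----END RSA PRIVATE KEY-----\n")
PEM_ENC = (b"-----BEGIN RSA PRIVATE KEY-----\n"
           b"Proc-Type: 4,ENCRYPTED\n"
           b"DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
           b"constructedCiphertextPlaceholder\n"
           b"-----END RSA PRIVATE KEY-----\n")


def run_demo() -> dict:
    """Exercise both checks on constructed files in a scratch directory."""
    with tempfile.TemporaryDirectory() as d:
        ssh_dir = os.path.join(d, "dot_ssh")
        os.mkdir(ssh_dir)
        samples = {"id_rsa_plain": PEM_PLAIN, "id_rsa_enc": PEM_ENC,
                   "id_ed25519_plain": fake_openssh_key(b"none"),
                   "id_ed25519_enc": fake_openssh_key(b"aes256-ctr"),
                   "id_rsa.pub": b"ssh-rsa AAAAB3Nza constructed user@host\n"}
        for name, data in samples.items():
            with open(os.path.join(ssh_dir, name), "wb") as f:
                f.write(data)
        exposed = find_unencrypted_keys(ssh_dir)

        # Stand-ins for /usr/bin/ssh and /usr/bin/sftp.
        binaries = [os.path.join(d, n) for n in ("ssh", "sftp")]
        for p in binaries:
            with open(p, "wb") as f:
                f.write(b"\x7fELF fake " + os.path.basename(p).encode())
        blob = build_baseline(binaries, "demo passphrase")
        clean = verify_baseline(blob, "demo passphrase")
        with open(binaries[1], "ab") as f:      # "trojan" the sftp binary
            f.write(b"\nbackdoor")
        ok, changed = verify_baseline(blob, "demo passphrase")
        # Root rebuilds the baseline over the trojaned binary, but without the
        # passphrase the forged baseline does not verify.
        forged = verify_baseline(build_baseline(binaries, "wrong guess"), "demo passphrase")
        return {"unencrypted_keys": exposed, "clean": clean,
                "after_trojan": (ok, [os.path.basename(p) for p in changed]),
                "forged_baseline": forged}


if __name__ == "__main__":
    print(run_demo())
```

The keyed baseline only does what the quoted post claims for asftp: it stops someone without the passphrase from silently re-certifying a replaced binary. It does nothing against a root who replaces the checker itself, the interpreter it runs under, or the kernel beneath both, which is exactly why the reply points at a separate, independently installed tool such as tripwire with its baseline kept off the host rather than a self-check built into the SSH client.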