# Secure way to transfer files?

## Cyberian-ZH

Hi,

I am a former FTP user.  But recently I been reading some articles and threads.  I noticed some users say transfering files via FTP is not very secure.

What are secure ways to transfer files?

----------

## adaptr

SCP or sftp, or even HTTPS if you can set it up.

----------

## tuxmin

Another option is webdav over SSL.

Alex!!!

----------

## j-m

You can use TLS or SSL for FTP transfers. Every decent client and server is able to handle that...

----------

## Cyberian-ZH

1. Which of the above is secure and friendly enough for a newbie like me to use?

2. Are these preinstalled in Gentoo?

3. Or I have snoop around?  Got any personal favourites?

----------

## Xaid

If you have ssh installed then you should be able to use scp/sftp to transfer files.

to use it, you can do:

```

sftp user@server-address

```

if you don't have ssh installed then you can emerge it by doing:

```

emerge openssh

```

then once you have it installed and ran the ssh server, you can emerge lftp  (has more options and a better interface imo) by doing:

```

emerge lftp

```

and connect to localhost to test it out by doing:

```

lftp -u user fish://localhost

```

there are other ways to do secure ftp but this is what I use usually.

(note: its kinda late here so there might be some typos   :Razz: )

----------

## Cyberian-ZH

Can I specify where the user can go when I give them SSH permission?  Or are they free to go anywhere in my computer?

And which router port do I have to open to get it to run properly?

----------

## Jengu

 *Cyberian-ZH wrote:*   

> Can I specify where the user can go when I give them SSH permission?  Or are they free to go anywhere in my computer?
> 
> And which router port do I have to open to get it to run properly?

 

They'll have all the powers they would if you logged in as that user. Which basically means they can only hurt what's in their home folder.

----------

## petu

 *Cyberian-ZH wrote:*   

> Hi,
> 
> I am a former FTP user.  But recently I been reading some articles and threads.  I noticed some users say transfering files via FTP is not very secure.
> 
> What are secure ways to transfer files?

 

FTP does not use anysort of encryption and therefore passwords can be easily sniffed with tools like tcpdump. This is bad especially if your data is valuable or ftp users also have shell accounts with the same user/pass.

However ftp is still a great way to share files to public anonymously because it's supported on 99% of web browsers and file managers and no-one can sniff anonymous passwords.

For secure file transfers sftp is a good choise but the downside is that AFAIK it does not have a free windows client. SSH communication's win32 client can be downloaded from http://www.ssh.com/products/tectia/client/

----------

## j-m

 *petu wrote:*   

> 
> 
> FTP does not use anysort of encryption and therefore passwords can be easily sniffed with tools like tcpdump. This is bad especially if your data is valuable or ftp users also have shell accounts with the same user/pass.
> 
> 

 

FTP can use SSL or TLS - read you favorite ftp server´s documentation. If it can´t do that, switch to another one...  :Smile: 

----------

## petu

 *j-m wrote:*   

> 
> 
> FTP can use SSL or TLS - read you favorite ftp server´s documentation. If it can´t do that, switch to another one... 

 

This was a surprice to me. Last time I checked this on proftpd's site they offered a dirty openssh portforwarding trick for transmitting passwords securely but data channel didn't have any encryption available a couple of years ago.

----------

## cselkirk

I wouldn't choose to use lftp if only because it doesn't support ssh keys and having to type a password on each connect is not my idea of ease. Certianly it's a more advanced client than sftp in terms of interactivity, but i'd stick with scp/sftp for the support of keys. That said, my advice would be to setup your ssh keys, there are various HOWTOs on seting up ssh/keychain (unfortunatly the link to the guide in the Gentoo Documentation seems to be broken) once you have passwordless login working with ssh it's fairly simple to transfer files, sync directories etc.

```
scp file user@host.tld:$1
```

or a whole directory structure:

```
scp -r directory user@host.tld:$1
```

or sync a local website to your remote webspace:

```
rsync -e ssh -av --delete ~/website/ user@host.tld:public_html/website
```

----------

## j-m

 *petu wrote:*   

>  *j-m wrote:*   
> 
> FTP can use SSL or TLS - read you favorite ftp server´s documentation. If it can´t do that, switch to another one...  
> 
> This was a surprice to me. Last time I checked this on proftpd's site they offered a dirty openssh portforwarding trick for transmitting passwords securely but data channel didn't have any encryption available a couple of years ago.

 

I am using glftpd and pureftpd - both have built-in SSL/TLS capabilities, even for FXP (site-to-site tranfers) if the remote server supports this. 

As for proftpd, I got rid of it after one hour as it was extremely slow, configuration is messy and features I needed were missing or buggy.   :Rolling Eyes: Last edited by j-m on Sat Feb 12, 2005 2:40 pm; edited 1 time in total

----------

## j-m

 *Jengu wrote:*   

>  *Cyberian-ZH wrote:*   Can I specify where the user can go when I give them SSH permission?  Or are they free to go anywhere in my computer?
> 
> And which router port do I have to open to get it to run properly? 
> 
> They'll have all the powers they would if you logged in as that user. Which basically means they can only hurt what's in their home folder.

 

If you want them chrooted and use SSH for file transfers only, then

```

emerge scponly

```

Copy all subdirectories in /home/scponly (except for /incoming) to users´homedirs.

Add /usr/sbin/scponlyc to /etc/shells

With vipw assign /usr/sbin/scponlyc as a shell to those users instead of /bin/bash.

Done. Enjoy. 

P.S. There is also /usr/bin/scponly which also limits SSH usage to file transfers only but does not chroot users to their homedir.

----------

## SnEptUne

 *petu wrote:*   

>  *Cyberian-ZH wrote:*   Hi,
> 
> I am a former FTP user.  But recently I been reading some articles and threads.  I noticed some users say transfering files via FTP is not very secure.
> 
> What are secure ways to transfer files? 
> ...

 

There is a GPL win32 client for SFTP.  It is called FileZilla.

----------

## jh294

 *Quote:*   

> There is a GPL win32 client for SFTP. It is called FileZilla.

 

Personally I would recommned the following for Windows:

1) Cygwin.  Basically a Unix environment in Windows.

2) PuTTY.  "You need Putty to make Windows work" Author Unknown.

----------

## Buzzz

 *SnEptUne wrote:*   

>  *petu wrote:*   
> 
> For secure file transfers sftp is a good choise but the downside is that AFAIK it does not have a free windows client. SSH communication's win32 client can be downloaded from http://www.ssh.com/products/tectia/client/ 
> 
> There is a GPL win32 client for SFTP.  It is called FileZilla.

 

WinSCP also works pretty nice imho (also open source)   :Smile: 

----------

