A little help setting up for SSH keys and connecting via SSL/TLS connections for FTPS

Posted by tribe_of_dan

This has been a little confusing to me. I've been doing transfers via SFTP instead. Can somebody run me through how to set this all up properly?

We recommend using SSH keys instead of passwords.

It is highly recommended you use only SSL/TLS connections for FTPS.
Compatible FTP-SSL/TLS clients are listed here:

http://omega8.cc/dev/ftp-tls.txt

I use FileZilla...

* FileZilla (Windows, OSX, Linux)
URL: http://filezilla-project.org/

SSL/TLS works. In the "Site details" dialog box, pick "FTP over TLS (explicit encryption)" as the "Servertype".
Reported by Philip Hallstrom.

If we could create a step-by-step guide, or link to a good step-by-step article, it would be good to add to the wiki.

Comments

you should search on google

Comment by smira

You should search on Google for one of the countless guides on "ssh public key authentication". Basically the principle is this:
- you generate an ssh key on your computer (in the form of 2 files, one with the .pub ending for public, the other without; these files usually live in the ~/.ssh folder)
- you upload your public key to the server in a predetermined location (usually ~/.ssh/authorized_keys)
That's it, next time you log into the server you won't have to enter a pw.
Make sure your ssh config file (located in /etc/ssh/sshd_config) has the following lines uncommented:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      %h/.ssh/authorized_keys

At this point you could also uncomment
PasswordAuthentication no
which would deny regular password authentication completely.
Of course the above modifications need to be made as root, and you will want to run /etc/init.d/ssh reload to enable the settings you changed.
I won't go any more in depth for now b/c it's really simple. It's one of those things that's kind of foreign and scary at first, but once you get it you'll be like "ohhhh, how did I live without this?" ... that's how it was for me ...
Hope this helps, have fun!
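The steps in the comment above, written out as a small POSIX shell script (an added example, not code from the thread or from BOA): one function installs a public key into a user's authorized_keys with the permissions sshd requires, and another audits an sshd_config for the settings listed. The paths, the sample key and the config fragments are constructed so it can be tried in a scratch directory first; note that RSAAuthentication only governed SSH protocol 1 and is no longer recognised by current OpenSSH, so the audit checks PubkeyAuthentication and PasswordAuthentication.

```shell
#!/bin/sh
# Added example: key installation and sshd_config audit for the SSH key
# setup described above. All paths are arguments, so nothing here touches
# a real server unless you point it at one.

# install_pubkey PUBKEY_FILE TARGET_HOME
# Appends the key once (idempotent) and fixes modes: with StrictModes (the
# default) sshd silently ignores keys in a group/world-writable ~/.ssh or
# authorized_keys, which is the usual reason "it still asks for a password".
install_pubkey() {
    pub="$1"; home="$2"
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
    if ! grep -qxF "$(cat "$pub")" "$home/.ssh/authorized_keys"; then
        cat "$pub" >> "$home/.ssh/authorized_keys"
    fi
}

# sshd_setting CONFIG KEYWORD
# Prints the effective value of a keyword: sshd uses the first uncommented
# occurrence, keyword matching is case-insensitive. Match blocks are not
# evaluated here, so check those by hand if the file has any.
sshd_setting() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == k { print $2; exit }' "$1"
}

# audit_sshd CONFIG
# Returns 0 only when key auth is on and password auth is off; prints the
# weak setting otherwise. Both keywords default to "yes" when absent, so a
# config that merely leaves "#PasswordAuthentication no" commented out fails.
audit_sshd() {
    cfg="$1"; rc=0
    pk=$(sshd_setting "$cfg" PubkeyAuthentication); [ -z "$pk" ] && pk=yes
    if [ "$pk" != yes ]; then echo "PubkeyAuthentication is $pk"; rc=1; fi
    pw=$(sshd_setting "$cfg" PasswordAuthentication); [ -z "$pw" ] && pw=yes
    if [ "$pw" != no ]; then echo "PasswordAuthentication is $pw"; rc=1; fi
    return $rc
}

# usage on a server, as root, after confirming key login works:
#   install_pubkey /path/to/id_rsa.pub /home/myuser
#   audit_sshd /etc/ssh/sshd_config && echo "password logins are disabled"
```

Run the audit before reloading sshd and keep an existing session open while you test, so a typo in the config cannot lock you out.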
Comment by AquaticDisorder

Concepts

This stuff is all new to me too, so here are some notes on what I think I have understood so far. I think that instruction might mean use sftp or ftps instead of standard unencrypted ftp, which you already are doing by the looks of it, tribe_of_dan.

I tend to think of it as: running the ssh-keygen command on my local machine provides a key and a lock (I'm lazy and don't use the -t rsa argument as rsa is the default anyway, and I don't add a password; I just press enter twice and leave it blank. Adding a password ensures that if somebody should get hold of your key they still need your password to use it).

* id_rsa (key - only exists once, on my local machine at /home/myuser/.ssh/id_rsa)
* id_rsa.pub (lock - found on my local machine in /home/myuser/.ssh/id_rsa.pub; its actual content is what goes into the /var/aegir/.ssh/authorized_keys and /home/myuser/.ssh/authorized_keys files on my server)

I believe it is possible to use multiple keys and locks in the correct files; however, the lock supposedly cannot be reverse engineered to find the key, so I KISS (b/c I am stupid) and use the same lock in different places. Above you can see I am using the same lock to log in as the aegir user as I am for logging in as myuser. Another example would be as follows: I use the same lock (id_rsa.pub) again for GitHub as I do on my development server, and therefore the same key (id_rsa), which still only exists once, in /home/myuser/.ssh/id_rsa on my local machine.

I tend to think of the authorized_keys file as a door: it can have many locks, but you only need a key for one of the locks to be able to open the door.

As you can see then, on my development server I create and add my own user to the sudoers file to replace the root user login. I use the same lock for my own user, which I create for carrying out day-to-day admin to replace root, and for the aegir system user, which I gave a shell using
* chsh -s /bin/bash aegir (which is detailed here; notice also the requirement of logging in with the command line once so that an entry is made in the known_hosts file).
This allows me to easily access my server as the aegir user or my own user, from my own user account on my local machine (note: I don't need an aegir user on my local machine for this to work).

So where does Linux come into it?

Recently I discovered the shortcomings of shared hosting and realized Drupal is best run on a VPS and Linux, so I decided to switch my O/S over so as to gain some experience prior to taking on a VPS and the bill which results!
So I use Kubuntu (a linux distro which kicks ass) on my desktop.
I am then using the same ext3 file-system type as my server instead of the ntfs used by Windows. This increased compatibility can't hurt and is why I don't even need separate programs like putty or filezilla: I have the linux command line at my disposal and I have dolphin (equivalent of windoze explorer). Dolphin has built-in sftp capability which allows me to add my server as a network location using ssh; I just choose ssh, enter a name for the connection, the name of the user I want to be logged in as on the server, the server ip and ssh port number, and the directory on the server to use, e.g. I use /var/aegir for my aegir user login to start in.

So once I have my ssh keys set up and I've added the server as a network location, I add that to "my places".
Then I add an activity (activities = desktops in kubuntu) to my local machine called something like "server-live-view" (not really "KISS" compliant, but I like to keep things separate).
From this point I can view my server as the aegir user as if it was a directory on my local machine, so next I add a folder view to the desktop of my "server-live-view" activity and set it to my new network location place, i.e. /var/aegir.

As smirro2000 states, once you know your ssh-key login is working you can disable password authentication to stop anybody guessing at your password. I also add myuser to the aegir group so I can access aegir directories etc. without having to switch to the aegir user, but that's another story and not without its own caveats!

The main reason I set up like this is that I am accustomed to a gui; this setup helps me to visualize what's going on. The main thing I use it for is to "view" directories and files on my server.
I can open server files to edit in my text editor and create or drag and drop files etc straight into directories on my server and all as the aegir user, I just keep a close eye on owners and permissions when doing so.

Disclaimer

As I said, I'm new to Linux sys-admin and completely unqualified. I am learning as I go and it is entirely possible for me to be wrong (ADis goes red) and highly likely I veer away from best practice at times. Also, I have never used a Mac, but as I understand it Mac O/S is unix based and therefore may offer some or all of these capabilities that kubuntu does; the only problem for "me" is Macs cost $$$, especially here in "Rip-off Britain", besides which it's proprietary software and I have limited resources at my disposal and also I am very tight hehe.
This is just my two cents and how I do ssh and sftp, so please don't just take my word for it and good luck >=)
