> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Daniel Fazekas
> Sent: 24 August 2009 11:52
> To: [email protected]
> Subject: Re: Need to use ftps (NOT sftp) on RHAS4
>
> On Aug 24, 2009, at 11:19, MacIntyre, Ross A wrote:
>
> > Can someone tell me where I can get ftps, or how to enable another
> > piece of software to use the ftps protocol? (Looking about I see
> > that lftp is already on the machine [as is sftp] and the man page for
> > lftp says that it supports the ftps protocol if it is compiled with
> > the openssl library)
>
> Yes, either OpenSSL or GnuTLS will do.
> The current Fedora packages of lftp are built with GnuTLS, I'd assume
> RHEL is the same.
>
> If the server advertises TLS support, lftp will use it automatically
> by default.
>
> You can force ssl support so that lftp doesn't try logging on if it's
> not available:
>
>     set ftp:ssl-force true
First of all, thanks for the reply Daniel.

I have now got something working and it basically is a script that does this:

    HOST='ftps://remote_machine.com:990'
    /usr/bin/lftp << EOF
    open $HOST
    mirror -c . .
    quit
    EOF

I also put these in .ftprc:

    set ftp:ssl-auth TLS
    set ftp:ssl-force true
    set ftp:ssl-allow yes
    set ftp:ssl-protect-list yes
    set ftp:ssl-protect-data yes
    set ftp:ssl-protect-fxp yes

My username and password are in ~/.netrc.

And when I run in debug mode, I see this at the beginning:

    WARNING: Certificate verification: self signed certificate

And further down I see the username and password being exchanged. So I guess it just uses the username and password that I supplied in ~/.netrc.

> When it's not working, it will output an error message:
> Login failed: ftp:ssl-force is set and server does not support or
> allow SSL

Since I don't get this error message, can I assume that everything that is sent is encrypted?

As you can guess I am fairly new to ssl and certificates, but I need to be sure that the data I download is secure, so any help on this is hugely appreciated.

One last question. Can I put the setting of these 6 ftp:ssl-* variables in the script itself? I would have thought so, but looking at the output in verbose mode doesn't tell me.

Thanks again,
Ross

> You should also check out "man lftp" regarding the other ftp:ssl and
> ssl: options.
>
> In particular, you'll probably want to use "ssl:ca-file" and
> "ssl:verify-certificate" options to properly verify the ssl
> certificate on connection, to make sure that it's really your server
> lftp is sending the password to. The encryption on its own doesn't
> help much if you're communicating with a hijacked decoy server run by
> a bad guy. :)

--
Heriot-Watt University is a Scottish charity registered under charity number SC000278.
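Added example, not code from the thread or from either poster: a wrapper that answers both points raised above. lftp reads `set` commands from the same here-document as `open` and `mirror`, so the six `ftp:ssl-*` settings plus `ssl:verify-certificate` and `ssl:ca-file` can live in the script rather than in ~/.ftprc; and because the thread's own evidence that verification is not happening is the `Certificate verification: self signed certificate` line in the debug (`lftp -d`) output, the wrapper inspects that output and refuses to report success when it sees either that warning or the `ftp:ssl-force` login failure. `HOST` and `CA_FILE` are placeholders (the CA file is assumed to hold the CA that issued the server's certificate, or the self-signed certificate itself); the script assumes lftp is installed.

```shell
#!/bin/sh
# Added example (not from the thread): run lftp with every TLS setting given
# inline, pin the CA file, and treat the debug log as the proof of whether the
# certificate was actually verified.
# HOST and CA_FILE are placeholders; override them in the environment.

HOST="${HOST:-ftps://remote_machine.example:990}"                  # placeholder host
CA_FILE="${CA_FILE:-/etc/pki/tls/certs/remote_machine-ca.pem}"      # placeholder CA path

# Emit the lftp command script. Settings here apply only to this session, so
# nothing depends on ~/.ftprc existing on the machine that runs the job.
lftp_commands() {
    cat <<EOF
set ftp:ssl-auth TLS
set ftp:ssl-force true
set ftp:ssl-allow yes
set ftp:ssl-protect-list yes
set ftp:ssl-protect-data yes
set ftp:ssl-protect-fxp yes
set ssl:verify-certificate yes
set ssl:ca-file $CA_FILE
open $HOST
mirror -c . .
quit
EOF
}

# Scan lftp's debug output (file given as $1) for the two messages quoted in
# the thread. Returns 0 only when neither appears, i.e. the certificate
# verified against CA_FILE and TLS was negotiated before the password went out.
check_lftp_log() {
    if grep -q 'Certificate verification: self signed certificate' "$1"; then
        echo "certificate was NOT verified against $CA_FILE" >&2
        return 1
    fi
    if grep -q 'Login failed: ftp:ssl-force is set' "$1"; then
        echo "server refused TLS; nothing was transferred" >&2
        return 1
    fi
    return 0
}

# Run the mirror with debug output captured, then judge the log.
run_mirror() {
    log="$(mktemp)"
    lftp_commands | lftp -d > "$log" 2>&1
    check_lftp_log "$log"
}

# Only perform the transfer when explicitly asked, so the functions above can
# be sourced and exercised without a server.
if [ "${1:-}" = run ]; then
    run_mirror
fi
```

Invoke it as `HOST=ftps://your.server:990 CA_FILE=/path/to/ca.pem sh ftps-mirror.sh run`; a non-zero exit means the log showed the self-signed warning or the ssl-force refusal, which is the condition the thread describes as "not working" or "not verified".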
