Secure FTP - Ftps
Introduction
The Unix FTP service is available for offsite access from ftp.csc.liv.ac.uk with an FTP server that supports Ftps (more commonly known as FTP over SSL).
Login access to the service is via anonymous or local user accounts.
ANNOUNCE: due to a change of policy by Computing Services the secure Unix FTP service will not be available externally after 08//2/12.
FTP facilitates bulk data transfers by allowing recovery from aborted network connections.
Secure FTP should not be confused with SFTP file transfer via the SSH protocol, which uses encrypted channels and public/private key authentication.
See here for information about making SFTP encrypted file transfers.
Security
Access security is certificate based and encrypted transfers are made via the Secure Sockets Layer or SSL - a unique certificate identifies the departmental server.
File transfers from your local account require an SSL enabled FTP client. Authentication is via a password, which must always be sent over an encrypted connection.
Encryption of subsequent data listings and transfers depends upon negotiations between the client and server.
N.b. if login authorisation consistently fails, try re-setting your Windows password, which will also update your password on the FTP server.
When connecting to the department from an external host you may encounter a warning from your client about the server certificate authority not being trusted - to authenticate the identity of the department's FTP server a client will need a copy of the LUCS certificate authority certificate - copies may be obtained from lucsca@csc.liv.ac.uk .
Installing a CA certificate on a Windows system is usually performed by its certificate wizard.
On Unix systems the directory to which certificates should be copied varies according to the O.S. version and local site policy. Example locations include:
/etc/pki/tls/certs
/opt/openssl/certs
To access our site a client does not need to identify itself with a client certificate.
FTP Clients
Due to University security policy the standard Unix ftp command may only be used for anonymous FTP access.
Various commercial SSL enabled products are available but only the freeware mentioned below has been tested with our FTP server:
- CoreFTP Lite
  A Windows client available for download from Computer Services, though their notes only discuss making SSH connections.
  See here for an example SSL connection profile.
- lftp
  Standard on most Linux distributions and usually SSL enabled, lftp has a shell-like command syntax that allows parallel command issue.
  See here for notes.
- cURL
  A command line tool for transferring files, over a variety of protocols (including Ftps), using a URL syntax. curl is particularly suited for scripting and has been widely ported among Unix and Linux systems.
  See here for notes.
Server Notes
The current server policy does not enforce SSL session reuse when using SSL for data transfers or directory listings, as this setting is not supported by some clients.
When setting up an FTP client be sure to specify "AUTH TLS" as the SSL mode of negotiation.
This is the recommended[1] way of doing things.
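The requirements from the Security section and the "AUTH TLS" note above, put together as a Python ftplib client that refuses to send the password or move data unless the channel is encrypted. This is an added example, not the department's own code; the CA filename lucs-ca.pem and the names StrictFTPS, PlaintextRefused, strict_context and list_dir are assumptions made for illustration.

```python
import ssl
from ftplib import FTP_TLS, Error

HOST = "ftp.csc.liv.ac.uk"   # server named on this page
CA_FILE = "lucs-ca.pem"      # assumed local filename for the LUCS CA certificate
DATA_VERBS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "STOU", "APPE"}


class PlaintextRefused(Error):
    """Raised instead of sending a command that would travel unprotected."""


def strict_context(ca_file=None):
    """Client context: certificate and hostname checks on, trusting only ca_file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


class StrictFTPS(FTP_TLS):
    """FTP_TLS that fails closed rather than falling back to cleartext."""

    def putcmd(self, line):
        verb = line.split(" ", 1)[0].upper()
        if verb in {"USER", "PASS"} and not isinstance(self.sock, ssl.SSLSocket):
            raise PlaintextRefused(f"{verb} before AUTH TLS completed")
        # _prot_p is ftplib's internal flag, set by FTP_TLS.prot_p()
        if verb in DATA_VERBS and not self._prot_p:
            raise PlaintextRefused(f"{verb} without PROT P")
        super().putcmd(line)


def list_dir(user, password, path=".", host=HOST, ca_file=CA_FILE):
    """List a directory over explicit FTPS with both channels encrypted."""
    ftps = StrictFTPS(context=strict_context(ca_file), timeout=30)
    ftps.connect(host, 21)
    ftps.auth()            # sends AUTH TLS, then verifies the server certificate
    ftps.login(user, password)
    ftps.prot_p()          # PBSZ 0 + PROT P: encrypt listings and transfers
    try:
        return ftps.nlst(path)
    finally:
        ftps.close()
```

If the CA file is missing or the server certificate does not chain to it, the connection fails before any credentials are sent.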
For help and advice about building and configuring FTP clients to work with our FTP server please contact: d.j.nixon@csc.liv.ac.uk .
References
[1] Ftps - RFC4217 - state of play.