Sending Files w/o Sending Clear Passwords?
Ambush_Bug asks: "I've done some googling around, but to no avail. I'm wondering if the Slashdot knows of a remote login protocol which exists in security space somewhere between ssh & rsh/ftp/telnet. Basically, the point is that I don't care if my data are encrypted, but I'd rather not send my password around as plaintext. I'm sending extremely large astronomical images which don't compress very well (noisy backgrounds...) and sftp is just too slow, but our sysadmin isn't fond of rcp, ftp and the like. Is there something in between?"
Push 'em. (Score:3, Informative)
SCP (Score:2, Informative)
Re:SCP (with -c none) (Score:3, Informative)
It isn't always enabled; your admin may have to set it up. Google around for the details.
One-time passwords (Score:4, Informative)
Look into libpam-opie on linux or s/key on the *BSDs for more info. Some good background is available from the FreeBSD manual:
http://www.freebsd.org/doc/en_US.ISO8859-1/book
It integrates well with most of the "basic" services on those OSes, so you shouldn't have much trouble getting it off the ground.
The one pain is that you have to look up a new password off of a card or piece of paper every time you log in. Alternatively, some programs allow you to compute the OTP challenge/response on the fly (you could even write a script to help you out if you do this often enough).
Definitely worth a look...
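The hash chain behind S/Key and OPIE, as an added example that is not part of the comment above: the MD5 variant from RFC 2289 (hash the lowercased seed plus passphrase, fold the 16-byte digest to 8 bytes, and re-hash once per sequence number), together with a minimal verifier that stores only the next expected hash, so neither the passphrase nor a reusable password ever crosses the wire. The `OtpServer` class and the `otp-md5` challenge string are assumptions for illustration, not code from any OTP package.

```python
import hashlib


def _fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 8 bytes by XORing the two halves (RFC 2289)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_key(passphrase: str, seed: str, count: int) -> bytes:
    """One-time password number `count`: step 0 hashes seed+passphrase,
    every further step re-hashes the previous 8-byte result.  The seed is
    lowercased before use, as RFC 2289 requires."""
    key = _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(count):
        key = _fold(hashlib.md5(key).digest())
    return key


def otp_hex(passphrase: str, seed: str, count: int) -> str:
    """The same value in the 16-hex-digit form OTP calculators print."""
    return otp_key(passphrase, seed, count).hex().upper()


class OtpServer:
    """Hypothetical verifier: holds the seed, the sequence number of the last
    accepted password and that password's hash.  It never sees the passphrase."""

    def __init__(self, seed: str, count: int, last_key: bytes):
        self.seed, self.count, self.stored = seed, count, last_key

    def challenge(self) -> str:
        # The client must answer with password number count-1.
        return f"otp-md5 {self.count - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        """Accept iff hashing the response once yields the stored value.
        A replayed response fails because H(x) != x, and the chain only moves backwards."""
        if self.count <= 0:
            return False  # sequence exhausted; the user must re-initialise
        if _fold(hashlib.md5(response).digest()) != self.stored:
            return False
        self.stored, self.count = response, self.count - 1
        return True


if __name__ == "__main__":
    # Constructed enrolment: the user computes password 99 offline and registers it.
    srv = OtpServer("TeSt", 99, otp_key("This is a test.", "TeSt", 99))
    print(srv.challenge())
    print(srv.verify(otp_key("This is a test.", "TeSt", 98)))  # True
```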
Re:SCP (with -c none) (Score:2, Informative)
very simple - tunnel ftp over SSH (Score:4, Informative)
You just need to tunnel 21 through SSH, and leave 20 unencrypted.
Very simple technique, but very powerful. I use SSH tunneling everyday.
OpenSSH supports tunneling, and the Windows download from http://www.ssh.com also supports it. Takes 3 mins to set up the tunnel.
Try a faster cipher (Score:5, Informative)
To tell sftp to tell ssh to use blowfish I believe you need "sftp -oCipher=blowfish"
SFTP slowness (Score:4, Informative)
There are a couple of other things that can slow SFTP and SCP down:
Apparently, when using OpenSSH, you'll want to use the -B option to bump up the internal buffer size way beyond the 32768 byte default.
How about kerberos? (Score:4, Informative)
"Kerberos is a network authentication protocol created by MIT which uses symmetric key cryptography to authenticate users to network services -- eliminating the need to send passwords over the network. When users authenticate to network services using Kerberos, unauthorized users attempting to gather passwords by monitoring network traffic are effectively thwarted."
Just find yourself an FTP client and server that both support Kerberos. Here's a few links to get you started:
Kerberos section of the RedHat 9 manual:
http://www.redhat.com/docs/manuals/linux
Kerberos FAQ:
http://www.cmf.nrl.navy.mil/CCS/people/kenh
MIT Kerberos page:
http://web.mit.edu/kerberos/www/
Re:Try a faster cipher (Score:4, Informative)
I use scp, and so the command I issue is
scp -c blowfish SomeFile me@TargetHost:/somepath
On my 11Mb/s 802.11 network I am capped by bandwidth, not by CPU.
Use rsync direct over tcp (Score:2, Informative)
In this case you are using rsync directly over tcp/ip connections, sometimes called "daemon mode".
This mode features:
o high-strength crypto on passwords, but no encryption of data.
o passwords that are 100% independent of the system passwords.
o 100% streaming, even with large numbers of small files.
o restart of failed transfers where they left off.
o delta transfers for files where only parts change.
o optional gzip style compression.
o plus a lot more neat stuff.
Info on rsync is at:
http://rsync.samba.org
If you have a Linux system with xinetd or equivalent, there is a good chance that you already have an
rsync directly on top of tcp/ip is how most "mirror sites" sync to their masters. It is about the only "practical" way to send gigabytes over the internet.
A couple of caveats. If stuff is twitchy, try to use the latest version of rsync (2.5.6) on both ends. Also, if you use the --compress option with already compressed (or encrypted data), there is a gziplib boundary bug. There are patches for this, but if you are sending uncompressable data, just leave off the --compress option.
Re:SCP (Score:1, Informative)
correcting mis-information, and a solution (Score:4, Informative)
Second, if you can afford some slowdown, use -c blowfish. The default is usually 3DES, which is incredibly slow. Blowfish is 11 times faster.
Finally, if you have some control over what applications are installed at each end, look into SafeTP [berkeley.edu]. It encrypts the password, but not the data. Exactly what you asked for.
Re:correcting mis-information, and a solution (Score:3, Informative)
So, -c none only with RSA authentication, please.
Re:OTP Calculators (Score:1, Informative)
STRIP [zetetic.net] will store your passwords and calculate OTPs too.