ClearFoundation

Forums
Welcome, Guest
FTPS certificate
(1 viewing) 1 Guest
Go to bottomPage: 1
TOPIC: FTPS certificate
#9406
FTPS certificate 2 Years, 1 Month ago  
Hi,

In the process of getting functional FTPS I need to use an SSL/TLS certificate with private keys. Any idea how to generate it from ClearOS?

cheers

Haitham
Haitham Isac
Fresh Boarder
Posts: 4
 
#9467
Re:FTPS certificate 2 Years, 1 Month ago  
Hi Haitham,

According to some of the people that tried, this could be a tricky thing, as you can see in this post and beyond:
how to generate certificates

What you mean by a functional SFTP / FTPS, as you call it, & SSL/TLS, I don't know.
I connect to my ClearOS box with WinSCP (SFTP) and PuTTY (SSL).

  • How to connect with WinSCP
  • How to connect with PuTTY

If this is not what you mean or it doesn't help, you can ignore it and wait for someone else to respond.

    Greetings,

    John
    John
    Platinum Boarder
    Posts: 1259
     
    #9471
    Re:FTPS certificate 2 Years, 1 Month ago  
    Hi John,

    As far as I know, protocol FTPS on port (990) is different from protocol SFTP on port (22).

    check here

    I noted that flexshares refers to FTPS, which requires a different certificate algorithm from SFTP!

    However, I've tried both flavors of FTPing using different ports (22, 990, 2123) in combination with the user's private key downloaded from the ClearOS Security and keys page; still no luck.

    Also tried WinSCP and it comes back with a message indicating that the SFTP server is not running on my system (not sure if there is a special setting for SFTP or FTPS on ClearOS!).



    appreciate your help ..

    cheers
    Haitham Isac
    Fresh Boarder
    Posts: 4
     
    #9473
    Re:FTPS certificate 2 Years, 1 Month ago  
    Hi Haitham,

    You are welcome and as you noticed, I don't know everything but I learn a lot by trying so thanks for the info.

    I am not going into the certificates issue, because I already gave you all the information that I know.

    Check that the Core Services "Secure Shell" & "Gateway Services" are running.
    Also I assumed that you are running the latest ClearOS 5.1 SP1, but if this is not the case please tell us.
    Flexshares are AFAIK accessible through port 2121, but when browsing from a client (also with WinSCP (SFTP)), you should not get the message that you are reporting.

    I hope this helps or at least points you in the right direction.

    Greetings,

    John
    John
    Platinum Boarder
    Posts: 1259
    Last Edit: 2010/04/13 02:31 By Blanco.
     
    #37150
    Re:FTPS certificate 3 Months, 3 Weeks ago  
    Haitham Isac wrote:
    ...it comes back with a message indicating that SFTP server is not running on my system...

    You will find this very interesting.

    Using WinSCP, I am able to connect to port 22 using the settings listed below.



    There seems to be no problem when using "root" as the user. Now, using the same settings, I log in as myself (or any other user). Now I get the error message that Isac mentioned.



    This leads me to believe that there MUST be a place where I can allow/disallow a user to connect via SFTP. I also found this post which confirms my theory.

    We need a seasoned professional (PAGING Doctor Tim Burgess...) to give us the steps to add other users to have the ability to connect via SFTP.
    Luis Perez
    Senior Boarder
    Posts: 49
    Last Edit: 2012/01/31 04:04 By bitsmt.
     
    #37153
    Re:FTPS certificate 3 Months, 3 Weeks ago  
    Interesting. Using FTP with SSL or TLS Explicit allows me to connect, but doesn't pull up any data...

    I enabled the Flexshare, forced SSL, changed the default port to 2112, and enabled the Flexshare. This is what I got:



    In case there is any doubt about the FlexShare setup...

    Luis Perez
    Senior Boarder
    Posts: 49
    Last Edit: 2012/01/31 04:59 By bitsmt.
     
    #37164
    Re:FTPS certificate 3 Months, 3 Weeks ago  
    The acronyms are similar but entirely different, hopefully I can explain without confusing things (or myself!):-

    SFTP is version 2 of the "SSH File Transfer Protocol" which can be used to connect via the SSH port (22). This by default in ClearOS is only available to the root account, unless you have given shell permissions for other users. That is why your other users cannot use this method. To give a user shell access see
    www.clearfoundation.com/docs/howtos/addi...ll_access_for_a_user

    FTPS is FTP protocol transmitted using SSL to encrypt the connection (and sometimes the data). In ClearOS the root account cannot access the FTP service, only permitted users as specified in the webconfig. This applies to Flexshares, or default FTP. So when you enable FTPS in the webconfig, the communication port changes to 2123 instead of 2121, and it uses SSL to transmit the communication. (By default FTP commands / passwords are all transmitted as plain text in the clear!)

    To prevent connection issues using FTPS make sure you also open the passive port range, so that clients can connect back to the server for the data transmission (which happens over a random high port in the range specified).

    Now on to WinSCP, to configure it for FTPS see the following, and the notes on 'explicit' or 'implicit'
    winscp.net/eng/docs/ftps

    Note that from my experience Filezilla makes a better FTP client than WinSCP (not all are the same! and they all have their own quirks or commands, browsers are particularly bad). The FTP command restrictions on the base of a share mean that sometimes you can connect to ftp://mydomain.com:2121/flexshare but not ftp://mydomain.com:2121. This is down to the limitations on FTP commands and how the client software interprets directories or files.

    Hope that helps
    Tim Burgess
    Moderator
    Posts: 4623
    Last Edit: 2012/01/31 09:04 By timb80.
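
The SFTP/FTPS distinction and the passive-range advice in the answer above, as an added example that is not part of the original thread or of ClearOS: it names the service from the first bytes a port sends and checks a PASV reply against the firewall's open range. The function names are hypothetical, the sample replies are constructed, and 65000-65100 is the passive range quoted elsewhere in this thread.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_greeting(first_bytes: bytes) -> str:
    """Name the service from the first bytes it sends after TCP connect."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"     # SFTP runs inside SSH; the account needs shell access
    if re.match(rb"220[ -]", first_bytes):
        return "ftp"     # plain FTP, or explicit FTPS if AUTH TLS is accepted
    if not first_bytes:
        return "silent"  # consistent with implicit FTPS: TLS before any banner
    return "unknown"

def accepts_auth_tls(reply: bytes) -> bool:
    """Explicit FTPS (RFC 4217): a 234 reply to AUTH TLS means TLS starts next."""
    return reply.startswith(b"234")

def pasv_endpoint(reply: bytes):
    """Parse '227 ... (h1,h2,h3,h4,p1,p2)' into (ip_string, port)."""
    m = re.search(rb"\((\d{1,3}(?:,\d{1,3}){5})\)", reply)
    if not reply.startswith(b"227") or m is None:
        raise ValueError("not a 227 passive-mode reply")
    nums = [int(n) for n in m.group(1).split(b",")]
    if max(nums) > 255:
        raise ValueError("field out of range")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def check_passive(reply: bytes, open_range, client_on_lan: bool):
    """List reasons the data connection would fail; empty list means none found."""
    ip, port = pasv_endpoint(reply)
    low, high = open_range
    problems = []
    if not low <= port <= high:
        problems.append(f"data port {port} outside open range {low}-{high}")
    if not client_on_lan and any(ipaddress.ip_address(ip) in n for n in RFC1918):
        problems.append(f"server advertises private address {ip} to a WAN client")
    return problems

# Constructed sample replies, not captured from a real ClearOS system.
PASV_OK = b"227 Entering Passive Mode (203,0,113,10,253,240)\r\n"   # port 65008
PASV_BAD = b"227 Entering Passive Mode (192,168,1,1,195,80)\r\n"    # port 50000

if __name__ == "__main__":
    for banner in (b"SSH-2.0-OpenSSH_5.3\r\n", b"220 FTP server ready\r\n", b""):
        print(repr(banner), "->", classify_greeting(banner))
    for reply in (PASV_OK, PASV_BAD):
        print(check_passive(reply, (65000, 65100), client_on_lan=False))
```

With FTPS the control channel is encrypted, so a firewall cannot read the PASV reply and open the data port on demand; the passive range has to be opened statically and must match what the server hands out.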
     
    #37172
    Re:FTPS certificate 3 Months, 3 Weeks ago  
    That makes a lot of sense...of course I have to wonder why those choices were made. I presume for security. I am sure I will find out as I read on.

    One of the reasons I am looking at creating a secure FTP connection is that I want to create a link between a piece of software and the server as a backup solution. The software I will be using is called Cobian Backup. It is a fantastic solution with scheduling and support for Volume Shadow Copies. Version 10 even has 64-bit support. No annoying Security Elevation request on Vista/7 either.

    Would be amazingly great if we can get Cobian to work flawlessly with ClearOS.
    -------------------- ADDED EDIT 201101311030 --------------------
    Hmm...I think it is working. However, I am in the office on the LAN side of the ClearOS. When at home, I get errors. I suspect a Firewall problem?

    The following ports are open (and I'd rather close as many of them as possible!):

    FTP TCP 20
    FTP TCP 21
    Flexshare/FTP TCP 2121
    Flexshare/FTPS TCP 2123
    Passive FTP TCP 65000 : 65100

    I've directed the data to the default of 2123. Although it is connecting, I am finding that it will not create directories using port 2123.

    Couldn't create the remote directory "/Backups": /Backups: Permission denied

    This does not occur when I use port 21. Any ideas?
    Luis Perez
    Senior Boarder
    Posts: 49
    Last Edit: 2012/01/31 13:42 By bitsmt.
     