Does OpenSSH Automatically Encrypt All File Transfers Out Of The Box? Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern) Come Celebrate our 10 Year Anniversary!How to put desired umask with SFTP?Options for an SFTP server on a Windows MachineSQL Server Column Level Encryption - Rotating KeysHow to specify file permission when putting a file using OpenSSH sftp commandDoes OpenSSH SFTP server use umask or preserve client side permissions after put command (chrooted environment)?How to detect or log interrupted uploads with OpenSSH SFTP server?Set Initial Remote Working Directory in SFTPLoad Balanced SFTP ServerNginx ciphers settingsHow to encrypt Samba traffic?
Estimated State payment too big --> money back; + 2018 Tax Reform
I'm having difficulty getting my players to do stuff in a sandbox campaign
Unable to start mainnet node docker container
Writing Thesis: Copying from published papers
Is above average number of years spent on PhD considered a red flag in future academia or industry positions?
How should I respond to a player wanting to catch a sword between their hands?
What's the point in a preamp?
Determine whether f is a function, an injection, a surjection
90's book, teen horror
How can I make names more distinctive without making them longer?
How to politely respond to generic emails requesting a PhD/job in my lab? Without wasting too much time
Simulating Exploding Dice
What is the order of Mitzvot in Rambam's Sefer Hamitzvot?
3 doors, three guards, one stone
Why does this iterative way of solving of equation work?
What loss function to use when labels are probabilities?
Can I throw a longsword at someone?
Choo-choo! Word trains
Replacing HDD with SSD; what about non-APFS/APFS?
No baking right
How do you clear the ApexPages.getMessages() collection in a test?
Fishing simulator
What do you call the holes in a flute?
Who can trigger ship-wide alerts in Star Trek?
Does OpenSSH Automatically Encrypt All File Transfers Out Of The Box?
Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)
Come Celebrate our 10 Year Anniversary!How to put desired umask with SFTP?Options for an SFTP server on a Windows MachineSQL Server Column Level Encryption - Rotating KeysHow to specify file permission when putting a file using OpenSSH sftp commandDoes OpenSSH SFTP server use umask or preserve client side permissions after put command (chrooted environment)?How to detect or log interrupted uploads with OpenSSH SFTP server?Set Initial Remote Working Directory in SFTPLoad Balanced SFTP ServerNginx ciphers settingsHow to encrypt Samba traffic?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
Please help me dispel any confusion I may have about my Windows 2019 Server OpenSSH SFTP configuration. I've seen online that there are so many different ways to set this up and I'm trying to make heads or tails of it. I've currently got it working fine with username/password authentication against ActiveDirectory. My goal is to make SFTP use as simple as possible for my client users from their very first experience with it--while at the same time maintain a high degree of data security during file transfers by employing encryption.
Unfortunately, my experience with encryption is that I must create client certificates that have to be imported by client computers in order for data transmissions to be encrypted between them and my server. This is the case when I set up a VPN, for example. It's complicated.
Likewise, I thought I had to use the SSH keygen commands to create keys that I would then have to install on my client computers as well as on my server in order to enable OpenSSH's SFTP to safely encrypt file transfers. This makes the process somewhat tedious for my clients.
However, I am seeing now that upon initial login into my SFTP server, I get an interactive warning stating,
The authenticity of host 'blablabla.booboo.beep.haha.com
(xxx.xxx.xxx.xxx)' can't be established. ECDSA key fingerprint is
SHA256:XYZA3yyyyyGGGG/aaaaaYYYYYNosUXXXXGi/NNNNN1iE. Are you sure you
want to continue connecting (yes/no)?
If I say "yes", then I get,
Warning: Permanently added
'blablabla.booboo.beep.haha.com' (ECDSA) to the list of known
hosts.
Consequently, in my profile's .ssh folder, a known_hosts file gets a long random string appended to it which links back to my server name. That string isn't exactly the same as the interactive SFTP message I saw, but there must be some relation.
Does the above mean that some unique server key from my Windows 2019 OpenSSH installation has already been exchanged automatically with my Windows 10 client, thereby making it unnecessary for me to have to manually import any keys in either machine in order to encrypt the data transfers henceforth? That would be a sweet out-of-the-box experience!
If it's not so, then is there a way to get encryption to work with minimal effort (i.e., no additional steps required by client users other than establishing their SFTP session) and still prevent data snooping during file transfers?
For example, web servers can get a SSL/TLS certificate installed to secure and encrypt communications with web visitors, yet the web visitors usually don't have to consciously install any client side certificates for that to work. I understand those certificates are purchased by web hosts and can be automatically validated by any client web browser worldwide with trustworthy third-party sources.
Is such an easy-to-use scenario possible with SFTP, or are there any other easy alternatives that can keep my data transfers secure without having to complicate the initial client user setup?
sftp encryption
asked Apr 9 at 23:18
ShieldOfSalvationShieldOfSalvation
1247
|
show 1 more comment
Please help me dispel any confusion I may have about my Windows 2019 Server OpenSSH SFTP configuration. I've seen online that there are so many different ways to set this up and I'm trying to make heads or tails of it. I've currently got it working fine with username/password authentication against ActiveDirectory. My goal is to make SFTP use as simple as possible for my client users from their very first experience with it--while at the same time maintain a high degree of data security during file transfers by employing encryption.
Unfortunately, my experience with encryption is that I must create client certificates that have to be imported by client computers in order for data transmissions to be encrypted between them and my server. This is the case when I set up a VPN, for example. It's complicated.
Likewise, I thought I had to use the SSH keygen commands to create keys that I would then have to install on my client computers as well as on my server in order to enable OpenSSH's SFTP to safely encrypt file transfers. This makes the process somewhat tedious for my clients.
However, I am seeing now that upon initial login into my SFTP server, I get an interactive warning stating,
The authenticity of host 'blablabla.booboo.beep.haha.com
(xxx.xxx.xxx.xxx)' can't be established. ECDSA key fingerprint is
SHA256:XYZA3yyyyyGGGG/aaaaaYYYYYNosUXXXXGi/NNNNN1iE. Are you sure you
want to continue connecting (yes/no)?
If I say "yes", then I get,
Warning: Permanently added
'blablabla.booboo.beep.haha.com' (ECDSA) to the list of known
hosts.
Consequently, in my profile's .ssh folder, a known_hosts file gets a long random string appended to it which links back to my server name. That string isn't exactly the same as the interactive SFTP message I saw, but there must be some relation.
Does the above mean that some unique server key from my Windows 2019 OpenSSH installation has already been exchanged automatically with my Windows 10 client, thereby making it unnecessary for me to have to manually import any keys in either machine in order to encrypt the data transfers henceforth? That would be a sweet out-of-the-box experience!
If it's not so, then is there a way to get encryption to work with minimal effort (i.e., no additional steps required by client users other than establishing their SFTP session) and still prevent data snooping during file transfers?
For example, web servers can get a SSL/TLS certificate installed to secure and encrypt communications with web visitors, yet the web visitors usually don't have to consciously install any client side certificates for that to work. I understand those certificates are purchased by web hosts and can be automatically validated by any client web browser worldwide with trustworthy third-party sources.
Is such an easy-to-use scenario possible with SFTP, or are there any other easy alternatives that can keep my data transfers secure without having to complicate the initial client user setup?
sftp encryption
asked Apr 9 at 23:18
ShieldOfSalvationShieldOfSalvation
1247
The authenticity of host ... Are you sure you want to continue connecting (yes/no)?prompt , followed by an answer of “yes” without further inspection of the fingerprint of the key- does not secure your users against “man in the middle” type of attacks but otherwise you get pretty good transport security and encryption.
– HBruijn
Apr 9 at 23:30
So supposing I give my fingerprint detail in text form to my users to visually verify against what they see in the interactive warning, would that suffice? I suppose that's what the warning's cryptic information is intended to be used for. Are you saying that in fact, encryption is already active for my file transfers from here on?
– ShieldOfSalvation
Apr 9 at 23:33
Yes, inspect the fingerprint over a second independent channel (other options than manual exist with for instance instance tools.ietf.org/html/rfc4255) and if good then scp, sftp And ssh will be encrypted
– HBruijn
Apr 9 at 23:45
That's fantastic! I did follow your RFC link, but unfortunately Azure (my server host) does not currently support DNSSEC. This desired feature is gathering support though! (feedback.azure.com/forums/217313-networking/suggestions/…) For now, I guess it will have to be a manual verification.
– ShieldOfSalvation
Apr 9 at 23:52
Why not use something like FileZilla as the SFTP client? It would be much easier than the command line for the vast majority of users.
– Michael Hampton♦
Apr 10 at 0:47
|
show 1 more comment
Please help me dispel any confusion I may have about my Windows 2019 Server OpenSSH SFTP configuration. I've seen online that there are so many different ways to set this up and I'm trying to make heads or tails of it. I've currently got it working fine with username/password authentication against ActiveDirectory. My goal is to make SFTP use as simple as possible for my client users from their very first experience with it--while at the same time maintain a high degree of data security during file transfers by employing encryption.
Unfortunately, my experience with encryption is that I must create client certificates that have to be imported by client computers in order for data transmissions to be encrypted between them and my server. This is the case when I set up a VPN, for example. It's complicated.
Likewise, I thought I had to use the SSH keygen commands to create keys that I would then have to install on my client computers as well as on my server in order to enable OpenSSH's SFTP to safely encrypt file transfers. This makes the process somewhat tedious for my clients.
However, I am seeing now that upon initial login into my SFTP server, I get an interactive warning stating,
The authenticity of host 'blablabla.booboo.beep.haha.com
(xxx.xxx.xxx.xxx)' can't be established. ECDSA key fingerprint is
SHA256:XYZA3yyyyyGGGG/aaaaaYYYYYNosUXXXXGi/NNNNN1iE. Are you sure you
want to continue connecting (yes/no)?
If I say "yes", then I get,
Warning: Permanently added
'blablabla.booboo.beep.haha.com' (ECDSA) to the list of known
hosts.
Consequently, in my profile's .ssh folder, a known_hosts file gets a long random string appended to it which links back to my server name. That string isn't exactly the same as the interactive SFTP message I saw, but there must be some relation.
Does the above mean that some unique server key from my Windows 2019 OpenSSH installation has already been exchanged automatically with my Windows 10 client, thereby making it unnecessary for me to have to manually import any keys in either machine in order to encrypt the data transfers henceforth? That would be a sweet out-of-the-box experience!
If it's not so, then is there a way to get encryption to work with minimal effort (i.e., no additional steps required by client users other than establishing their SFTP session) and still prevent data snooping during file transfers?
For example, web servers can get a SSL/TLS certificate installed to secure and encrypt communications with web visitors, yet the web visitors usually don't have to consciously install any client side certificates for that to work. I understand those certificates are purchased by web hosts and can be automatically validated by any client web browser worldwide with trustworthy third-party sources.
Is such an easy-to-use scenario possible with SFTP, or are there any other easy alternatives that can keep my data transfers secure without having to complicate the initial client user setup?
sftp encryption
asked Apr 9 at 23:18
ShieldOfSalvationShieldOfSalvation
1247
Please help me dispel any confusion I may have about my Windows 2019 Server OpenSSH SFTP configuration. I've seen online that there are so many different ways to set this up and I'm trying to make heads or tails of it. I've currently got it working fine with username/password authentication against ActiveDirectory. My goal is to make SFTP use as simple as possible for my client users from their very first experience with it--while at the same time maintain a high degree of data security during file transfers by employing encryption.
Unfortunately, my experience with encryption is that I must create client certificates that have to be imported by client computers in order for data transmissions to be encrypted between them and my server. This is the case when I set up a VPN, for example. It's complicated.
Likewise, I thought I had to use the SSH keygen commands to create keys that I would then have to install on my client computers as well as on my server in order to enable OpenSSH's SFTP to safely encrypt file transfers. This makes the process somewhat tedious for my clients.
However, I am seeing now that upon initial login into my SFTP server, I get an interactive warning stating,
The authenticity of host 'blablabla.booboo.beep.haha.com
(xxx.xxx.xxx.xxx)' can't be established. ECDSA key fingerprint is
SHA256:XYZA3yyyyyGGGG/aaaaaYYYYYNosUXXXXGi/NNNNN1iE. Are you sure you
want to continue connecting (yes/no)?
If I say "yes", then I get,
Warning: Permanently added
'blablabla.booboo.beep.haha.com' (ECDSA) to the list of known
hosts.
Consequently, in my profile's .ssh folder, a known_hosts file gets a long random string appended to it which links back to my server name. That string isn't exactly the same as the interactive SFTP message I saw, but there must be some relation.
Does the above mean that some unique server key from my Windows 2019 OpenSSH installation has already been exchanged automatically with my Windows 10 client, thereby making it unnecessary for me to have to manually import any keys in either machine in order to encrypt the data transfers henceforth? That would be a sweet out-of-the-box experience!
If it's not so, then is there a way to get encryption to work with minimal effort (i.e., no additional steps required by client users other than establishing their SFTP session) and still prevent data snooping during file transfers?
For example, web servers can get a SSL/TLS certificate installed to secure and encrypt communications with web visitors, yet the web visitors usually don't have to consciously install any client side certificates for that to work. I understand those certificates are purchased by web hosts and can be automatically validated by any client web browser worldwide with trustworthy third-party sources.
Is such an easy-to-use scenario possible with SFTP, or are there any other easy alternatives that can keep my data transfers secure without having to complicate the initial client user setup?
sftp encryption
sftp encryption
asked Apr 9 at 23:18
ShieldOfSalvationShieldOfSalvation
1247
asked Apr 9 at 23:18
ShieldOfSalvationShieldOfSalvation
1247
edited Apr 9 at 23:28
ShieldOfSalvation
asked Apr 9 at 23:18
ShieldOfSalvationShieldOfSalvation
1247
asked Apr 9 at 23:18
ShieldOfSalvationShieldOfSalvation
1247
asked Apr 9 at 23:18
ShieldOfSalvationShieldOfSalvation
1247
1247
The authenticity of host ... Are you sure you want to continue connecting (yes/no)?prompt , followed by an answer of “yes” without further inspection of the fingerprint of the key- does not secure your users against “man in the middle” type of attacks but otherwise you get pretty good transport security and encryption.
– HBruijn
Apr 9 at 23:30
So supposing I give my fingerprint detail in text form to my users to visually verify against what they see in the interactive warning, would that suffice? I suppose that's what the warning's cryptic information is intended to be used for. Are you saying that in fact, encryption is already active for my file transfers from here on?
– ShieldOfSalvation
Apr 9 at 23:33
Yes, inspect the fingerprint over a second independent channel (other options than manual exist with for instance instance tools.ietf.org/html/rfc4255) and if good then scp, sftp And ssh will be encrypted
– HBruijn
Apr 9 at 23:45
That's fantastic! I did follow your RFC link, but unfortunately Azure (my server host) does not currently support DNSSEC. This desired feature is gathering support though! (feedback.azure.com/forums/217313-networking/suggestions/…) For now, I guess it will have to be a manual verification.
– ShieldOfSalvation
Apr 9 at 23:52
Why not use something like FileZilla as the SFTP client? It would be much easier than the command line for the vast majority of users.
– Michael Hampton♦
Apr 10 at 0:47
|
show 1 more comment
The authenticity of host ... Are you sure you want to continue connecting (yes/no)?prompt , followed by an answer of “yes” without further inspection of the fingerprint of the key- does not secure your users against “man in the middle” type of attacks but otherwise you get pretty good transport security and encryption.
– HBruijn
Apr 9 at 23:30
So supposing I give my fingerprint detail in text form to my users to visually verify against what they see in the interactive warning, would that suffice? I suppose that's what the warning's cryptic information is intended to be used for. Are you saying that in fact, encryption is already active for my file transfers from here on?
– ShieldOfSalvation
Apr 9 at 23:33
Yes, inspect the fingerprint over a second independent channel (other options than manual exist with for instance instance tools.ietf.org/html/rfc4255) and if good then scp, sftp And ssh will be encrypted
– HBruijn
Apr 9 at 23:45
That's fantastic! I did follow your RFC link, but unfortunately Azure (my server host) does not currently support DNSSEC. This desired feature is gathering support though! (feedback.azure.com/forums/217313-networking/suggestions/…) For now, I guess it will have to be a manual verification.
– ShieldOfSalvation
Apr 9 at 23:52
Why not use something like FileZilla as the SFTP client? It would be much easier than the command line for the vast majority of users.
– Michael Hampton♦
Apr 10 at 0:47
The authenticity of host ... Are you sure you want to continue connecting (yes/no)? prompt , followed by an answer of “yes” without further inspection of the fingerprint of the key- does not secure your users against “man in the middle” type of attacks but otherwise you get pretty good transport security and encryption.– HBruijn
Apr 9 at 23:30
The authenticity of host ... Are you sure you want to continue connecting (yes/no)? prompt , followed by an answer of “yes” without further inspection of the fingerprint of the key- does not secure your users against “man in the middle” type of attacks but otherwise you get pretty good transport security and encryption.– HBruijn
Apr 9 at 23:30
So supposing I give my fingerprint detail in text form to my users to visually verify against what they see in the interactive warning, would that suffice? I suppose that's what the warning's cryptic information is intended to be used for. Are you saying that in fact, encryption is already active for my file transfers from here on?
– ShieldOfSalvation
Apr 9 at 23:33
So supposing I give my fingerprint detail in text form to my users to visually verify against what they see in the interactive warning, would that suffice? I suppose that's what the warning's cryptic information is intended to be used for. Are you saying that in fact, encryption is already active for my file transfers from here on?
– ShieldOfSalvation
Apr 9 at 23:33
Yes, inspect the fingerprint over a second independent channel (other options than manual exist with for instance instance tools.ietf.org/html/rfc4255) and if good then scp, sftp And ssh will be encrypted
– HBruijn
Apr 9 at 23:45
Yes, inspect the fingerprint over a second independent channel (other options than manual exist with for instance instance tools.ietf.org/html/rfc4255) and if good then scp, sftp And ssh will be encrypted
– HBruijn
Apr 9 at 23:45
That's fantastic! I did follow your RFC link, but unfortunately Azure (my server host) does not currently support DNSSEC. This desired feature is gathering support though! (feedback.azure.com/forums/217313-networking/suggestions/…) For now, I guess it will have to be a manual verification.
– ShieldOfSalvation
Apr 9 at 23:52
That's fantastic! I did follow your RFC link, but unfortunately Azure (my server host) does not currently support DNSSEC. This desired feature is gathering support though! (feedback.azure.com/forums/217313-networking/suggestions/…) For now, I guess it will have to be a manual verification.
– ShieldOfSalvation
Apr 9 at 23:52
Why not use something like FileZilla as the SFTP client? It would be much easier than the command line for the vast majority of users.
– Michael Hampton♦
Apr 10 at 0:47
Why not use something like FileZilla as the SFTP client? It would be much easier than the command line for the vast majority of users.
– Michael Hampton♦
Apr 10 at 0:47
|
show 1 more comment
0
active
oldest
votes
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f962330%2fdoes-openssh-automatically-encrypt-all-file-transfers-out-of-the-box%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f962330%2fdoes-openssh-automatically-encrypt-all-file-transfers-out-of-the-box%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
The authenticity of host ... Are you sure you want to continue connecting (yes/no)?prompt , followed by an answer of “yes” without further inspection of the fingerprint of the key- does not secure your users against “man in the middle” type of attacks but otherwise you get pretty good transport security and encryption.– HBruijn
Apr 9 at 23:30
So supposing I give my fingerprint detail in text form to my users to visually verify against what they see in the interactive warning, would that suffice? I suppose that's what the warning's cryptic information is intended to be used for. Are you saying that in fact, encryption is already active for my file transfers from here on?
– ShieldOfSalvation
Apr 9 at 23:33
Yes, inspect the fingerprint over a second independent channel (other options than manual exist with for instance instance tools.ietf.org/html/rfc4255) and if good then scp, sftp And ssh will be encrypted
– HBruijn
Apr 9 at 23:45
That's fantastic! I did follow your RFC link, but unfortunately Azure (my server host) does not currently support DNSSEC. This desired feature is gathering support though! (feedback.azure.com/forums/217313-networking/suggestions/…) For now, I guess it will have to be a manual verification.
– ShieldOfSalvation
Apr 9 at 23:52
Why not use something like FileZilla as the SFTP client? It would be much easier than the command line for the vast majority of users.
– Michael Hampton♦
Apr 10 at 0:47