Secure (encrypted) FTP utility


Current version: A.06

We have a white paper (doc) (pdf) which describes how to increase FTP security by using the new features in FTP/iX. The encrypted FTP script (SFTPPUT) homed here is a piece of the security puzzle. SFTPPUT is available in a tarball, which also contains the POSIX crypt program (as an NM program file, NMPRG). The script is also downloadable as a plain text file. Crypt is also separately available here.

SFTPPUT transfers one or more files from an MPE/iX system to a remote MPE, HP-UX, Linux, or Windows system. Typically the files are encrypted with the POSIX crypt utility; the remote system must support the same encryption algorithm in order to decrypt them. More information on crypt can be found in the HP-UX man pages, or on the HP "docs" site at docs.hp.com/en/B3921-90010/crypt. When the remote system is MPE/iX, this script attempts to decrypt the file automatically by streaming a job on the remote system via FTP's site stream command.

SFTPPUT supports 7 parameters. The first parameter names the file to be transferred (wildcards supported), or is an indirect file (^filename). The second parameter is the name or IP address of the remote system. The first two parameters are required and the remaining 5 are optional. Online help text and a description of all of the parameters are displayed when the script is executed without any parameter values, e.g., :sftpput

NETRC considerations:

The SFTPPUT script is aware of the existence of the NETRC file. NETRC contains entries consisting of machine names and their corresponding user logon IDs and passwords. FTP defers to the NETRC logon information if it finds a matching machine name in the file. NETRC should be protected from non-privileged users since it contains passwords. One way to do this is to grant eXecute-only access to the users who need it and deny all access to everyone else, using the ALTSEC command.

When NETRC is used, FTP/iX ignores the user name and password, even when they are supplied via the 3rd parameter of this script. However, SFTPPUT may need to create a job which logs on to the remote system (in order to decrypt the file), and, in general, SFTPPUT will not have read access to NETRC. There are more detailed notes in the script, but when the NETRC FTP logon differs from the local user's username.account, it is recommended to specify the 'remoteUser' parameter (3rd parm).

Debugging:

If something goes wrong, or if you just want to see more details as the script executes, set the variable _SFTP_DEBUG to TRUE prior to invoking the script, e.g.:
   :setvar _sftp_debug true     
In debug mode SFTPPUT displays additional information about each task it performs, and it preserves all of the intermediate TEMP files and all of the variables used by the script.

Files that may be useful to examine are:
  • FTPLIST - FTP/iX's $stdlist output file
  • FTPIN - the $stdin file generated by SFTPPUT as input for FTP
  • JDECRYPT - the stream job file (JCL) created by SFTPPUT to be executed on remote MPE systems for all files which have been encrypted.
  • FLIST - the output of :listfile fileSetParm which contains the file(s) being transferred
  • filename.enc - the encrypted version of the file being transferred
  • filename.key contains the key used by crypt and needed to decrypt the file.
All of the above files are temporary MPE files but some have POSIX names. The best way to see all of the temp files used by SFTPPUT is:
   :listfile ./@;temp     

Decrypting on Unix:

Here's a simple shell script to make it easier to decrypt files sent to a Unix system, assuming that system supports the POSIX crypt program. Thanks to donna -- the queen of MPE...
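The shell script itself is linked rather than reproduced on this page; below is an added example of that kind of helper (not the page's own script) for a Unix host that receives SFTPPUT's filename.enc and filename.key pairs. It assumes an HP-UX-style crypt that reads the key from the CRYPTKEY environment variable when given -k, and that key files may arrive space-padded from MPE fixed-length records.

```shell
#!/bin/sh
# Added example: decrypt files delivered by SFTPPUT on a Unix host.
# For every NAME.enc in a directory with a matching NAME.key, run the POSIX
# crypt program with that key and write the plaintext to NAME.
# Assumption: crypt accepts -k and reads the key from $CRYPTKEY (HP-UX style),
# which keeps the key off the command line and therefore out of `ps` output.

CRYPT_CMD=${CRYPT_CMD:-"crypt -k"}   # override to test, or for a different crypt build

# decrypt_one ENCFILE KEYFILE OUTFILE -> 0 on success, 1 on failure
decrypt_one() {
    enc=$1; keyf=$2; out=$3
    [ -f "$enc" ]   || { echo "missing $enc" >&2; return 1; }
    [ -f "$keyf" ]  || { echo "no key file for $enc" >&2; return 1; }
    [ ! -e "$out" ] || { echo "refusing to overwrite $out" >&2; return 1; }
    # MPE fixed-length records may arrive space padded: keep line 1, strip padding.
    key=$(head -n 1 "$keyf" | sed 's/[[:space:]]*$//')
    [ -n "$key" ] || { echo "empty key in $keyf" >&2; return 1; }
    # Subshell: the umask and the exported key stay local to this one crypt run,
    # and the plaintext is created readable by its owner only.
    if ( umask 077; CRYPTKEY=$key; export CRYPTKEY; $CRYPT_CMD < "$enc" > "$out" ); then
        rm -f "$keyf"                    # the key is no longer needed; don't leave it on disk
        return 0
    fi
    rm -f "$out"                         # no partial plaintext left behind on failure
    return 1
}

# decrypt_dir DIR -> decrypt every *.enc in DIR; prints how many succeeded
decrypt_dir() {
    dir=${1:-.}
    n=0
    for enc in "$dir"/*.enc; do
        [ -f "$enc" ] || continue        # no *.enc present: the glob was left unexpanded
        base=${enc%.enc}
        decrypt_one "$enc" "$base.key" "$base" && n=$((n + 1))
    done
    echo "$n"
}
```

Note that crypt(1) implements a rotor-machine cipher that has long been known to be breakable, so treat it as obfuscation in transit rather than strong encryption.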

Examples:

  • Example 1 - FTP a file from the local 3000 to another 3000, file is encrypted and automatically decrypted on the remote system. The spoolfile from the remote system is also shown.
  • Example 2 - Example 1 in debug mode.
  • Example 3 - FTP a file from the local 3000 to an HP-UX machine. The password for the HP-UX system is supplied in the 'remoteuser' parm. Note the file needs to be manually decrypted, which is shown. Still in debug mode.
  • Example 4 - Example 1, still in debug mode, but with netrc in effect. Note the absence of the 'remoteuser' parm and the 'remoteDir' parm from example 1. In this example, the file is transferred to the home group for the user shown in the netrc file.
  • Example 5 - Example 4 but not in debug mode.

Instructions:

  • The easiest method to get SFTPPUT to your 3000 is to click on the link to display the script.
    • select Edit->Select All (or cntl-A),
    • select Edit->Copy (or cntl-C),
    • paste into a 3000 editor which accepts multi-line input, such as HPEDIT, vi, QEDIT (Note: EDIT/3000 seems to lose records even after adjusting length and width to 80 bytes),
    • keep as an unnumbered fixed-ASCII, 80 byte width file.
    If you also need crypt, it can be found here, as a tarball. Tar is used to preserve the MPEness of the file, such as filecode, record width etc.

  • Or, to get both SFTPPUT and CRYPT at the same time, download the tarball, sftpput.tar. This file contains SFTPPUT as a fixed, ASCII record oriented file, and the POSIX crypt program file. Depending on your browser, either click the tarball link above, or right-click "save-as" to download the tar file to your desktop.

    The next step is to upload the tarball to your 3000. This step typically causes the most problems. It is very important to use a byte-by-byte transfer method, such as Reflection FTP's tenex mode or MPE's bytestream mode.

    Once the tarball is on your 3000 (any group is ok) run the shell (:sh, if you have the POSIX system-wide UDCs enabled), or :xeq sh.hpbin.sys -L, and enter:
       $tar xvf sftpput.tar
    Alternatively, from the CI you can enter:
       :xeq tar.hpbin.sys "xvf sftpput.tar"
    This extracts the SFTPPUT and CRYPT files (please ignore the tar UID/GID messages), and they are ready to be renamed into the appropriate group on your 3000. CRYPT should be renamed into the HPBIN.SYS group, if possible.

  • Or, if you already have the crypt program and can work with bytestream files, you may wish to download only the script as sftpput.txt. If you click this link you'll likely need to select a "save-as" option under the File menu. Or, you can right-click the above link and save the link to your desktop.

    From your desktop the sftpput.txt file needs to be transferred to your 3000. FTP ASCII mode usually works, but if it doesn't, try tenex mode or bytestream mode. Once on the 3000 you can rename the script to SFTPPUT, e.g.:
       :rename ./sftpput.txt, SFTPPUT
    Also, you'll get slightly better performance if the file is fixed ASCII, so the frombyte POSIX utility may need to be run.
    last updated: 2007-05-16

JazzInfo. Hosted by 3kRanger.com.