Password less FTP

0 votes
asked Apr 29, 2016 by vivekgvivi (150 points)

I want to know whether Rebex supports password-less FTP through .NET. We want to grab files from an FTP server. Currently we are connecting to the FTP server through the command prompt by giving a username and password. This cmd file is triggered by an SSIS job. The new requirement suggests we have to connect to the FTP server with a common shared key, which means we should not use any user-specific password to connect to the FTP server.

Applies to: Rebex FTP/SSL

1 Answer

0 votes
answered May 2, 2016 by Lukas Pokorny (124,610 points)
selected May 3, 2016 by vivekgvivi
 
Best answer

I'm not quite sure what "common shared key" means, but FTP over TLS/SSL supports authentication using a client certificate that includes a public key and is associated with a private key that is kept secret by the client (it's not shared). Is this what you need?

In that case, if the client has already authenticated using a certificate when connecting to the FTP server, there are three possibilities on what the server requires next:

  1. The server still requires a valid username and password.
  2. The server requires the client to specify username and password, but accepts any values (Microsoft IIS FTP is an example of such a server).
  3. The server does not require a username and password (Tumbleweed server is an example of such a server).

In your case, either (2) or (3) seems to apply, which means the following code should get the client authenticated:

   using Rebex.Net;
   using Rebex.Security.Certificates;

   // load the client certificate with a private key
   Certificate clientCert = Certificate.LoadDerWithKey("client.cer", "client.pri", "password");

   // alternatively, load the client certificate from a PFX/P12 file
   // Certificate clientCert = Certificate.LoadPfx("client.p12", "password");

   // build a full certificate chain from the client certificate
   CertificateChain clientChain = CertificateChain.BuildFrom(clientCert);

   // create an Ftp object
   using (var ftp = new Ftp())
   {
       // set up client certificate request handler
       ftp.Settings.SslClientCertificateRequestHandler = CertificateRequestHandler.CreateRequestHandler(clientChain);

       // connect to the server using explicit TLS/SSL mode
       ftp.Connect("server01", 21, SslMode.Explicit);

       // perform dummy authentication if needed
       if (!ftp.IsAuthenticated)
           ftp.Login("anyuser", "anypassword");

       // transfer some files
       // ...

       // disconnect gracefully
       ftp.Disconnect();
   }

Instead of loading a certificate from a P12/PFX file or a CER/PRI pair, it's possible to use a certificate from the Windows certificate store as well.

(Also, please note that many public FTP servers allow read-only password-less access through "anonymous" user name and "guest" password - see RFC 1635 for details. However, this most likely doesn't apply in your scenario.)
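
The answer above relies on a client certificate with an associated private key, loaded from a file or from the Windows certificate store. As an added example (not part of the original answer and not Rebex code), this pre-flight check uses only the .NET base class library to confirm that a certificate in the current user's store is usable for TLS client authentication; the class name `ClientCertPreflight`, its methods and the thumbprint argument are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
// Hypothetical helper for illustration (not Rebex API); .NET base class library only.
static class ClientCertPreflight
{
    // OID of the "TLS Web Client Authentication" extended key usage
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2";

    // Returns null when the certificate is usable for TLS client authentication,
    // otherwise a description of the first problem found.
    public static string Check(X509Certificate2 cert, DateTime now)
    {
        if (!cert.HasPrivateKey)
            return "no private key is associated with the certificate";
        if (now < cert.NotBefore || now > cert.NotAfter)
            return "certificate is outside its validity period";

        // An absent EKU extension places no restriction; a present one must list clientAuth.
        var eku = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>().FirstOrDefault();
        if (eku != null && !eku.EnhancedKeyUsages.Cast<Oid>().Any(o => o.Value == ClientAuthOid))
            return "extended key usage does not include client authentication";
        return null;
    }

    // Looks the certificate up by thumbprint in the current user's "Personal" store.
    public static X509Certificate2 Find(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly: false, so an expired certificate is still found and reported by Check
            var hits = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            return hits.Count > 0 ? hits[0] : null;
        }
        finally { store.Close(); }
    }

    static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: preflight <thumbprint>"); return 2; }
        var cert = Find(args[0]);
        string problem = cert == null ? "certificate not found in CurrentUser\\My" : Check(cert, DateTime.Now);
        Console.WriteLine(problem ?? "OK: " + cert.Subject);
        return problem == null ? 0 : 1;
    }
}
```

Run it under the same Windows account that executes the SSIS job, because the `CurrentUser` store is per-account and a certificate imported by an interactive user is not visible to a different service account.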

commented Jun 7, 2016 by vivekgvivi (150 points)
Thanks Lukas for your reply.

I would like to know the prerequisites to achieve what you mentioned above.

Our server is Windows 7.

Do we need to get a digitally signed certificate to apply on the server?

What are all the steps that need to be followed if I buy a Rebex licensed version to achieve password-less FTP?

commented Jun 8, 2016 by Lukas Pokorny (124,610 points)
Windows 7 comes with IIS 7.5 that contains version 7.5 of Microsoft's FTP server, which does support TLS/SSL. It requires a server certificate, which can either be self-signed, or signed by a trusted certification authority. To get started, a self-signed certificate is sufficient - you can replace it with a CA-signed certificate later.

Providing instructions for configuring TLS/SSL in a third-party server is beyond the scope of Rebex support, but there are a lot of resources on the Internet that deal with this:
http://www.iis.net/learn/publish/using-the-ftp-service/using-ftp-over-ssl-in-iis-7
http://www.iis.net/configreference/system.applicationhost/sites/site/ftpserver/security/authentication/clientcertauthentication
http://imviveka.github.io/2010/03/ftp-client-certificate-mapping

In general, you need to follow these steps for the server:
1. Set up an FTP server
2. Configure the server to enable TLS/SSL (requires a server certificate) with password-based authentication
3. Configure client certificate authentication (requires one or more client certificates) and disable password-based authentication (if needed)

For Rebex FTP/SSL, make sure that you are able to connect to the server after step (2) - use the code from http://www.rebex.net/ftp-ssl.net/features/connecting.aspx#connect-ssl (and possibly from http://www.rebex.net/ftp-ssl.net/features/tls-ssl.aspx#custom-certificate-validation when using self-signed certificates). Then, after step (3), try client certificate authentication - use the code from http://www.rebex.net/ftp-ssl.net/features/authentication.aspx#client-certificate

However, please note that MS FTP 7.5 most likely only supports client certificate authentication through Active Directory (not for stand-alone servers).
...