June 23, 2007

Secure Catapult

Windows. Unix. Data.

Those are the basic ingredients in today’s recipe. Basic business
need: securely transport Data from Windows to Unix.

Let’s think about this for a moment: if we pull, how will we securely
transport? Should we install an SSH/SFTP server on the Windows computer? If we push,
how do we speak SSH/SFTP to the Unix daemon from Windows?

Secondly, how can this be automated so that we are not stuck in a
manual process?

Check this out. Here’s a solution I’ve used in the past with success.
It uses public key cryptography and SSH to achieve a scriptable, automated secure
transfer mechanism. Nothing novel here…just piecing together existing technology
really. But this has been quite effective for me since we’re not relying on the authentication
for security. Indeed, we simply need to provide secure transport and protect the data
in transit.

I think of it as catapulting data…and it is a push technique. In
this type of scenario, I hesitate to install any type of server on the Windows computer
since a) I know it already exists on the Unix side most likely and b) I do not typically
like to increase management overhead and adding any such server to the Windows computer
will most likely do so.

Here are the steps I’ve taken in the past to get this up and running.
Your mileage may vary depending on what versions may be running, etc., so don’t send
me hate mail if this doesn’t work out-of-the-box for you!

1. On the Windows computer, go download pscp.exe and puttygen.exe
from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

2. Load puttygen.exe and generate your keys.

3. Now, copy and paste the public key text that PuTTYgen displays into a Notepad
file on the Windows computer. I name the Notepad file something like “keys.txt”.

4. Then, use pscp to copy the “keys.txt” over to the Unix computer. This will drop the keys.txt
into the user’s $HOME on the Unix computer.

pscp -sftp c:\keys.txt <user>@<target IP/Hostname>:

5. Then I export the private key in PuTTYgen. Don’t enter a passphrase here, since we will
be scripting this and do not want an interactive transfer to take place. PuTTYgen
should complain; just select “Yes” and save the private key as “priv.ppk” or something
that makes sense to you.


6. Then, on the Unix computer we likely need to make an “authorized_keys” file and
update the sshd_config. The following commands assume you are already in the $HOME
directory of the user intended to be the account used for the scripted secure transfer.

mkdir .ssh

cat keys.txt > .ssh/authorized_keys

7. Finally, edit /etc/ssh/sshd_config (your location may differ)
and enable (uncomment) the following line. Thereafter, restart the SSH server. Of course,
you may need to be “root” to perform these two actions:

AuthorizedKeysFile %h/.ssh/authorized_keys
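The Unix side of steps 6 and 7 as a small POSIX shell script (an added example, not the post’s own commands): it appends the pasted key instead of overwriting an existing authorized_keys, and sets the directory and file modes that sshd’s default StrictModes check requires before it will read the file, which the plain cat above does not. The key line, the jason@winbox comment and the install_pubkey, count_keys and check_modes names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Installs the public key that
# pscp dropped into the transfer user's $HOME as keys.txt, per steps 6 and 7,
# but appends instead of overwriting an existing authorized_keys and sets the
# modes that sshd's default StrictModes check requires before it will read it.
set -eu

# install_pubkey <home> <keyfile>
# Appends each "ssh-rsa ..."/"ssh-dss ..." line from <keyfile> (PuTTYgen's
# one-line OpenSSH format) to <home>/.ssh/authorized_keys, skipping lines
# already present, then removes the loose copy of the key text.
install_pubkey() {
  home=$1
  keyfile=$2
  auth="$home/.ssh/authorized_keys"
  mkdir -p "$home/.ssh"
  chmod 700 "$home/.ssh"
  touch "$auth"
  chmod 600 "$auth"
  grep -E '^ssh-(rsa|dss) ' "$keyfile" | while IFS= read -r line; do
    grep -qxF -- "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
  done
  rm -f "$keyfile"
}

# count_keys <home>: number of key lines sshd will consider.
count_keys() {
  grep -cE '^ssh-(rsa|dss) ' "$1/.ssh/authorized_keys" || true
}

# check_modes <home>: succeeds only if directory and file modes are what
# sshd (StrictModes yes) accepts: 700 on .ssh, 600 on authorized_keys.
check_modes() {
  [ -n "$(find "$1/.ssh" -prune -perm 700)" ] &&
    [ -n "$(find "$1/.ssh/authorized_keys" -prune -perm 600)" ]
}

# Demonstration on a scratch directory with a constructed, non-functional key.
demo() {
  h=$(mktemp -d)
  printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDEXAMPLEKEY jason@winbox\n' \
    > "$h/keys.txt"
  install_pubkey "$h" "$h/keys.txt"
  check_modes "$h" && echo "authorized_keys ready: $(count_keys "$h") key(s)"
  rm -rf "$h"
}
demo
```

Run it as the transfer user after step 4 with `install_pubkey "$HOME" "$HOME/keys.txt"`; a second run with the same key text adds nothing.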

Okay, we have our secure transport setup. How do we use it?

Easy enough: on the Windows machine run the following:

pscp -sftp -batch -i c:\priv.ppk c:\<test.file> <user>@<target IP/Hostname>:

So, you can stick the above syntax into a batch file and use a Scheduled Task
or whatever.

– Jason Pittman, M.S. Network Security