Are OS provided FTP commands with PGP encryption enough?, File transfers, Windows, Unix

Posted on 2002-06-17
Last Modified: 2010-04-21
FTP command line versus other new methods. Strengths, weaknesses, risks, etc. Keeping costs in mind and using existing hardware without adding additional hardware.

Our company performs FTP in several different departments from several different systems. Mostly Unix but a few Windows boxes.
We decided to step back and review all uses and then recommend a strategy.

Currently we are using the standard FTP commands that come with Unix and DOS to FTP.

-First we perform a PGP to encrypt a file.
-We then place the file on our server in the directory from which the external party (outside the enterprise) would retrieve the file (they could drop off a file)

-When the person logs in they are restricted to only a directory they have access to.
- They then perform a PUT or GET to send/receive a file.

Instead: I suppose we could use an FTP Server with a certificate that would ensure a secure SSL connection. I think this secures the channel but not the data. We could use SCP or something like that, which I do not fully understand.

Our goal is to make things simple, cost-effective, and minimize risk. We must be able to push files to other systems or have users retrieve files regardless of platform for the most part.

We have looked at a few products but always come back to: why should we set up an additional server and ensure a user has a certain client (in the case of SSL and certificates), if we can accomplish the same thing with locked-down directories by userid?

*****While what I described above is not very techie, current, or robust, it does allow
people to perform "puts" and "gets" without running FTP software as a service at either end, thus making life a little easier: easier to set up and troubleshoot.

I suppose we could get more complicated and talk about WEBDAV and such but not sure we need all of this.

We are ONLY allowing certain people to come through our firewall via IP address to "Get" items. To "Put" items we do not need any special rules in the firewall.

While this perhaps may be old-school thinking, it is cheap, allows 2-way transfers, and has PGP security (not the best but probably pretty good, as the name implies).

We would like people to comment on the above, shoot holes in it, point out risks we would incur, and perhaps present other very cost-effective solutions that have ease of installation.

However it is important that we can send AND receive. And we must be able to send and receive in an unattended manner (scheduled, batch type or scripted jobs)

Thanks, Peter
Question by:pacumming
LVL 51

Expert Comment

ID: 7083978
what is PGP encryption used for?
to secure the traffic, or to make sure that only authenticated/authorized persons can read the file?

If encryption is just to secure the transport, I suggest ssh/scp.
This requires an sshd on your server, and an scp client. ssh/scp is in wide use on almost all platforms (including Windoze).
There are also some Java based clients which can be used via a Java-capable web browser; then you don't even need an ssh/scp client.
LVL 14

Expert Comment

ID: 7084081
This is a pretty difficult problem to solve.  PGP is pretty much dead now that NAI has killed the commercial version.  But there's really no replacement out there either.

"Secure" FTP could work, but it requires special client software.

Probably the best answer at this point is HTTP/S file uploads.

One product that supports this is Valicert, though there are also some Perl scripts floating around out there if you want to roll your own.
LVL 20

Expert Comment

ID: 7084292
The userid & password will be unencrypted, and so can be "snooped". I presume your external users only have ftp access and are chrooted to a subdirectory, so a hacker should only be able to trash files in that directory or fill the filesystem up.

I also assume that your firewall only allows incoming traffic on FTP ports. If not, consider creating a "DMZ" by placing the system outside your firewall and giving it its own (tighter) firewall between it and the outside world.
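An added example (not from the original thread) of exactly what the comment above warns about: everything on the FTP control channel, USER and PASS included, is readable by anyone who can see the packets, whether that is a sniffer on the path or a compromised host in the DMZ. The script takes the bytes of one reassembled control-channel stream and pulls out the credentials, the files requested and the data-channel endpoint announced in the PASV reply. The session transcript embedded in it is constructed for this example; the host name, user name and password are made up.

```python
import re

# Constructed sample: one FTP control-channel conversation as seen on the
# wire (client commands and server replies interleaved, CRLF-terminated).
# Hostname, user name and password are made up for this example.
SAMPLE_STREAM = (
    b"220 ftp.example.com FTP server ready\r\n"
    b"USER vendor01\r\n"
    b"331 Password required for vendor01\r\n"
    b"PASS wrong-guess\r\n"
    b"530 Login incorrect\r\n"
    b"USER vendor01\r\n"
    b"331 Password required for vendor01\r\n"
    b"PASS Tr0ub4dor\r\n"
    b"230 User vendor01 logged in\r\n"
    b"TYPE I\r\n"
    b"200 Type set to I\r\n"
    b"PASV\r\n"
    b"227 Entering Passive Mode (192,0,2,10,19,136)\r\n"
    b"RETR invoices-2002-06.pgp\r\n"
    b"150 Opening BINARY mode data connection\r\n"
    b"226 Transfer complete\r\n"
    b"QUIT\r\n"
    b"221 Goodbye\r\n"
)

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": port = p1*256 + p2 (RFC 959)
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_ftp_session(stream: bytes) -> dict:
    """Extract what a passive observer learns from one FTP control session.

    Returns a dict with:
      logins        - every USER/PASS attempt and whether the server accepted it
      files         - (command, filename) for each RETR/STOR
      data_endpoint - (host, port) from the last PASV reply, i.e. where the
                      file body itself will travel, also in the clear
    """
    result = {"logins": [], "files": [], "data_endpoint": None}
    pending_user = None
    pending_pass = None

    for raw in stream.split(b"\r\n"):
        if not raw:
            continue
        line = raw.decode("ascii", errors="replace")
        first, _, rest = line.partition(" ")

        # Server replies start with a three-digit code; anything else is a
        # client command.
        if len(first) >= 3 and first[:3].isdigit():
            code = int(first[:3])
            if pending_pass is not None:
                # The reply to PASS tells the observer whether the pair works.
                result["logins"].append({
                    "user": pending_user,
                    "password": pending_pass,
                    "accepted": code == 230,
                })
                pending_pass = None
            if code == 227:
                m = PASV_RE.search(rest)
                if m:
                    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
                    result["data_endpoint"] = (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
            continue

        cmd = first.upper()
        if cmd == "USER":
            pending_user = rest
        elif cmd == "PASS":
            pending_pass = rest
        elif cmd in ("RETR", "STOR"):
            result["files"].append((cmd, rest))

    return result


def accepted_credentials(stream: bytes) -> list:
    """Only the (user, password) pairs the server accepted: what an attacker
    would replay later against the same account."""
    return [(entry["user"], entry["password"])
            for entry in parse_ftp_session(stream)["logins"] if entry["accepted"]]


if __name__ == "__main__":
    session = parse_ftp_session(SAMPLE_STREAM)
    for attempt in session["logins"]:
        status = "ACCEPTED" if attempt["accepted"] else "rejected"
        print(f"{status}: {attempt['user']} / {attempt['password']}")
    print("files:", session["files"])
    print("data channel:", session["data_endpoint"])
```

The PGP-encrypted file body stays opaque even here: the capture hands the observer the account, the file name and where the data connection goes, not the plaintext. What it does hand over is a working login for later, which is what the comment's "trash files in that directory or fill the filesystem up" scenario needs.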

LVL 51

Expert Comment

ID: 7086201
> .. PGP is dead ..
.. and GnuPG does all the work now (and hopefully will be fully compatible with ancient PGP soon)

Author Comment

ID: 7090746
We have a DMZ. Right now we would have outbound traffic only. I do worry about the password in clear text, but is that really true, and how much of a risk is it in reality?

Now we know how to do https and such. BUT the thing we need is to be able to run in an unattended mode even with https; how can that be unattended? What packages allow a send and a receive assuming we had the server on our side?

Also, when people mention loading ssh and scp and so on: we need a solution that is basically a package where we do not have to load various components and test them out,
UNLESS we were to stick with FTP and use the commercial version of PGP or some equivalent encryption out there.

We would like somehow to ascertain that the file has been picked up from our server or transmitted to the user's box, but we are not sure of the best way to do this.

Thanks for options for a newbie when it comes to Unix and such. I mainly deal with Windows and the Internet but have not played with unattended transfers and putting together protocols and things.

Thanks, Peter
LVL 51

Expert Comment

ID: 7090810
> we need a solution that is basically a package where we do not have to load various components and test them out.

You still have such packages: PGP and ftp.
So, why do you worry about using another one?
SSH is just *one* package and gives a solution for all your questions.

You still did not give an answer to my question:
    what is PGP encryption used for?

> .. ascertain that the file has been picked up from our server or transmitted ..
What exactly do you need?
  1) log entry that it was picked up
  2) information that it was transferred
  3) verification that it was transferred correctly

1) is done by sshd automatically,
2) either needs manual interaction, or a script which sends confirmation somehow
3) somehow similar to 2)

> .. run in an unattended mode ..
see ssh
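An added example, not part of the comment above, of how item 1 (a log entry that the file was picked up) becomes an unattended confirmation rather than something a person greps for. OpenSSH's sftp-server can log every file operation (the `-l INFO` option on the Subsystem line in sshd_config): one `open` line and one `close` line per file, and the close line carries byte counts, so a dropped connection shows up as fewer bytes read than the file is long. The script below pairs those lines up per session and decides whether a named outbound file was fully read by the expected account. The log lines are constructed for this example in the shape I know sftp-server to use; the host, user, addresses and paths are made up, and if your build logs in a slightly different shape the regular expressions are the only thing to adjust.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the shape OpenSSH sftp-server emits
# with "-l INFO". Hostname, users, addresses and paths are made up.
SAMPLE_LOG = """\
Jun 17 09:12:33 dmz1 sftp-server[4711]: session opened for local user vendor01 from [203.0.113.5]
Jun 17 09:12:34 dmz1 sftp-server[4711]: open "/outbound/invoices-2002-06.pgp" flags READ mode 0666
Jun 17 09:12:36 dmz1 sftp-server[4711]: close "/outbound/invoices-2002-06.pgp" bytes read 16384 written 0
Jun 17 09:12:36 dmz1 sftp-server[4711]: session closed for local user vendor01 from [203.0.113.5]
Jun 17 09:20:01 dmz1 sftp-server[4798]: session opened for local user vendor01 from [203.0.113.5]
Jun 17 09:20:02 dmz1 sftp-server[4798]: open "/outbound/invoices-2002-06.pgp" flags READ mode 0666
Jun 17 09:20:05 dmz1 sftp-server[4798]: close "/outbound/invoices-2002-06.pgp" bytes read 48120 written 0
Jun 17 09:20:06 dmz1 sftp-server[4798]: open "/inbound/ack-2002-06.pgp" flags WRITE,CREATE,TRUNCATE mode 0644
Jun 17 09:20:06 dmz1 sftp-server[4798]: close "/inbound/ack-2002-06.pgp" bytes read 0 written 812
Jun 17 09:20:07 dmz1 sftp-server[4798]: session closed for local user vendor01 from [203.0.113.5]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sftp-server\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
SESSION_RE = re.compile(r"session opened for local user (?P<user>\S+) from \[(?P<addr>[^\]]+)\]")
OPEN_RE = re.compile(r'open "(?P<path>[^"]+)" flags (?P<flags>\S+) mode')
CLOSE_RE = re.compile(r'close "(?P<path>[^"]+)" bytes read (?P<read>\d+) written (?P<written>\d+)')


def transfer_events(log_text: str) -> list:
    """Turn sftp-server log lines into one record per completed file operation.

    Each record: {ts, user, addr, path, direction, bytes}; direction is
    "download" if the file was opened for reading, else "upload". Lines that
    are not sftp-server lines are ignored, so a whole syslog can be fed in.
    """
    sessions = {}                      # pid -> {"user": ..., "addr": ...}
    open_flags = defaultdict(dict)     # pid -> {path: flags string}
    events = []

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg, ts = m["pid"], m["msg"], m["ts"]

        s = SESSION_RE.search(msg)
        if s:
            sessions[pid] = {"user": s["user"], "addr": s["addr"]}
            continue
        o = OPEN_RE.search(msg)
        if o:
            open_flags[pid][o["path"]] = o["flags"]
            continue
        c = CLOSE_RE.search(msg)
        if c and pid in sessions:
            flags = open_flags[pid].pop(c["path"], "")
            is_read = "READ" in flags.split(",")
            events.append({
                "ts": ts,
                "user": sessions[pid]["user"],
                "addr": sessions[pid]["addr"],
                "path": c["path"],
                "direction": "download" if is_read else "upload",
                "bytes": int(c["read"]) if is_read else int(c["written"]),
            })
    return events


def pickup_status(events: list, path: str, expected_size: int, user: str) -> dict:
    """Decide whether `user` has fully downloaded `path`.

    A close with fewer bytes read than the file's size is an aborted transfer,
    not a pickup; a read by a different account is reported separately so it
    can be investigated (with per-user directories it should never happen).
    """
    downloads = [e for e in events if e["path"] == path and e["direction"] == "download"]
    complete = [e for e in downloads if e["user"] == user and e["bytes"] == expected_size]
    partial = [e for e in downloads if e["user"] == user and e["bytes"] != expected_size]
    others = [e for e in downloads if e["user"] != user]
    return {
        "picked_up": bool(complete),
        "picked_up_at": complete[-1]["ts"] if complete else None,
        "partial_attempts": len(partial),
        "read_by_other_users": sorted({e["user"] for e in others}),
    }


if __name__ == "__main__":
    evs = transfer_events(SAMPLE_LOG)
    print(pickup_status(evs, "/outbound/invoices-2002-06.pgp", 48120, "vendor01"))
    print([e for e in evs if e["direction"] == "upload"])
```

The expected size comes from your own side (stat the file you dropped), which is what makes the partial-read case detectable without any cooperation from the other party; the upload records give you item 2 for files they drop off.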
LVL 51

Expert Comment

ID: 7090815
oops, just another idea: rsync
solves the problem of verification and confirmation also
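An added example, not from either comment, of item 3 in the list two comments up (verification that the file was transferred correctly) done the way rsync does it internally, as a whole-file checksum, but in a form that works when one end is Windows or a third party's FTP client: the sender writes a manifest of size and SHA-256 per file next to the files, the receiver re-hashes what arrived and reports each file as ok, truncated, corrupt or missing. Everything here is constructed for the example (the drop directories are temporary, the file contents random, the names made up).

```python
import hashlib
import os
import tempfile

MANIFEST_NAME = "MANIFEST.sha256"
CHUNK = 64 * 1024


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large transfers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(directory: str) -> str:
    """Sender side: record size and SHA-256 of every regular file in the drop directory.

    One "<sha256>  <size>  <name>" line per file, sorted by name, so the
    manifest is stable, diffable and easy to PGP-sign alongside the files."""
    entries = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if name == MANIFEST_NAME or not os.path.isfile(full):
            continue
        entries.append(f"{sha256_of(full)}  {os.path.getsize(full)}  {name}")
    manifest_path = os.path.join(directory, MANIFEST_NAME)
    with open(manifest_path, "w") as f:
        f.write("\n".join(entries) + "\n")
    return manifest_path


def verify_manifest(directory: str, manifest_path: str) -> dict:
    """Receiver side: map each listed file to "ok", "missing", "truncated" or "corrupt".

    Size is checked before the hash so a dropped connection (the usual
    unattended-transfer failure) is reported distinctly from altered content."""
    status = {}
    with open(manifest_path) as f:
        for line in f:
            line = line.rstrip("\n")
            if not line:
                continue
            digest, size_str, name = line.split("  ", 2)
            full = os.path.join(directory, name)
            if not os.path.isfile(full):
                status[name] = "missing"
            elif os.path.getsize(full) < int(size_str):
                status[name] = "truncated"
            elif sha256_of(full) != digest:
                status[name] = "corrupt"
            else:
                status[name] = "ok"
    return status


def demo() -> dict:
    """Simulate a drop directory and a transfer with one of each failure."""
    with tempfile.TemporaryDirectory() as outbound, tempfile.TemporaryDirectory() as inbound:
        files = {
            "invoices-2002-06.pgp": os.urandom(200_000),
            "orders-2002-06.pgp": os.urandom(50_000),
            "ack-2002-06.pgp": os.urandom(800),
            "notes-2002-06.pgp": os.urandom(1_200),
        }
        for name, data in files.items():
            with open(os.path.join(outbound, name), "wb") as f:
                f.write(data)
        manifest = write_manifest(outbound)

        # "Transfer": copy to the receiver while simulating what can go wrong.
        with open(os.path.join(inbound, "invoices-2002-06.pgp"), "wb") as f:
            f.write(files["invoices-2002-06.pgp"])                 # arrives intact
        with open(os.path.join(inbound, "orders-2002-06.pgp"), "wb") as f:
            f.write(files["orders-2002-06.pgp"][:30_000])          # connection dropped mid-file
        ack = files["ack-2002-06.pgp"]
        with open(os.path.join(inbound, "ack-2002-06.pgp"), "wb") as f:
            f.write(bytes([ack[0] ^ 0xFF]) + ack[1:])              # same size, one byte altered
        # notes-2002-06.pgp never arrives at all
        received_manifest = os.path.join(inbound, MANIFEST_NAME)
        with open(manifest, "rb") as src, open(received_manifest, "wb") as dst:
            dst.write(src.read())

        return verify_manifest(inbound, received_manifest)


if __name__ == "__main__":
    print(demo())
```

On its own the manifest catches transport damage, not tampering: anyone who can alter a file in the drop directory can rewrite the manifest too. Since PGP is already in the workflow, detach-sign the manifest (gpg --detach-sign MANIFEST.sha256) and have the receiver verify that signature before trusting the hashes; rsync over ssh gives you the checksum half of this for free, but only when both ends can run it.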
LVL 14

Expert Comment

ID: 7090881
Or at least rsync over SSH...

But, this assumes that both ends are *ix.

Meanwhile, as for FTP servers getting cracked because they send plaintext passwords, yes it is definitely possible for a determined attacker to do this (usually by infiltrating something else that can sniff the packets).

Whether the data is interesting enough for anyone to bother and how much you will lose if this does happen is something you have to answer.

For example, if this is (other people's) healthcare data or financial data, you're breaking the law if you don't encrypt the session.

If it's information about the strategic direction of your company, your competitors may be highly motivated to get a hold of it.

If it's graphics that another company is sending you that you'll use in a brochure you're printing that a human is going to look at (and therefore can see with their own eyes if the graphic looks sane), then I wouldn't worry about it.

Meanwhile.... as for automating HTTP/S transfers... yes, there are tools to do this.  Commercial tools like Valicert, and non-commercial tools like wget ( and winnie (aka wput -

Author Comment

ID: 7091117
Thanks. Lets put it this way. Perhaps you have answered it.
Is there a product that runs on Unix and Windows that will satisfy ALL of the following:
-file encryption or SSL (the channel); we do not want to VPN
-will allow sending data to another box
-will allow a sender to send data to us. Thus receipt of a file
-password is encrypted as opposed to plain text FTP
-can run in command line mode and be scheduled in a batch or script
-and does not take about 2-3-4 components to get it working.

Also what do you think the majority of people are doing now in terms of sending and receiving data outside of using a VAN solution such as GEIS?

What do you think the trend may be in the future?

Thanks, Peter
LVL 14

Accepted Solution

chris_calabrese earned 200 total points
ID: 7093034
Yes, the product is Valicert.

As for what most people are doing, larger companies tend toward private networks (frame, VAN, or VPN), mid-size companies tend toward FTP with PGP, and small companies tend toward plain old FTP with no encryption.
LVL 51

Expert Comment

ID: 7093902
and again: answer to all last questions: SSH
(assuming that "file encryption" means "secure encrypted channel", 'cause this question from me is still unanswered)
LVL 14

Expert Comment

ID: 7093994
Oops, forgot about the SSH servers available for Windows these days.  That would work too.

Author Comment

ID: 7095794
Ahoffman, please write me an email at
