bbcac

asked on

Creating an FTP script to move a file without specifying domain account credentials. Certificates the answer?

We have an FTP server that is running on a DMZ system. In the past we have created FTP.exe based scripts that move files from the FTP server to a share on the network somewhere. In order to do this we have created reduced privilege accounts that have limited access and explicitly put the username and password in the script.
We can no longer do this. We need some way of automating the FTP transfer without specifying credentials. One of the security guys mentioned certificates as a possible solution.

Can someone please provide me with instructions on going about this?
FTP server is a proprietary server
Both Boxes are windows 2003
I am using windows ftp.exe but I can change that.

Thanks in advance.
Paranormastic

What are the security requirements for logging in? If it is just that they cannot be passed in clear text, this should be fairly easy: FTPS (FTP over SSL), which will use a standard server certificate. Take a look at FileZilla for client and server; it works okay (I don't think any of them are really all that great yet for functionality, but they are functional and secure). When you assign the cert to the server (if using an issued cert instead of self-signed, then convert to PEM format using OpenSSL), export it without the private key to copy to clients in the directory where you installed the executable in order to 'import' it...

You can also try IIS7 if you have 2008...
http://learn.iis.net/page.aspx/304/using-ftp-over-ssl/


If you are looking for certificate logon for FTP, then you might want to look for one that supports client certificate mapping.

The last concept you could look into is "SFTP" (FTP over SSH): for this you can establish a secure shell and then use that for your FTP stuff. I haven't gotten around to testing this out yet, but I understand not as many products support it. I believe PuTTY does, which is a long-established, decent SSH program that is open source/free and that I would recommend anyway.
bbcac

ASKER

We cannot transmit the password in clear text or hard code the password anywhere. What do you suggest then?
Um.

So you want to create a script to log into FTP that doesn't supply the password at all. I would assume this would include both the FTP password and a password for the private key of a user certificate...

What if the script called a file that was stored in encrypted format under the script user's context (i.e. the user account the script uses has an EFS certificate or something similar that won't prompt for a pin, and is then used to decrypt a password file for either FTP session or certificate PIN)?

That's about all I got from my understanding of your requirements... Might see if you can request attention to add to 2 more programming zones...
You would still need to connect to the SFTP, which would require a password. I suppose you could use PuTTY to store the password for the SSH session, if that is acceptable.
bbcac

ASKER

My security team has recommended using self-signed certificates. Is this viable? Or do they not have any idea what they are talking about?
SOLUTION
Paranormastic
bbcac

ASKER

What about using a private/public key method? We have tested this here and it seems to work pretty well. Unfortunately, if you passphrase the key then you have to load the passphrase every time you reboot. Does anyone know a way around this?
ASKER CERTIFIED SOLUTION
bbcac

ASKER

Then we are back to the same circumstance where I am hardcoding a password/passphrase, which I am sure won't fly with the security team. If I used the private/public key without a passphrase, then anyone can grab the file and use it, just like a password.

Any other suggestions?
SOLUTION
bbcac

ASKER

We ended up going with a priv/pub RSA key authentication which we opted not to password protect. This seems to do the trick and our information security office is OK with it.
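The asker's earlier objection (an unencrypted key file is as good as a password to whoever copies it) is the real residual risk of the approach the thread settles on. The usual mitigation is to confine what the key can do on the server side rather than to protect the key with a passphrase nobody is there to type. The following is an added example, not code from the thread or from any product it names: a pre-flight check for the scripted SFTP transfer that audits the server's authorized_keys entry for those restrictions, verifies the private key file's mode, and builds the non-interactive sftp command. It assumes the receiving side runs an OpenSSH server (the thread never names the SFTP server); the host, user, paths and key material are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes an OpenSSH server receives the
# files. All hostnames, paths and key material below are constructed.

# A key with no passphrase should be confined in authorized_keys: pinned to the
# source host (from=), forced into the sftp subsystem (command=), and stripped of
# shell, PTY and forwarding rights. Returns 0 only if a line carries all of them.
audit_authorized_key_line() {
    line=$1
    for opt in 'from="' 'command="' 'no-port-forwarding' \
               'no-agent-forwarding' 'no-pty' 'no-X11-forwarding'; do
        case "$line" in
            *"$opt"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# The private key must be readable by the service account only (mode 0600).
# The permission string from ls is used because stat's flags differ between
# GNU and BSD; cut -c1-10 drops any trailing ACL/SELinux marker.
check_private_key_mode() {
    perms=$(ls -l "$1" | cut -c1-10)
    [ "$perms" = "-rw-------" ]
}

# Non-interactive invocation: batch file, explicit identity, and BatchMode so a
# missing or rejected key makes the job fail instead of hanging on a prompt.
build_sftp_command() {
    key=$1; batch=$2; user=$3; host=$4
    printf 'sftp -b %s -i %s -o BatchMode=yes -o IdentitiesOnly=yes -o PasswordAuthentication=no %s@%s\n' \
        "$batch" "$key" "$user" "$host"
}

# --- constructed sample data (not real keys) ---
AUTHZ_GOOD='from="10.0.0.5",command="internal-sftp",no-port-forwarding,no-agent-forwarding,no-pty,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2E...CONSTRUCTED... ftp-mover@dmz'
AUTHZ_BAD='ssh-rsa AAAAB3NzaC1yc2E...CONSTRUCTED... ftp-mover@dmz'

# Batch file doing what the old ftp.exe script did: push a file, then mark it done.
BATCH=$(mktemp)
cat > "$BATCH" <<'EOF'
put /dmz/outbound/report.csv /incoming/report.csv
rename /incoming/report.csv /incoming/report.csv.done
bye
EOF

KEY=$(mktemp); chmod 600 "$KEY"   # stand-in for the unencrypted RSA key file

echo "restricted entry passes audit: $(audit_authorized_key_line "$AUTHZ_GOOD" && echo yes || echo no)"
echo "bare entry passes audit:       $(audit_authorized_key_line "$AUTHZ_BAD" && echo yes || echo no)"
echo "key file mode acceptable:      $(check_private_key_mode "$KEY" && echo yes || echo no)"
build_sftp_command "$KEY" "$BATCH" ftp-mover fileshare-gw.example.internal
rm -f "$BATCH" "$KEY"
```

On OpenSSH 7.2 and later the single `restrict` option covers the no-* settings checked above and is the better default; the explicit list is what older servers understand. With these restrictions in place, a copied key can only be used from the pinned address and can only reach the sftp subsystem, which narrows "anyone can grab the file and use it" to "someone on the DMZ host can run the same transfer", a much smaller exposure.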