Secure FTP and OpenSSH with Windows Server 2003
Posted by walsh_r on 12 Oct 2007 at 09:19 pm | Tagged as: Backups, Encryption
Quite a few people have asked me how to configure a secure means of transferring backup data. This tutorial outlines how to set up a Secure-FTP server using OpenSSH to encrypt the data with Windows 2003 Server, and how to set up a remote location to automatically upload backup data to the Secure-FTP server. The following method will work for any type of data.
Required:
- OpenSSH for Windows
- SCP client; I will use WINSCP in this demonstration
Background:
- Our Secure-FTP server will be set up on a Windows 2003 Server.
- Our remote client, which will send backup data to the Secure-FTP Server, will be set up on a Windows XP workstation.
Our first step is to set up the Windows 2003 Server as a Secure-FTP server by downloading and installing OpenSSH for Windows.
- Install the latest binary for Windows from the OpenSSH for Windows website. Be sure to install both the server and client components.
- Configure the SSH server.
- Open a command prompt window and navigate to c:\program files\openssh
- Create a group file
- mkgroup -l >> .\etc\group
- Add users and create a passwd file
- First create any user accounts locally on the Windows Server via Computer Management. They do not need to be members of the Administrators group; default group membership is fine. Once you’ve created the accounts locally, adding the account names to the passwd file will enable them to log on using SSH. Do so by entering the following command for each user you would like to add to the passwd file.
- mkpasswd -l -u username >> .\etc\passwd
Remember: the username above must be an existing Windows login account.
- Create home directories for your user
- In the passwd file, you will notice that the user’s home directory is set as /home/username. Change the location by editing the passwd file with Notepad or any other text editor. Edit only the second-to-last field (/home/username), replacing it with whatever directory you wish to act as that user’s home directory, using the following syntax:
- /cygdrive/c/path_to_the_folder
* /cygdrive/c represents the C: drive
** c:\temp\ would be /cygdrive/c/temp
*** c:\home\doe_j would be /cygdrive/c/home/doe_j
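Editing the home field by hand works for one or two users, but it is easy to touch the wrong colon-separated field or to get the /cygdrive spelling wrong, and sshd will then refuse the login. The following Python script, added here as an illustration and not part of the original post or of OpenSSH for Windows, does the two things the step above describes: it converts an absolute Windows path to the /cygdrive form, and it replaces only the second-to-last field of the matching passwd records. The sample passwd lines are constructed (placeholder uid, gid and SID values) to look like mkpasswd output; the shell field /bin/switch and the exact GECOS layout are assumptions.

```python
"""
Rewrite the home-directory field of an OpenSSH-for-Windows (Cygwin-style) passwd file.

Assumed: the passwd file is the one produced by `mkpasswd -l -u <user> >> .\etc\passwd`
as described above, i.e. seven colon-separated fields per record
(name:passwd:uid:gid:gecos:home:shell), with the home directory second to last.
"""
import re
from typing import Dict, Optional

# Constructed sample; uid/gid values and the SID are placeholders, not values from any real host.
SAMPLE_PASSWD = (
    "doe_j:unused_by_nt/2000/xp:1003:513:U-SERVER\\doe_j,S-1-5-21-PLACEHOLDER-1003:/home/doe_j:/bin/switch\n"
    "backup:unused_by_nt/2000/xp:1004:513:U-SERVER\\backup,S-1-5-21-PLACEHOLDER-1004:/home/backup:/bin/switch\n"
)

_DRIVE_PATH = re.compile(r"^([A-Za-z]):[\\/](.*)$")


def windows_to_cygdrive(path: str) -> str:
    """Translate an absolute Windows path to the /cygdrive form sshd expects.

    c:\\temp\\      -> /cygdrive/c/temp
    C:\\home\\doe_j -> /cygdrive/c/home/doe_j
    """
    m = _DRIVE_PATH.match(path.strip())
    if not m:
        raise ValueError(f"expected an absolute path with a drive letter, got {path!r}")
    drive = m.group(1).lower()
    rest = m.group(2).replace("\\", "/").strip("/")
    return f"/cygdrive/{drive}/{rest}" if rest else f"/cygdrive/{drive}"


def set_home_directories(passwd_text: str, homes: Dict[str, str]) -> str:
    """Return passwd_text with the home field replaced for every user named in `homes`.

    Lines that are not seven-field passwd records pass through untouched. Naming a user
    that is not in the file is an error rather than a silent no-op, because that is
    exactly the case in which the SSH login would later fail.
    """
    newline = "\r\n" if "\r\n" in passwd_text else "\n"   # keep the file's line endings
    out = []
    updated = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            out.append(line)
            continue
        if fields[0] in homes:
            fields[-2] = windows_to_cygdrive(homes[fields[0]])
            updated.add(fields[0])
        out.append(":".join(fields))
    missing = set(homes) - updated
    if missing:
        raise KeyError(f"users not present in passwd: {sorted(missing)}")
    return newline.join(out) + newline


def home_of(passwd_text: str, user: str) -> Optional[str]:
    """Look up the home field of `user`, or None if the user is absent."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            return fields[-2]
    return None


def rewrite_passwd_file(path: str, homes: Dict[str, str]) -> None:
    """Apply set_home_directories to the file on disk, e.g. C:\\Program Files\\OpenSSH\\etc\\passwd."""
    with open(path, encoding="ascii") as f:
        text = f.read()
    with open(path, "w", encoding="ascii", newline="") as f:
        f.write(set_home_directories(text, homes))


if __name__ == "__main__":
    # Demonstrates the two examples given above on the constructed sample.
    print(set_home_directories(SAMPLE_PASSWD,
                               {"doe_j": "c:\\home\\doe_j", "backup": "c:\\temp\\"}), end="")
```

Run it once per server against the real passwd file with `rewrite_passwd_file(r"C:\Program Files\OpenSSH\etc\passwd", {...})`, then check the result with `home_of` before restarting the service; a home directory that does not exist on disk, or one the Windows account cannot read, still causes the login to fail even though the passwd line is well formed.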
- Reboot the server, and verify that the OpenSSH service is running.
Our second step is to set up Secure-FTP client software at the remote location, and automate the backup job. The steps below outline this process.
- Download and install WINSCP from the WINSCP website.
- Create an account on the Windows XP Workstation with Administrative privileges that a scheduled job can run as.
- Log into the Workstation as this account (you will only need to do this once).
- Create a stored session using the IP, port, username and password assigned for access to the Secure-FTP Server. This step is required to cache information about the connection on the client’s workstation. Without it, you cannot script automatic jobs with WINSCP to your Secure-FTP server. Connect to your stored session, then disconnect, and close WINSCP.
- Write your batch file to automate connecting / uploading backup data to your server.
- winscp /console /script=backup.txt
- Create backup.txt, and place it in the same directory as your batch file. backup.txt is outlined in the final section of this document.
- Schedule your batch file to run using Windows task scheduler, as the account you’ve created to run WINSCP jobs, at the desired times and frequencies.
The third and final step is to create the text file mentioned above, which will be called upon by the batch file scheduled to run automatically and will upload data from the client to the Secure-FTP server. This is merely an example of what you can do with WINSCP; more detailed documentation can be found on the WINSCP website.
Backup.txt
*Copy and paste the following code into backup.txt
# Automatically answer all prompts negatively so the script does
# not stall on errors
option batch on
# Disable overwrite confirmations that conflict with the previous
option confirm off
# Connect using the username and password set up on the Secure-FTP Server, to the address of the Secure-FTP Server
# open user:password@example.com
open username:password@192.168.0.1
# Force binary mode transfer
option transfer binary
# Upload the backup data to current working directory
put c:\example\examplefile.txt
# Disconnect
close
# Exit WinSCP
exit
*End Code, do not copy and paste this line.
The Backup.txt script file is self-explanatory. Insert the username and password of the account created on the Secure-FTP Server, and the address of the Secure-FTP Server. Also edit the path near the end of the script to the local path and file name of the data you wish to upload from the WINSCP client. The script will open WINSCP, connect to the specified Secure-FTP Server, upload the data specified, disconnect, and close WINSCP.
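Two things bite people who run the script above unattended: a local path containing a space is not quoted, so the put command fails, and with `option confirm off` every run silently overwrites the previous day's upload with the same name. The following Python script, added here as an illustration and not part of the original post or of WinSCP, generates backup.txt from a few parameters (quoting paths the way WinSCP's scripting syntax requires and appending a date stamp to the remote name), checks that the local files exist before connecting, runs winscp.com with a session log, and reports WinSCP's exit code so the scheduled task fails visibly. It also writes the script, which holds the password in cleartext, to a temporary file that is deleted right after the run. The install path in WINSCP and the use of winscp.com (the console variant that `winscp /console` selects) are assumptions; the script syntax is the one shown in the post, and it still relies on the stored-session step above having cached the server's host key for the job account.

```python
"""
Generate the WinSCP backup script from a few parameters and run it with exit-code checking.

Assumptions (not from the original post): WinSCP is installed at WINSCP below, and the
job account has already connected once interactively so the server's host key is cached,
exactly as the stored-session step above requires.
"""
import ntpath
import os
import subprocess
import tempfile
from datetime import datetime
from typing import Iterable, List, Optional

WINSCP = r"C:\Program Files\WinSCP\winscp.com"   # assumed install path; winscp.com is the console binary


def winscp_quote(arg: str) -> str:
    """Quote one script argument for WinSCP: arguments containing spaces go in double
    quotes, and a literal double quote inside them is written twice."""
    if " " in arg or '"' in arg:
        return '"' + arg.replace('"', '""') + '"'
    return arg


def render_backup_script(host: str, user: str, password: str, local_files: Iterable[str],
                         remote_dir: str = "", stamp: Optional[str] = None) -> str:
    """Return the text of backup.txt, using the same commands as the script in the post.

    `stamp` (default: today's date) is appended to each remote file name so one day's
    upload does not overwrite the previous one.
    """
    if any(c in password for c in ":@"):
        # the user:password@host form has no escape for these characters
        raise ValueError("password may not contain ':' or '@' in the user:password@host form")
    stamp = stamp or datetime.now().strftime("%Y%m%d")
    lines = [
        "# generated script: holds a cleartext password, delete after use",
        "option batch on",
        "option confirm off",
        f"open {user}:{password}@{host}",
        "option transfer binary",
    ]
    for local in local_files:
        base, ext = ntpath.splitext(ntpath.basename(local))   # ntpath: Windows paths on any OS
        remote = f"{base}-{stamp}{ext}"
        if remote_dir:
            remote = remote_dir.rstrip("/") + "/" + remote
        lines.append(f"put {winscp_quote(local)} {winscp_quote(remote)}")
    lines += ["close", "exit"]
    return "\r\n".join(lines) + "\r\n"


def missing_files(local_files: Iterable[str]) -> List[str]:
    """Local files that do not exist; check this before connecting so a missing backup
    set fails here instead of as a half-run script on the server."""
    return [p for p in local_files if not os.path.isfile(p)]


def run_backup(script_text: str, log_path: str, winscp: str = WINSCP) -> int:
    """Write the script to a temporary file, run winscp.com on it, delete the file, and
    return WinSCP's exit code (0 when every command succeeded, 1 otherwise).
    /log= writes a session log to read when the task scheduler reports a failure."""
    fd, script_path = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "w", newline="") as f:
            f.write(script_text)
        result = subprocess.run([winscp, f"/script={script_path}", f"/log={log_path}"], check=False)
        return result.returncode
    finally:
        os.unlink(script_path)   # the cleartext password leaves the disk with the script


if __name__ == "__main__":
    files = [r"c:\example\examplefile.txt"]   # the path used in the post's script
    script = render_backup_script("192.168.0.1", "username", "password", files)
    print(script, end="")                       # shown only; run_backup(script, r"c:\backup.log") executes it
```

Schedule this in place of the one-line batch file and let the task's exit status be the signal: a non-zero code from run_backup, together with the /log= file, tells you whether the failure was the connection, authentication or the transfer. Keep the directory the task runs from readable only by the job account, since the generated script exists on disk, briefly, with the password inside it.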
Hi there,
The stuff about creating user accounts for FTP transfer was useful. Thanks
Abhijit
This was a helpful article. I couldn’t get the group and passwd settings clearly before.
Thanks!
how do you automate the keying in of the passphrase using scripting when using public key authentication?
Hi, you may want to try this: Run OpenSSH sshd on Windows without Cygwin.
Aw, this was a seriously top quality article. In theory I’d like to write like this also – getting time and real effort to make a great article… but what can I say… I procrastinate a lot and never seem to obtain anything done… Regards…