7. Secure File Transfer

 

There are three methods to do secure file transfer:  SCP2, SFTP2, and FTP over SSH2.  SCP2 and SFTP2 communicate with SSH2 for authentication and data transport (which includes encryption) to remote systems. An SCP1 server is provided for compatibility with OpenSSH SCP.

The following diagram illustrates the relationship among the client and server portions of an SCP2 or SFTP2 file transfer:      

SCP file transfers are different from FTP file transfers. With FTP a file can be transferred as ASCII, BINARY, RECORD, or in OpenVMS format (if MultiNet or TCPware is in use). In SCP the primary transfer format is BINARY. Also, the defined syntax for a file specification is UNIX syntax. Due to these restrictions, files that are transferred from dissimilar systems may or may not be useful. ASCII transfers are done by searching the transferred data for the specified newline sequence and making the specified substitution. Process Software has used methods available in the protocol to attempt to improve the chances that files will be useful upon transfer.

Process Software has used the defined extensions in the protocol to transfer information about the VMS file header characteristics such that when a file is transferred between two VMS systems running MultiNet v5.4 or higher, TCPware v5.9 or higher, and/or SSH for OpenVMS, the file header information will also be transferred and the file will have the same format on the destination system as it had on the source system. Also, when a text file is transferred to a non-VMS system, a method has been provided to convert those files that can be translated into a format that will be usable on the remote system. Files that are converted from non-VMS systems are stored as stream files on the VMS system, which provides compatibility for text files from those systems. Filenames are SRI encoded when files are stored on ODS-2 disks.


SCP2

Usage

SCP2 [qualifiers] [[user@]host[#port]::]file [[user@]host[#port]::]file

 

Note: The source and destination file specification must be quoted if they contain a user specification or a non-VMS file specification.


Qualifiers

 

Qualifier

Description

/ASCII[=convention]

Newline convention to use when the server does not specify one. Allowed values: dos (\r\n), mac (\r), unix (\n), vms (\n), sftp (\r\n). Default = unix.

/BATCH

Starts SSH2 in batch mode. Authentication must be possible without user interaction.

/BUFFER_SIZE=integer

Number of bytes of data to transfer in a buffer. Default is 7500. Minimum value is 512.

/CIPHER=(cipher1,…,cipher-n)

Selects the encryption algorithm(s) to use.

/COMPRESS

Enables SSH data compression.

/CONCURRENT_REQUEST=integer

Number of concurrent read requests to post to the source file. Default is 4.

/DEBUG=level

Sets a debug level. (0-99)

/DIRECTORY

Forces the target to be a directory.

/HELP

Displays the help text.

/IDENTITY_FILE=file

Identifies the file for public key authentication.

/PORT=number

Tells the SCP2 client which port the SSHv2 server listens to on the remote machine.

/PRESERVE

Preserves file attributes and timestamps.

/NOPROGRESS

Does not show progress indicator.

/QUIET

Does not display any warning messages.

/RECURSIVE

Processes the entire directory tree.

/REMOVE

Removes the source files after copying.

/TRANSLATE_VMS=(ALL, NONE, VARIABLE, FIXED, VFC)

Selects the VMS text file types to be translated (default=ALL).

Note that /ASCII performs a similar function and may be supported in other SCP products.

/VERBOSE

Displays verbose debugging messages. Equal to "/debug=2".

/VERSION

Displays the version number only.

/VMS

Negotiates the ability to transfer VMS file information.

Note: /ASCII, /VMS and /TRANSLATE_VMS are mutually exclusive.


File Specifications

The source and destination strings are changed to lowercase unless they are enclosed in quotes, in which case they are left as typed. File specifications must be in UNIX format for remote systems, unless the remote system is running TCPware 5.9 or higher, MultiNet 5.5 or higher, or SSH for OpenVMS, and /VMS or /TRANSLATE_VMS (source files only) is used. UNIX format file specifications must be enclosed in quotes (") if they contain the / character, to prevent the DCL parsing routines from interpreting the string as a qualifier.

Qualifiers

/ASCII[=convention]

Uses the newline convention specified if the server does not specify a newline convention.

Available conventions are: dos  (\r\n), mac  (\r) , unix  (\n ), vms (\n ) , sftp (\r\n). Default = unix.

 

/BATCH

Starts the SSH2 client in BATCH mode. When SSH2 is running in BATCH mode it does not prompt for a password, so user authentication must be performed without user interaction.

 

/BUFFER_SIZE=integer

Number of bytes of data to transfer in a buffer. Default is 7500.

 

/CIPHER=(cipher,…,cipher-n)

Lets you select which SSH2 cipher to use.

 

/COMPRESS

Enables SSH2 data compression. This can be beneficial for large file transfers over slow links. The compression level is set by the client configuration file for SSH2.

 

/CONCURRENT_REQUEST=integer

Number of concurrent read requests to post to the source file. Default is 4.

 

/DEBUG=level

Enables debugging messages for SCP2 and SSH2. Higher levels produce more messages. The legal values are between 0 (none) and 99. Debugging for the SFTP2 server is enabled via the MULTINET_SSH_SFTP_SERVER_DEBUG logical.

 

/DIRECTORY

Informs SCP2 that the target specification should be a directory that the source file(s) will be put in.  This qualifier is necessary when using wildcards in the source file specification, or /RECURSIVE.

 

/HELP

Displays command qualifier list and parameter format.

 

/IDENTITY_FILE=file

Specifies the identity file that SSH2 should use for public key authentication.

 

/PORT=number

Specifies the port that SSH2 uses on the remote system. Note that if both the source and destination files are remote, this value is applied to both. If SSH2 is available on different ports on the two systems, then the #port method must be used.

 

/PRESERVE

Sets the Protection, Owner (UIC), and Modification dates on the target file to match that of the source file. The adjustment of timestamps for time zones is dependent upon the logical SYS$LOCALTIME being set correctly. This is defined automatically on OpenVMS versions 7+ and can be defined similarly on earlier versions of VMS. /PRESERVE is not very useful when the target machine is a VMS system as VMS does not provide runtime library calls for setting the file attributes (owner, protection) and timestamps. Note that the VMS modification date (not the creation date) is propagated to the remote system. When files are copied between two VMS systems and /VMS is used /PRESERVE is implied and the process of transferring VMS attributes preserves the information about the protection, dates, and file characteristics.

 

/NOPROGRESS

SCP2, by default, updates a progress line at regular intervals when it is run interactively to show how much of the file has been transferred. This qualifier disables the progress line.

 

/QUIET

Disables warning messages. Note that it does not disable warning messages from the SFTP2 server, which return on the error channel.

 

/RECURSIVE

Copies all of the files in the specified directory tree. Note that the top level directory on the local system is not created on the remote system. Only the most recent version is copied unless in VMS mode and the MULTINET_SFTP_VMS_ALL_VERSIONS logical is defined to be TRUE.

 

/REMOVE

Deletes the source files after they have been copied to the remote system.

 

/TRANSLATE_VMS

Translates VMS text files in the copying process to byte streams separated by linefeeds because the defined data transfer format for SCP2 is a binary stream of bytes.

/TRANSLATE_VMS is only applicable to the source specification. If a remote source file is specified, then that system must be running MultiNet 4.4 or higher, TCPware 5.6 or higher, or SSH for OpenVMS. If /TRANSLATE_VMS is specified with no value, then VARIABLE, FIXED, and VFC (variable with fixed-length control) files are translated to stream linefeed files. If the value is NONE, no files are translated. VARIABLE, FIXED, and VFC can be combined in any manner. The SFTP2 server process uses the value of the logical MULTINET_SFTP_TRANSLATE_VMS_FILE_TYPES to determine which files should be translated automatically. This is a bit mask with bit 0 (1) = FIXED, bit 1 (2) = VARIABLE, and bit 2 (4) = VFC. These values can be combined into a number between 0 and 7 to control which files are translated.

 

Note: Due to the structure of the programs, the SCP2 program uses the MULTINET_SFTP_TRANSLATE_VMS_FILE_TYPES logical if the /TRANSLATE_VMS qualifier has not been specified.

 

 

/VERBOSE

Displays debugging messages that allow the user to see what command was used to start up SSH and other basic debugging information. Note that debugging information can interfere with the normal display of the progress line. Equivalent to /DEBUG=2.

 

/VERSION

Displays the version of the base SCP2 code.

 

/VMS

Transfers VMS file information similar to that transferred in OVMS mode in FTP such that VMS file structure can be preserved. All of the information transferred in FTP OVMS mode is transferred along with the file creation date and protection. Timestamps are not adjusted for time zone differences in VMS transfers. If the file is a contiguous file, and it is not possible to create the file contiguously, and the logical MULTINET_SFTP_FALLBACK_TO_CBT has the value of TRUE, the SFTP2 server attempts to create the file Contiguous, Best Try.

The logical name MULTINET_SCP2_VMS_MODE_BY_DEFAULT can be defined to TRUE to specify that /VMS should be the default unless /NOVMS or /TRANSLATE_VMS are specified. /VMS and /TRANSLATE_VMS cannot be used on the same command line. If /VMS is not specified, but the logical is set to enable it by default, a /TRANSLATE_VMS on the command line will take precedence.

Note that even though SCP2 and the SFTP2 server pass the request for VMS file transfers or to translate a VMS file in a manner that is consistent with the protocol specification, other implementations may not handle this information well. Since there is no error response present at that point in the protocol, the program hangs. To prevent it from hanging forever, the logical  MULTINET_SCP2_CONNECT_TIMEOUT is checked to see how long SCP2 should wait for a response when establishing the connection. The format for this logical is a VMS delta time. The default value is 2 minutes. If SCP2 times out before a connection is established with the SFTP2 server and /VMS or /TRANSLATE_VMS were specified, a warning message is displayed, and the initialization is tried again without the request for VMS information (or /TRANSLATE_VMS). This retry is also subject to the timeout, and if the timeout happens again, then SCP2 exits. This helps for implementations that ignore the initialization message when information they do not recognize is present; implementations that abort will cause SCP2 to exit immediately.

Logicals

Of the following logicals, all that start with MULTINET_SFTP apply to the SCP2 client, the SFTP2 client and the SFTP2 server.

 

MULTINET_SFTP_FALLBACK_TO_CBT

When defined to TRUE and a VMS file transfer is being performed, this logical creates a Contiguous file if that file has Contiguous characteristics. The file will be created as Contiguous Best Try if there is insufficient space to create it as Contiguous.

 

MULTINET_SFTP_TRANSLATE_VMS_FILE_TYPES

This is a bit mask that determines which VMS file types should be translated when not operating in VMS mode.

·         Bit 0 (1) = FIXED

·         Bit 1 (2) = VARIABLE

·         Bit 2 (4) = VFC

The values are:

·         0 (zero) = NONE

·         7 = ALL

Note that this logical affects SCP2 as well as the server, as SCP2 has the server built into it for handling local file access. If this logical is not defined, the value 7 will be used.
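The two rules above, the MULTINET_SFTP_TRANSLATE_VMS_FILE_TYPES bit mask and the ASCII-mode newline substitution described in the introduction to this chapter and under /ASCII, are modelled in the following added example. It is illustration written for this page, not Process Software's code: the bit values come from the logical's definition, the newline sequences from the /ASCII qualifier, and the record lists and byte strings are constructed sample data. The untranslated branch of transfer_text_file (records sent as one run of bytes) is a deliberate simplification of what a binary transfer of record data looks like to the receiver.

```python
"""Added example, not Process Software's code: models the two text-handling
rules this page describes for SCP2/SFTP2.

1. MULTINET_SFTP_TRANSLATE_VMS_FILE_TYPES is a bit mask (bit 0 = FIXED,
   bit 1 = VARIABLE, bit 2 = VFC) selecting which VMS record formats are
   translated to a stream of bytes separated by linefeeds.
2. An ASCII-mode transfer searches the data for the specified newline
   sequence and substitutes the receiver's convention.

The record lists and byte strings below are constructed sample data.
"""

# Bit values as defined for the logical on this page.
FIXED, VARIABLE, VFC = 1, 2, 4
RECORD_FORMAT_BITS = {"FIXED": FIXED, "VARIABLE": VARIABLE, "VFC": VFC}

# Newline conventions accepted by /ASCII and the SFTP2 ASCII command.
NEWLINE = {"dos": b"\r\n", "mac": b"\r", "unix": b"\n", "vms": b"\n", "sftp": b"\r\n"}


def translate_file_types(mask: int) -> set:
    """Return the record formats selected by a 0..7 bit mask (0 = NONE, 7 = ALL)."""
    if not 0 <= mask <= 7:
        raise ValueError(f"mask must be 0..7, got {mask}")
    return {name for name, bit in RECORD_FORMAT_BITS.items() if mask & bit}


def should_translate(record_format: str, mask: int = 7) -> bool:
    """Decide whether a VMS file of the given record format is translated.

    The default mask is 7 (ALL), the value the page says is used when the
    logical is not defined. Stream formats have no bit and are never
    translated; only FIXED, VARIABLE and VFC files are.
    """
    return record_format.upper() in translate_file_types(mask)


def records_to_stream_lf(records: list) -> bytes:
    """Translate a list of VMS records into a stream-LF byte string."""
    return b"".join(record + b"\n" for record in records)


def convert_newlines(data: bytes, source: str, destination: str) -> bytes:
    """ASCII-mode substitution: replace every occurrence of the source
    convention's newline sequence with the destination's.

    Only the named sequence is recognised, so declaring the wrong source
    convention corrupts the file instead of failing (see
    wrong_convention_example).
    """
    return data.replace(NEWLINE[source], NEWLINE[destination])


def wrong_convention_example() -> bytes:
    """A DOS (CRLF) file declared as 'unix' and sent to a DOS receiver:
    each LF becomes CRLF while the original CR is kept, giving CR CR LF."""
    dos_file = b"first line\r\nsecond line\r\n"  # constructed sample
    return convert_newlines(dos_file, "unix", "dos")


def transfer_text_file(record_format: str, records: list, destination: str,
                       mask: int = 7) -> bytes:
    """Combine both rules: if the mask selects the record format, translate
    the records to stream-LF and apply the destination newline convention.
    Otherwise the record contents go across as a plain run of bytes with no
    separators (simplified stand-in for an untranslated binary transfer)."""
    if not should_translate(record_format, mask):
        return b"".join(records)
    return convert_newlines(records_to_stream_lf(records), "vms", destination)
```

The wrong_convention_example case is the one to remember when choosing /ASCII=convention: the substitution is purely textual, so a CRLF file described as unix arrives with a stray carriage return on every line rather than an error.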

 

MULTINET_SCP2_CONNECT_TIMEOUT

This logical defines a number specifying how long SCP2 should wait for a response to the INITIALIZE command from the server program. This is a VMS delta time number. The default is 2 minutes.

 

MULTINET_SCP2_VMS_MODE_BY_DEFAULT

When defined to TRUE, this logical chooses the /VMS qualifier if /TRANSLATE_VMS or /NOVMS has not been specified.

 

MULTINET_SFTP_RETURN_ALQ

When defined to TRUE and files are being transferred in VMS mode, this logical includes the Allocation Quantity for the file in the file header information. This is disabled by default because copying a small file from a disk with a large cluster size to a disk with a small cluster size causes the file to be allocated with more space than necessary. You have the option of retaining the allocated size of a file if it was allocated the space for a reason. Some combinations of file characteristics require that the Allocation Quantity be included in the file attributes; this is handled by SCP2 or the SFTP2 server.

 

MULTINET_SSH_SCP_SERVER_DEBUG

Enables debugging messages for the SCP server that provides service to SCP commands that use the RCP over SSH2 protocol (OpenSSH). When this is defined, the file SCP-SERVER.LOG is created in the user’s login directory. These files are not purged. Larger values yield more debugging information.

 

MULTINET_SSH_SFTP_SERVER_DEBUG

Enables debugging messages for the SFTP2 server that provides service to SCP2 commands that use the SFTP protocol. When this is defined, the file SFTP-SERVER.LOG is created in the user’s login directory. These files are not purged. Larger values yield more debugging information.

 

MULTINET_SFTP_MAXIMUM_PROTOCOL_VERSION

This logical can be used to limit the version of the SSH File Transfer Protocol that the SFTP client and server use.  This can sometimes provide a work-around for problems encountered with different implementations of the protocol.  The default value is 4.  Protocol versions 2 and 3 are also used by popular implementations.

 

MULTINET_SFTP_VMS_ALL_VERSIONS    

This logical controls whether all versions of a file are returned.  The value TRUE will cause all versions to be returned, any other value is to only return the name of the file without a version.  The default is to return only one filename without the version number.

 

MULTINET_SFTP_NEWLINE_STYLE

This logical controls the newline style that SFTP uses, which can be helpful in transferring text files.  The values are: UNIX <lf>, VMS <lf>, MAC <cr>.  If the logical is not defined, or defined to any other value, then <cr><lf> will be used for the text line separator as documented in the SSH File Transfer specification.

 

MULTINET_SFTP_CASE_INSENSITIVE

This logical causes SFTP to treat filenames in a case insensitive manner when it is defined to TRUE.

 

MULTINET_SFTP_ODS2_SRI_ENCODING

This logical controls whether SRI encoding is used for filenames on VMS ODS-2 disks.  If the logical is not defined, or is defined to TRUE then SRI encoding is used on ODS-2 disks for filenames that contain uppercase letters and special characters.

 

MULTINET_SFTP_FILE_ESTIMATE_THRESHOLD

This logical controls the minimum number of blocks that a text file must be for an estimated transfer size to be returned instead of an exact size.  The default is to estimate the transfer size for all text files.

 

MULTINET_SFTP_DEFAULT_FILE_TYPE_REGULAR

If this logical is defined to TRUE, then the SFTP server will use a default file type of REGULAR instead of UNKNOWN for OPEN operations.  This can correct problems with filenames without a . (dot) in them getting .dir added to them.  The filename will appear with a . at the end of the name in directory listings.

 

MULTINET_SFTP_username_CONTROL

This logical can be defined /SYSTEM to any combination of NOLIST, NOREAD, NOWRITE, NODELETE, NORENAME, NOMKDIR and NORMDIR to restrict SFTP2 operations for the username named in the logical. NOWRITE disables PUT, DELETE, RENAME, MKDIR and RMDIR; NOREAD disables GET and LIST.

 

MULTINET_SFTP_username_ROOT

This logical can be defined /SYSTEM to restrict the user to the directory path specified. Subdirectories below the specified directory are allowed.
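The following added example shows the kind of check that the two per-user logicals above imply: mapping a MULTINET_SFTP_username_CONTROL value onto the operations it denies, and confining a requested path to a MULTINET_SFTP_username_ROOT directory. It is illustration written for this page, not the SFTP2 server's code. The page does not state the separator between CONTROL keywords, so commas and whitespace are both accepted here (assumption), and paths are handled in UNIX format, the format SFTP uses for remote specifications (assumption; the real server may also apply the root to VMS-format paths).

```python
"""Added example, not Process Software's code: an access-policy check of the
kind MULTINET_SFTP_username_CONTROL and MULTINET_SFTP_username_ROOT describe.

Assumptions: keywords may be separated by commas or whitespace; paths are in
UNIX format. Sample paths below are constructed.
"""
import posixpath

# Operations each keyword denies. NOWRITE and NOREAD are the groups the page
# defines; the remaining keywords deny exactly the operation they name.
DENIED_BY_KEYWORD = {
    "NOWRITE": {"PUT", "DELETE", "RENAME", "MKDIR", "RMDIR"},
    "NOREAD": {"GET", "LIST"},
    "NOLIST": {"LIST"},
    "NODELETE": {"DELETE"},
    "NORENAME": {"RENAME"},
    "NOMKDIR": {"MKDIR"},
    "NORMDIR": {"RMDIR"},
}


def parse_control(value: str) -> set:
    """Turn the logical's value into the set of denied operations.

    Unknown keywords are rejected rather than ignored: silently skipping a
    misspelled NOWRITE would leave the user with write access.
    """
    denied = set()
    for keyword in value.replace(",", " ").split():
        keyword = keyword.upper()
        if keyword not in DENIED_BY_KEYWORD:
            raise ValueError(f"unknown CONTROL keyword: {keyword}")
        denied |= DENIED_BY_KEYWORD[keyword]
    return denied


def operation_allowed(control_value: str, operation: str) -> bool:
    """True if the operation is not denied by the CONTROL logical."""
    return operation.upper() not in parse_control(control_value)


def resolve_under_root(root: str, requested: str, cwd: str = None):
    """Return the normalised absolute path if it stays within root, else None.

    cwd is the user's current directory (defaults to root). '.' and '..'
    components are collapsed before the prefix check, so '../x' cannot
    escape, and the prefix is compared on a whole path component so that a
    root of /users/jsmith does not admit /users/jsmithx. The page says VMS
    has no symbolic links, so no link-following step is needed for a VMS
    server; on a server that has them the resolved path would need the same
    check after links are followed.
    """
    root = posixpath.normpath("/" + root.strip("/"))
    base = cwd if cwd is not None else root
    candidate = requested if requested.startswith("/") else posixpath.join(base, requested)
    candidate = posixpath.normpath(candidate)
    if candidate == root or candidate.startswith(root.rstrip("/") + "/"):
        return candidate
    return None


def authorize(control_value: str, root: str, operation: str, path: str, cwd: str = None):
    """Combine both logicals: returns (allowed, resolved_path_or_reason)."""
    if not operation_allowed(control_value, operation):
        return False, f"{operation.upper()} denied by CONTROL"
    resolved = resolve_under_root(root, path, cwd)
    if resolved is None:
        return False, f"{path} is outside root {root}"
    return True, resolved
```

Both logicals are defined /SYSTEM because they are enforced against the user rather than chosen by the user; the check above likewise takes the policy values as inputs it trusts and treats only the operation and path as attacker-controlled.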

 

SSH_SFTP_LOG_SEVERITY

This logical can be defined /SYSTEM to 20000 to log file transfers or 30000 to log all SFTP operations.

 

SSH2_SFTP_LOG_FACILITY

This logical must also be defined /SYSTEM to specify the logging class that is used with OPCOM. Values below 5 will use the network class; 5 will use OPER1, 6 will use OPER2, etc. The maximum value that can be specified is 12, which will use OPER8.

 

MULTINET_SFTP_SEND_VENDOR_ID

If this logical is defined as FALSE, then the SFTP2 client will not send the extended command containing the vendor ID upon completion of version negotiation with the server.


SFTP2

File Specifications

File specification must be in UNIX format for remote systems, unless /VMS transfers are being used.

 

SFTP2 Command Syntax and Qualifiers

Usage

SFTP2 [qualifiers] [[user@]host[#port]]

If the username@ is included in the remote system specification, the specification must be enclosed in quotes.

 

Qualifiers

 

Qualifier

Description

/BATCHFILE=file_spec

Provides file with SFTP commands to be executed. Starts SSH2 in batch mode. Authentication must not require user interaction.

/BUFFER_SIZE=integer

Number of bytes of data to transfer in a buffer. Default is 7500.

/CIPHER=(cipher-1,…,cipher-n)

Selects encryption algorithm(s).

/COMPRESS

Enables SSH data compression.

/CONCURRENT_REQUEST=integer

Number of concurrent read requests to post to the source file.

Default is 4.

/DEBUG=level

Sets debug level (0-99).

/HELP

Displays help.

/MAC=(mac-1,…,mac-n)

Select MAC algorithm(s).

/NOPROGRESS

Do not show progress indicator.

/PORT=number

Tells SFTP2 which port the SSHD2 server is listening on.

/VERBOSE

Enables verbose mode debugging messages. Equal to /DEBUG=2. Verbose mode can be disabled later with the DEBUG DISABLE command.

/VERSION

Displays version number only.

/[NO]VMS

Negotiates ability to transfer VMS file information. VMS transfer mode will be automatically negotiated if SFTP2 detects that the server is capable of doing VMS transfers unless /NOVMS is specified.


SFTP2 Commands

 

SFTP2 Command

Description

ASCII [{-s | remote [local]}]

With -s option, shows current newline convention.  remote sets remote newline convention. local operates on local side, but is not as useful (the correct local newline convention is usually compiled in, so this is mainly for testing). You can set either of these to “ask”, which will cause sftp to prompt you for the newline convention when needed. With the exception of  the -s option, this command sets transfer mode to ascii.

 

Available conventions are dos, unix, sftp, vms, or mac, using “\r\n”, “\n”, “\r\n”, “\n” and “\r” as newlines, respectively.

Note that some implementations of SFTP may check whether a file can be transferred in ASCII mode before doing so, and return errors for files that cannot be transferred. SSH for OpenVMS, MultiNet, and TCPware make this check.

AUTO

Sets the transfer mode (ASCII or BINARY) to depend upon the extension of the file specification.

BINARY

Sets the transfer mode to be binary. (This is the default.)

BUFFERSIZE number

Sets the size of the buffer used for file transfer. A larger buffer size helps speed large transfers. Displays the current buffer size when no parameter is specified.

CD dirspec

Changes current directory on remote system. VMS file specifications may be used when operating in VMS mode. A logical name must include the trailing colon so that it can be recognized as such. SFTP from other vendors cannot use VMS specifications due to the way that SFTP works.

CHMOD [-R] mode file [file…]

Change the protection on a file or directory to the specified octal mode. (Unix values). 

 

-R recurses over directories.

CLOSE

Closes connection to the remote server.

DEBUG {disable | debug level}

Sets the debug level for SFTP2. It does not change the current debug level for SSH2 on an existing connection, but the new level is passed to SSH2 for a new connection. With disable, all debugging for the current SFTP2 session is turned off.

DELETE filespec

Removes the specified file from the remote system.

DIRECTORY [file | dirspec]

Displays the contents of the current directory or specified directory in VMS format when the transfer mode is VMS. File names are displayed as they would be with a DIR command from DCL.

EXIT

Exits SFTP client.

GET [-p] file1 [file2 …]

Retrieves the specified file(s) from the remote system and stores it in the current working directory on the local system. File names are case sensitive and in UNIX format. When operating in VMS mode, either UNIX or VMS-style file specifications can be used. Directories are recursively copied with their contents. Multiple files may be specified by separating the names with spaces.

 

If -p is specified, then SFTP attempts to preserve timestamps and access permissions.

 

Note that a target filename cannot be provided.

GETEXT

Displays the list of file extensions to use ASCII transfers when in AUTO mode. The initial value is txt,htm*,pl,php*

HELP

Displays help on commands.

LCD dirspec

Changes the current directory on the local system. VMS file specifications may be used when in VMS mode.

LCHMOD [-R] mode file [file…]

Change the protection on a file or directory on the local connection to the specified octal mode. (Unix values).  -R recurses over directories.

LCLOSE

Close the local connection.

LDELETE file

Removes the specified file from the local system. VMS file specifications may be used when in VMS mode.

LDIRECTORY [file | dirspec]

Displays the contents of the current directory or specified directory on the local system in VMS format when the transfer mode is VMS. File names are displayed as they would be with a DIR command from DCL.

LLS [file | dirspec]

Displays the contents of the current directory or specified directory in UNIX format. Lists the names of files on the local server. For directories, contents are listed.

See LS for options and more details.

LLSROOTS

Like LSROOTS, but for the local side.

LMKDIR dirspec

Creates the specified directory on the local system.

LOCALOPEN {[user@]host[#port] | -l}

Connects the local side to host. If successful, LLS and the other local-side commands show the contents of the filesystem on that host. With the -l option, connects the local side to the local filesystem (which does not require a server).

An implicit LOCALOPEN -l is done when SFTP2 starts, so a user only needs to issue LOCALOPEN when neither directory tree is immediately accessible. OPEN is the command generally used to establish the connection with the remote system.

LOPEN is a synonym for LOCALOPEN.

LPWD

Displays the current working directory on the local system.

LREADLINK path

Provided that path is a symbolic link, shows where the link is pointing to. This command is not supported for VMS servers.

LRENAME oldfile newfile

Renames a file on the local system.

LRM filespec

Removes the specified file from the local system. VMS file specifications may be used when in VMS mode.

LRMDIR dirspec

Deletes a directory on the local system.

LS [-R] [-l] [-S] [-r] [file …]

Displays the contents of the current directory or specified directory in UNIX format. Lists the names of files on the remote server. For directories, contents are listed. When the -R option is given, directory trees are listed recursively. (By default, subdirectories of the arguments are not visited.) When the -l option is given, permissions, owners, sizes, and modification times are also shown. When the -S option is specified, sorting is based upon file size instead of alphabetical order.

 

The -r option reverses the sort order. When no arguments are given, it assumes that the contents of the current working directory are being listed. Currently, the options -R and -l are mutually incompatible. LS will fill a screen with output, then wait for the user to decide if they want more or have seen enough.

LSROOTS

Displays the virtual roots of the server. This is a VMS-only extension to display the roots (devices) on the VMS system.

LSYMLINK targetpath linkpath

Like SYMLINK, but for the “local” side.

MGET [-p] file1 [file2…]

Retrieves multiple files from the remote system and stores them in the current working directory on the local system.

If -p is specified, then SFTP attempts to preserve timestamps and access permissions.

MKDIR dirspec

Creates the specified directory on the remote system.

MPUT [-p] file1 [file2…]

Stores multiple files in the current working directory on the remote system. File names are case-sensitive and in UNIX format. When operating in VMS mode, either UNIX or VMS-style file specifications can be used. Directories are recursively copied with their contents. Multiple files may be specified by separating the names with spaces.

If -p is specified, then SFTP attempts to preserve timestamps and access permissions.

OPEN {-l | [user@]host[#port]}

Tries to connect to host. Or with the -l option, connects the remote side to the local filesystem (which doesn’t require a server).

PUT [-p] file1 [file2…]

Stores the specified file in the current working directory on the remote system. File names are case-sensitive and in UNIX format. When operating in VMS mode, either UNIX or VMS-style file specifications can be used. Directories are recursively copied with their contents. Multiple files may be specified by separating the names with spaces.

 

If -p is specified, then SFTP attempts to preserve timestamps and access permissions.

 

Note that a target filename cannot be provided.

PWD

Displays the current working directory on the remote system. Displayed in VMS format when in VMS mode; otherwise displayed in UNIX format.

QUIT

Exits the SFTP client.

READLINK path

Provided that path is a symbolic link, shows where the link is pointing to. Not valid for VMS systems as VMS does not have symbolic links.

RECORD

Enters record transfer mode if the server supports Process Software’s record open.  The direction in which record transfer mode is possible will be displayed in response to this command.  In record transfer mode the source file is opened as binary records and the destination file is opened as binary.  This produces the same effect as MultiNet’s FTP server BINARY transfer when a BLOCK_SIZE has not been specified, and can be used to transfer a file that contains VMS records to a system that can only handle “flat” files.

RENAME oldfile newfile

Renames file on the remote system.

RM filespec

Removes the specified file from the remote system.

RMDIR dirspec

Deletes a directory on the remote system.

SETEXT ext1 [ext2 …]

Sets the list of file extensions to use ASCII transfers when in AUTO mode. Individual file extensions must be separated by spaces.

STATUS

Shows the transfer mode, remote server name, and remote server version. The current newline sequence is displayed if operating in ASCII or AUTO mode.

SYMLINK targetpath linkpath

Creates symbolic link linkpath, which will point to targetpath. Not valid for VMS servers as VMS does not have symbolic links.

VERBOSE

Enables verbose mode (identical to the /DEBUG=2 command-line option). You may later disable verbose mode with the command DEBUG DISABLE.

VMS

Sets the transfer mode to include VMS file information.


Logicals

The following logicals are specific to SFTP2:

 

MULTINET_SFTP_VMS_MODE_BY_DEFAULT

When defined to TRUE, this logical chooses the /VMS qualifier if /NOVMS has not been specified.

 

Configuration File Parameters

The system wide configuration file (SSH2_DIR:SSH2_CONFIG.) or the user’s configuration file (SYS$LOGIN:[.SSH2]SSH2_CONFIG.) can be used to specify the following parameters.  The user’s configuration file takes precedence over the system configuration file.

FilecopyMaxBuffers

This is equivalent to the /CONCURRENT_REQUEST qualifier on the SFTP2 or SCP2 command line.  The command line qualifier will supersede any value in the configuration file.

FilecopyMaxBuffersize

This is equivalent to the SFTP2 BUFFERSIZE command or the SCP2 /BUFFER_SIZE qualifier.  The command or qualifier takes precedence.

 

The system server configuration file (SSH2_DIR:SSHD2_CONFIG.) can include parameters to control which users can perform remote SSH commands (including SSH terminal sessions) as well as SFTP2 access:

Terminal.AllowUsers

Allow users in the specified list to create SSH2 terminals and do interactive commands

Terminal.DenyUsers

Prevent users in the specified list from creating SSH2 terminals and performing interactive commands.  The users can still use the SFTP2, SCP1 and public key servers.

Terminal.AllowGroups

Allow groups in the specified list to create SSH2 terminals and do interactive commands

Terminal.DenyGroups

Prevent groups in the specified list from creating SSH2 terminals and performing interactive commands.  The groups can still use the SFTP2, SCP1 and public key servers.


FTP over SSH

SSH2 can be used to set up port forwarding that can be used for FTP. This allows users to use the richness of the FTP command set to access files on a remote system and have their control and data information encrypted. The command format to set up the SSH port forwarding is:

$ ssh remote_host_name -
_$ /local_forward=("""ftp/forwarded_port_number:localhost:21""")

The usual SSH authentication mechanisms come into play, so there may be a request for a password and a terminal session is established to the remote host. As long as this terminal session is alive, other users on the local system can use FTP to access the remote system over an encrypted channel. The location of the quotes is important, as it is necessary to prevent DCL from interpreting the / in the local forwarding information as the start of a new qualifier, and SSH2 does not know or expect to find the ( ) around the forwarding information. Note that the localhost inside of the forwarding string is important, as it will make the connection to FTP on the remote system come from localhost, which will then allow FTP to open the data port.

When a user desires to use an encrypted FTP connection, the following sequence of commands would be issued:

SSH> PORT forward_port_number

SSH> OPEN LOCALHOST

 Normal FTP authentication takes place and multiple FTP sessions may use a single forwarded port. The FTP protocol filter in SSH2 scans the FTP command stream for the FTP PORT and PASV commands and their replies, and makes substitutions in these commands and replies to use a secure data stream through the SSH2 session that has been set up. This command will establish an encrypted FTP session with the remote host that the SSH connection is sent to.

To allow a single system to act as a gateway between two networks, add /ALLOW_REMOTE_CONNECT to the SSH command that initiates the connection.
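The PASV/PORT substitution that the FTP protocol filter has to perform, as described above, is modelled in the following added example. It is illustration written for this page, not Process Software's SSH2 filter. The page does not say how the filter allocates its data-channel ports, so the ForwardTable below hands out local ports from a fixed range and records where each must be tunnelled to; that allocation policy is an assumption. The FTP reply and command lines are constructed samples.

```python
"""Added example, not Process Software's code: the PASV/PORT substitution an
FTP protocol filter performs when the control connection is forwarded
through SSH, as this page describes for SSH2's "ftp/" local forward.

Assumption: local data ports are allocated sequentially from a fixed range.
"""
import re

# RFC 959 host/port form: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
PASV_REPLY_RE = re.compile(rb"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_COMMAND_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$", re.IGNORECASE)


def _decode_hostport(groups):
    """Validate the six octets and return (dotted host, port)."""
    values = [int(g) for g in groups]
    if any(v > 255 for v in values):
        raise ValueError("host/port octets must be 0..255")
    host = ".".join(str(v) for v in values[:4])
    return host, values[4] * 256 + values[5]


def _encode_hostport(host: str, port: int) -> bytes:
    """Inverse of _decode_hostport for a dotted IPv4 host and 16-bit port."""
    octets = host.split(".")
    if len(octets) != 4 or not 0 < port < 65536:
        raise ValueError("expected dotted IPv4 host and 16-bit port")
    return ",".join(octets + [str(port // 256), str(port % 256)]).encode()


def parse_pasv_reply(reply: bytes):
    """Return (host, port) from a '227 Entering Passive Mode (...)' reply."""
    match = PASV_REPLY_RE.match(reply)
    if match is None:
        raise ValueError("not a 227 PASV reply")
    return _decode_hostport(match.groups())


def parse_port_command(line: bytes):
    """Return (host, port) from a client 'PORT h1,h2,h3,h4,p1,p2' command."""
    match = PORT_COMMAND_RE.match(line)
    if match is None:
        raise ValueError("not a PORT command")
    return _decode_hostport(match.groups())


class ForwardTable:
    """Tracks which tunnel endpoint stands in for which real data endpoint."""

    def __init__(self, first_local_port: int = 40000):
        self.next_port = first_local_port
        self.outbound = {}  # local listening port -> (remote host, remote port)
        self.inbound = {}   # remote-side listening port -> (client host, client port)

    def rewrite_pasv_reply(self, reply: bytes) -> bytes:
        """Server said 'connect to host:port' on its network; tell the client
        to connect to localhost on a port that this side forwards there."""
        remote = parse_pasv_reply(reply)
        local_port = self.next_port
        self.next_port += 1
        self.outbound[local_port] = remote
        return b"227 Entering Passive Mode (" + _encode_hostport("127.0.0.1", local_port) + b").\r\n"

    def rewrite_port_command(self, line: bytes, remote_side_port: int) -> bytes:
        """Client said 'connect back to my host:port'; tell the server to
        connect to localhost on the remote side, where the tunnel listens."""
        client_endpoint = parse_port_command(line)
        self.inbound[remote_side_port] = client_endpoint
        return b"PORT " + _encode_hostport("127.0.0.1", remote_side_port) + b"\r\n"
```

Rewriting the PORT command to name localhost on the remote side is the counterpart of the note above about localhost in the forwarding string: an FTP server that only accepts data connections to the address its control connection came from will open the data port for localhost but refuse the client's real address.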