Secure FTP (SFTP) in Dreamweaver using SSH tunnelling – No shared keys


It’s a bit of a bugbear with many people that Adobe Dreamweaver CS3, CS4, and I think CS5, although supporting SFTP using password authentication, won’t work with SSH public/private key pairs. It’s far more secure to use SSH with a public/private key pair than with straightforward password authentication.

Why is SFTP important?

FTP is about as secure as SMTP email, or Telnet – i.e. every man and his dog can listen in and before you know it, your (not so) local porn pedlars have replaced your website with something sensational. It amazes me constantly that companies that install SSL certificates are happy for their web developers to connect to the web server using plain old FTP, often uploading files containing critical passwords to databases and other external systems.

Securing FTP using SSH tunneling

So, in order to encrypt the connection to the FTP service, we can use SFTP (Secure FTP). SFTP is actually part of the SSH daemon and is an extension to the SSH 2 protocol, and should not be confused with other FTP daemons that you may be running. On cPanel servers, the accounts between the two are always synchronised, so you don’t have to worry about it.

Securing your SSH service

It really isn’t a good idea to leave your SSH service open to password authentication, as it is just one more route for brute force attacks. It also means that if someone can find out your password, then they can gain access to your server.

Using SSH with public/private key pairs is a far, far more sensible approach. Whether you secure your actual key with a passphrase or not, an attacker would still have to get a copy of your private keyfile in order to break into your server.

Configuring SSH for public/private key authentication and shutting off password authentication is pretty straightforward, but if you are unsure get help to avoid locking yourself out of your own server! Password authentication is disabled by making sure you have a line that reads:

PasswordAuthentication no
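
Having that line in the file is not enough on its own: sshd uses the first value it finds for a keyword, defaults to yes when none is set, and lets a Match block turn the option back on for some users. The shell check below is an added example, not part of the original post; the function name password_auth_status and the sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): decide from sshd_config text
# whether password logins are really off. Relies on sshd_config(5) rules:
# keywords are case-insensitive, the first value found for a keyword wins,
# the default for PasswordAuthentication is "yes", and lines after a
# "Match" line apply only to connections that satisfy that Match.

# password_auth_status: reads sshd_config text on stdin and prints one of
#   disabled           global "no" and no Match block turns it back on
#   enabled            global "yes", or not set at all (default is yes)
#   enabled-in-match   global "no", but some Match block says "yes"
password_auth_status() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments, blank lines
        { key = tolower($1); val = tolower($2) }
        key == "match" { scoped = 1; seen = 0; next }   # new Match block
        key != "passwordauthentication" { next }
        scoped {                                   # first value per block
            if (!seen && val == "yes") reenabled = 1
            seen = 1; next
        }
        glob == "" { glob = val }                  # first global value wins
        END {
            if (glob != "no")   print "enabled"
            else if (reenabled) print "enabled-in-match"
            else                print "disabled"
        }
    '
}

# Constructed samples (not taken from any real server).
sample_shadowed() {        # the "no" line exists but an earlier "yes" wins
    printf '%s\n' 'PasswordAuthentication yes' 'PasswordAuthentication no'
}
sample_match_override() {  # off globally, back on for one group
    printf '%s\n' 'passwordauthentication no' 'Match Group ftpusers' \
                  '    PasswordAuthentication yes'
}
sample_hardened() {        # what the post is aiming for
    printf '%s\n' '#PasswordAuthentication yes' 'PasswordAuthentication no'
}

for s in sample_shadowed sample_match_override sample_hardened; do
    printf '%-22s %s\n' "$s" "$($s | password_auth_status)"
done
```

On the server, pipe the real file into the function (usually /etc/ssh/sshd_config), or run sshd -T as root, which prints the effective configuration and also follows Include files that this check does not.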

Setting up the tunnel

OK, we are going to use SSH to open a secure connection to the server, and then present the open end of the client pipe to the local machine. This can be done with the following command in a terminal session (assuming you are using Linux or a Mac – you can of course tunnel using PuTTY if you are using Windows):

ssh -f -N -L 2100:webserver.com:21 user@webserver.com

What we are saying here is: SSH to webserver.com and pipe remote port 21 to local (-L) port 2100. Don’t send any commands (-N), and place SSH into the background (-f) if you want to leave the process running after you close the terminal window. Alternatively, leave off the -f, press Ctrl-Z and use bg to put the job into the background.

Once the tunnel is set up (if you don’t use the -f switch, then the terminal session will just sit there until you kill it) you just use your FTP program on your own computer to connect to localhost on port 2100… you should find yourself being connected to the FTP service on your server!

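In fact, this technique can be applied to access any insecure service on your server in a secure manner. One caveat for FTP specifically: the forward above carries only the control connection on port 21 (login and commands); FTP opens its data connections on separate ports, and those are not covered by this single -L forward.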
