I'm a software engineer and I'm maintaining a product that allows a user to run commands and scripts on Linux servers via an SSH connection. We now need to extend this functionality to Windows.

We have a working solution, using freeSSHd on the Windows server. We're able to connect via SSH and run commands. In order to allow us to run scripts, we need to transfer the script from the Linux web server onto the Windows server via SFTP. We then delete the script once it has run and we have the output.

My question is simple: I'm unfamiliar with SSH on Windows and I'm wondering, if a user has SSH configured, how likely is it that they'll have SFTP disabled? I'm aware that SSH isn't standard on Windows and that a user would need to install their own SSH server (freeSSHd in my case). I'm also aware that SFTP is a "subset" of SSH and uses the same port with the same credentials. What I'm concerned about is that a user could refuse to enable SFTP (despite having SSH enabled), meaning that our "solution" won't work.

Basically, is there a precedent or accepted security standard on Windows that would mean that a user would refuse to enable SFTP for some valid, tangible reason, or is the fact that SSH is enabled sufficient to assume that there will be no issues enabling SFTP? Is there anything that would give a user grounds to refuse to enable SFTP despite having SSH installed and enabled?

Jeedee
  • SSH and SFTP are not standard, so the user would have to install something. The defaults in place will be up to the program they use. – schroeder Jul 03 '15 at 17:39
  • @schroeder Yep, I'm aware of that. As I mentioned, I'd installed freeSSHd and I understand that I can enable/disable features as I like. What I'm asking is if a user decides to install an SSH server, is there any sort of security standard or best practice that would mean that they would refuse to enable SFTP? Basically, if they install an SSH server, is it reasonable to expect that they would also enable SFTP if required, or are there grounds for them to refuse to do this? I've updated the question to reflect this. – Jeedee Jul 03 '15 at 17:43
  • It is reasonable to expect the SSH tooling and assorted GNU gizmos installation process to be transparent to the user. SFTP is just a hack to transfer files using a non-standard protocol and as such is indistinguishable from SSH without deep packet inspection. Definitely not standard to allow one and block the other with Windows utilities provided by Microsoft. One thing to watch for would be dependencies on external protocols such as Bonjour, but I don't think this is an issue for SSH. I used the WinSCP.Net wrapper that calls the command line utility for SFTP with no issues. – user94592 Jul 03 '15 at 19:02

3 Answers

Because SFTP runs over the same protocol as SSH, there is no valid technical reason to refuse to enable SFTP.

That said, there may be company policies that prevent this. There is a big difference between an SSH connection to issue commands and an SFTP session to transfer files. A company might accept the risk of allowing an approved account to access another machine, but might balk at the transfer of data.

So, technically, the risk is the same. Functionally, there is a big difference and an organization might have a policy against it.


This is the case in an area of my organization. We allow SSH to some servers, but no data transfer to/from those servers and have monitoring to ensure that the traffic flow stays below a certain threshold. Granted, it's a special case, but there's precedent.

schroeder
  • Thanks - this was my feeling before asking the question so your feedback is useful. My main concern was that there would be some sort of security best practice that would mean that SFTP would be disabled pretty much by default (despite SSH being enabled), but that doesn't seem to be the case (which is good). Rather, it appears likely that the availability of SFTP will be a matter for internal policies. That being the case, we can mitigate for this. Thanks again. – Jeedee Jul 06 '15 at 11:23


Microsoft is hoping to incorporate SSH:
Link

However, that has been attempted before and then fell by the wayside.

As for your question, there is no standard or overriding reason why a user might enable SSH but disable SFTP, but there can always be some reason to do so. For example, although deployed on Unix not Windows, I recently disabled the default SFTP on a server to instead install proftpd. Why? So that I could better control access and security of what users are able to do and to listen on a different port. So SSH is still running as always, I've simply redirected SFTP access elsewhere.

So you could very well find that someone has some type of specific reason to change their setup, but I would expect those to be the exceptions not the rule.

MeepMeep
  • I was aware of the SSH/PowerShell information and we'll definitely be looking to leverage that once (if) it becomes available. I think that would be our primary method of communication, in fact. As you pointed out though, it's been tried before and nothing has happened and if anything does happen it'll be a while before anything is available, hence the research into alternative methods of running our scripts. Thanks for the other info, too. That's pretty much what I was thinking but it's good to have confirmation. Glad that there's no standard that would prohibit use of SFTP. – Jeedee Jul 06 '15 at 11:27
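
The split described in the two answers above (command execution over SSH kept, file transfer handled separately) is a server-side configuration choice, not a protocol one. As an added illustration that is not from either answerer or from freeSSHd, here it is in OpenSSH's sshd_config, with a minimal proftpd mod_sftp fragment for the "serve SFTP elsewhere on another port" variant. The paths, the group name `sftponly` and port 2222 are assumptions for the example:

```conf
# Added example. Two ALTERNATIVE sshd_config fragments, then a proftpd fragment.
# Paths, the group name "sftponly" and port 2222 are assumptions, not from the page.

# --- Alternative A: what the asker is worried about ---
# Shell/exec over SSH keeps working, but no SFTP subsystem is offered, so
# "sftp user@host" fails with "subsystem request failed on channel 0"
# while "ssh user@host somecommand" still succeeds.
#Subsystem sftp /usr/lib/openssh/sftp-server

# --- Alternative B: the inverse, SFTP-only accounts ---
# Members of "sftponly" get the in-process SFTP server and nothing else
# (no shell, no exec, no forwarding); every other user is unaffected.
Subsystem sftp internal-sftp
Match Group sftponly
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp/%u
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no

# --- proftpd.conf: the second answer's approach ---
# With the sshd Subsystem line removed (Alternative A), serve SFTP from
# proftpd's mod_sftp on its own port, with its own auth and logging controls.
<IfModule mod_sftp.c>
    SFTPEngine on
    Port 2222
    SFTPHostKey /etc/ssh/ssh_host_rsa_key
    SFTPAuthMethods publickey password
    SFTPLog /var/log/proftpd/sftp.log
</IfModule>
```

Three practical notes. The `ChrootDirectory` in Alternative B must be owned by root and not writable by anyone else or sshd refuses the login. Removing the subsystem stops `sftp` and the SFTP mode of `scp`, but not data pushed through the exec channel (`ssh host 'cat > file'` or legacy `scp`), which is why the accepted answer's policy pairs the restriction with traffic-volume monitoring rather than relying on the server config alone. And since the question is whether the target will offer SFTP at all, a product like the asker's can find out up front: with key-based auth in place, `sftp -b /dev/null user@host` exits 0 when the subsystem is available and fails with the "subsystem request failed" message when it is not, so the deployment can choose a fallback instead of failing mid-run.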
SFTP and other SSH solutions are not standard on Windows mainly because they are not standardized and properly documented in RFCs. Microsoft provides the bare minimum, if any, facilities to enable SSH. That said, I had no issues using it with ported Unix utilities compiled with Cygwin. Just don't expect it to make its way into an official development framework from Microsoft.

The security model of Windows is that users/admins are allowed to run the software they need. Neither policies nor technical limitations will prevent use of SFTP.

user94592
  • How on earth did this get an upvote, since it's 100% wrong! Please read RFC 4251 through 4256 inclusive. – Michael Hampton Jul 04 '15 at 07:43
  • You are linking to the SSH protocol RFCs; these are properly documented and implemented in Windows. Where in these RFCs are SFTP and other misc protocols over SSH documented? The question asks specifically about SFTP. To my knowledge SFTP is not properly documented in an RFC and the documents you link to don't seem to disprove my point. – user94592 Jul 21 '15 at 20:13