Why Do I Need SFTP?
Secure File Transfer Protocol (SFTP) is used by more and more Cisco Unified Communications (UC) applications for moving files to/from the UC host. The Cisco Disaster Recovery Service (previously known as BARS), CDR management, CLI “file get” commands, software upgrade interfaces, etc. can all use SFTP. Some of these can also use standard FTP for moving files from the Cisco UC appliance to an offbox location. NetCraftsmen recommends not using FTP as it sends passwords in clear text and may also pose problems with existing firewall/ACL configurations. Basically, if you have an option to provide better security, why not take it?
What SFTP Solution Does Cisco Recommend?
Good question. You will find various recommendations from Cisco, but Cisco generally does not provide support for your SFTP server/service, so keep that in mind. Typically, you will find the following products listed in Cisco installation guides:
- Open SSH (typically available on *nix systems like Mac OS, for Windows systems: http://sshwindows.sourceforge.net/)
- Cygwin (http://www.cygwin.com/)
- Titan (http://www.titanftp.com/)
I haven’t messed around with OpenSSH for Windows myself, but I have used/tested Cygwin, Titan, freeFTPd, and FileZilla. Titan was fine, but it isn’t free software. The freeFTPd application worked as well, but I had stability issues on my laptop, so I stopped using it. I personally find Cygwin a tad annoying, but it works OK. In fact, copSSH (the topic of this blog) is a port of OpenSSH compiled for Cygwin, so you could say copSSH falls within Cisco’s list of recommended solutions.
You can get copSSH from ITeF!x (http://www.itefix.no/i2/software). I have tested with the copSSH installer versions 2.0.1 and 2.1.1 (the latest at the time of this writing). I have used the tool on Windows XP and Windows Server 2003 and have not had too many issues with it. At one point I had a problem uninstalling the application and had to go into the registry to clean up a few things, but I have found the user forums on the ITeF!x site to be pretty helpful.
The copSSH application installs as a service (copSSHd) on Windows, which gives it a distinct advantage over a lot of other freeware SFTP solutions. It is also very easy to provision the service. After installing the copSSH application, you can go to Start>copSSH>Activate a User to select a local Windows or Domain user account to activate for copSSH access. Local user accounts are provided in a handy drop-down list. For Domain user accounts, you will need to use the convention to add the user.
When a user is activated, they can connect to your “SFTP” server using their local Windows or AD Domain credentials.
One thing to keep in mind is the directory structure. If you install copSSH in the “c:/program files/copssh/ICW” directory, then the root of your Cygwin shell starts from the install point, meaning the Cygwin root (“/”) is actually “c:/program files/copssh/ICW”.
We all have preferences, and I am a member of the “we all” group. The following is how I like to configure my copSSH deployments:
- I like to install copSSH in a directory off of the root of my data partition. So, if my data drive is D:, I like to install copSSH in the d:\copssh folder.
- Often, I like to keep installation files in a different directory structure than the copSSH installation path. Therefore, I will create a symbolic link in the cygwin shell:
- Click on Start..Program Files..Copssh..Start Bash Shell
- In the bash shell, enter the command: cd /
- Create the symbolic link: ln -s "/cygdrive/d/data/installfiles" installfiles
- I also like to store backups and CDRs from the CUCM/Unity/CUPS/etc. servers in a separate folder structure. To do this, you can create more symbolic links.
The symbolic link syntax is straightforward. The /cygdrive/d/ in the examples points to the actual root of the D: drive in Windows, just as /cygdrive/c/ points to the C: drive, /cygdrive/e/ points to the E: drive, and so on.
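The symbolic-link steps above, as an added example that is not part of the original post or of copSSH itself: a small POSIX shell script that converts a Windows path to the /cygdrive form the Cygwin shell expects and creates the link under the copSSH root. The helper names (win2cyg, link_share), the drive letters and folder names, and the temporary directory standing in for copSSH’s “/” are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or the copSSH project).
# win2cyg converts a Windows path such as 'D:\data\installfiles' into the
# Cygwin form /cygdrive/d/data/installfiles; link_share then creates a
# symbolic link to it under a chosen root, exactly like the "ln -s" step in
# the post. All paths below are constructed for illustration.

# win2cyg WINPATH  -> prints /cygdrive/<drive>/<rest>, lower-casing the drive
win2cyg() {
    p=$1
    case $p in
        [A-Za-z]:*) ;;                      # must start with a drive letter
        *) echo "win2cyg: expected a path beginning with a drive letter: $p" >&2
           return 1 ;;
    esac
    drive=$(printf '%s' "$p" | cut -c1 | tr '[:upper:]' '[:lower:]')
    rest=$(printf '%s' "$p" | cut -c3- | tr '\\' '/')   # backslashes -> slashes
    rest=${rest%/}                          # drop a trailing slash, if any
    printf '/cygdrive/%s%s\n' "$drive" "$rest"
}

# link_share NAME WINPATH [ROOT]
# Creates ROOT/NAME -> /cygdrive/... so an SFTP user who lands in ROOT sees
# NAME as a folder. ROOT defaults to "/" (the Cygwin root on a copSSH host).
# Refuses to clobber a real file or directory that already has that name.
link_share() {
    name=$1; root=${3:-/}
    target=$(win2cyg "$2") || return 1
    link="${root%/}/$name"
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "link_share: $link exists and is not a symlink; refusing" >&2
        return 1
    fi
    # -n: replace the link itself rather than creating inside a linked directory
    ln -sfn "$target" "$link" || return 1
    printf '%s -> %s\n' "$link" "$target"
}

# Demonstration against a throw-away directory standing in for copSSH's "/".
# On the real host you would omit the third argument and run from the
# copSSH bash shell, where "/" is the copSSH install folder.
demo_root=$(mktemp -d)
link_share installfiles 'D:\data\installfiles' "$demo_root"   # constructed
link_share backups      'D:\data\ucbackups'    "$demo_root"   # constructed
link_share cdr          'E:\cdr'               "$demo_root"   # constructed
ls -l "$demo_root"
```

On a full Cygwin installation, cygpath -u performs the same path conversion as win2cyg; the function here just makes the /cygdrive mapping explicit and runs anywhere. The existence check matters on a shared host: creating the link inside a directory that already exists would quietly expose that directory’s contents under the name you thought you were defining.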
To lock down the system, I first recommend using SSH protocol version 2 only. You can accomplish this by editing the sshd_config file (i.e. “c:/copssh/etc/sshd_config”). I would use a program like Notepad++ for the edit myself; WordPad works as well.
In the sshd_config file, add the line “Protocol 2”. This forces protocol version 2. You can also modify other parameters:
PasswordAuthentication no   # disables tunneled clear-text passwords
DenyUsers Administrator Guest Root
A decent recommendation on configuring the sshd_config file is available here.
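The three sshd_config settings above, together with the later advice to test what you have locked down, as an added example that is neither the post’s own nor copSSH’s: a POSIX shell script that applies each directive idempotently (replacing a commented-out default such as “#PasswordAuthentication yes” instead of leaving a second copy behind, since sshd honours the first active occurrence) and then audits the file. The function names (set_directive, get_directive, audit_config, harden_config) and the sample config written to a temporary directory are assumptions; on a copSSH host the real file is the one named in the text, seen as /etc/sshd_config from inside the Cygwin shell.

```shell
#!/bin/sh
# Added example (not from the original post or the copSSH project): set the
# sshd_config directives discussed above idempotently, then verify them.
# The sample config below is constructed; point the functions at the real
# file (c:/copssh/etc/sshd_config, i.e. /etc/sshd_config in the Cygwin
# shell) to use them for real, and restart the copSSHd service afterwards.

# set_directive FILE KEY VALUE
# Rewrites the first line for KEY, whether active or commented out
# ("#PasswordAuthentication yes"), as "KEY VALUE"; drops later duplicates;
# appends the directive if the file never mentioned it. Keyword match is
# case-insensitive, as in sshd itself.
set_directive() {
    file=$1; key=$2; value=$3
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0 }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)        # strip indent and "#"
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next                                # discard duplicates
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_directive FILE KEY -> prints the value of the first *active* KEY line
# (the one sshd will actually use); prints nothing if it is unset.
get_directive() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                         # ignore comments
        tolower($1) == tolower(key) { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_config FILE
# Reports each hardening directive from the post; returns 0 only when all
# three are in effect.
audit_config() {
    file=$1; rc=0
    for want in "Protocol 2" "PasswordAuthentication no" \
                "DenyUsers Administrator Guest Root"; do
        key=${want%% *}; value=${want#* }
        have=$(get_directive "$file" "$key")
        if [ "$have" = "$value" ]; then
            echo "ok:      $key $have"
        else
            echo "MISSING: $key $value (currently: ${have:-unset})"
            rc=1
        fi
    done
    return $rc
}

# harden_config FILE  -> applies all three directives
harden_config() {
    set_directive "$1" Protocol 2
    set_directive "$1" PasswordAuthentication no
    set_directive "$1" DenyUsers "Administrator Guest Root"
}

# Demonstration on a constructed file resembling a stock OpenSSH config.
demo=$(mktemp -d)
cat > "$demo/sshd_config" <<'EOF'
# constructed sample, not a real copSSH sshd_config
Port 22
Protocol 2,1
#PasswordAuthentication yes
Subsystem sftp /usr/sbin/sftp-server
EOF
echo "--- before"; audit_config "$demo/sshd_config"
harden_config "$demo/sshd_config"
echo "--- after";  audit_config "$demo/sshd_config"
cat "$demo/sshd_config"
```

Two caveats worth knowing before running this against a production host. First, “PasswordAuthentication no” leaves the activated accounts with public-key authentication only, so confirm that every UC application that will push files to this server can authenticate with a key before you disable passwords. Second, OpenSSH dropped protocol 1 entirely in release 7.6 and ignores the Protocol directive since then; on those builds the audit line for it is informational rather than a finding.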
In addition to configuring the sshd_config file, you should also make sure that you apply appropriate NTFS permissions on your Windows system to restrict access. From an ITeF!x FAQ:
- Create a local Windows permissions group (example copsshdUsers)
- Deny access to all folders for the copsshdUsers group:
c:\>cacls c:\ /c /e /t /d copsshdUsers
- Now, you can go to the individual folders to which you want to allow access (using the Security tab on the folder in question). Remove the “Deny” permission setting and replace it with the permissions you wish to allow.
- Add copssh users to the copsshdUsers group (assuming that you are creating users *just* for copssh access)
- Activate the user
When activating a user, you can also force the user to have SFTP access only. Yes, copSSH can also allow users to “SSH” to the Cygwin bash console. To activate a user with SFTP access only, see the following example:
NetCraftsmen recommends that once you stand up a server running copSSH, you test your security measures to make sure that users can’t access anything you intend to restrict.
Which Cisco UC Products Use SFTP Anyway?
The following products use SFTP as a standard method for “sharing” files:
- Cisco Unified Communications Manager (CUCM)
- Cisco Unified Presence Server (CUPS)
- Cisco Unified Mobile Advantage (CUMA)
- Cisco Unity Connection
FYI, you can actually load copSSH on Windows-based Cisco UC applications if you wish. However, it isn’t necessarily supported by Cisco. Also, I know that Cisco CSA on a UCCX/IPCCX system will actually block the copSSH service from doing its thing.
It should also be noted that MeetingPlace Express (MPE) is the oddball. It does support SCP and SFTP file sharing. However, its upgrade methodology uses rsync over SSH, not SFTP. Fortunately, ITeF!x provides an installer for rsync as well (called cwRsync).