Secure File Transfers With Fugu
Volume Number: 19 (2003)
Issue Number: 7
Column Tag: Reviews
Secure File Transfers With Fugu
Review and how to for Fugu
by Brian Shin
Your Last bite?
Anybody who speaks Japanese would recognize fugu as the diodon holocanthus, the poisonous blowfish. This delicacy, popular in Japan and the Philippines, contains a poison called tetrodotoxin, 1200 times deadlier than cyanide. Of course this has nothing to do with our Fugu, a wonderful graphical interface to secure file transfer (SFTP) and secure copy (SCP). Fugu's home page is http://rsug.itd.umich.edu/software/fugu/. Fugu is freeware and can be downloaded from http://rsug.itd.umich.edu/software/fugu/download.html.
Prying Eyes
Our non-toxic Fugu allows us to transfer files with the same ease of use of Fetch but retains the security of command line SFTP and SCP. Regular FTP sends the user name and password in clear text. This means anybody who can sniff your Ethernet packets, can get your user name and password. Using Etherpeek(TM) and a shareware hex editor, I was able to sniff out my own FTP user and password in just a few minutes;
User;
\.USER jlpi
card. 5C 01 55
53 45 52 20 6A 6
C 70 69 63 61 72
64 0D. .....
Password;
].PASS ent
erpris 5D 0E 50
41 53 53 20 65
6E 74 65 72 70 7
2 69 73. e.....
As you can see, the hex editor allows me to read the user name "jlpicard" and the password "enterprise". With FTP this easy to hack, you can see why it is important to use SFTP and SCP. Running the same test using Fugu rendered the encrypted user and password completely inaccessible and protected from prying eyes.
Keep the Door Closed
Another benefit from using Fugu is not having to use port 21 (FTP), one of the most common ports used for hacking. Port 21 is subject to constant attack from hackers on the internet. Fugu uses port 22 instead of port 21. This allows you to turn off your FTP servers and close port 21. A search on Google for FTP hacks will leave you stunned as to what hackers are doing with FTP and port 21.
Making the Connection
Servers you connect to need to have SSHD running. In OS X, getting SSHD running is as easy as going into System Preferences, select the Share pane, select the services tab, and turning on Remote Login. For OS X server, you can configure this in the server admin utility. If you are on a different server, go to http://www.openssh.org/ for the installer.
Making the connection with Fugu is as easy as it gets:
Figure 1. Connecting to a server with Fugu is as simple as entering the IP address and user name.
Figure 2. Type in the password and press Authenticate.
Figure 3. After you authenticate, Fugu will take you to the users home directory.
Once connected to the server, Fugu behaves like just about any other FTP client. The only exception is folder copying. According to the documentation, SFTP does not support folder copying. Fugu circumvents this by turning the folder copy attempt from SFTP into a SCP. Fugu will also ask you to re-authenticate the copy. This works fine but it will not retain the directory information of the copy. For example, you need to copy the directory ../stuff to your computer at ../Desktop/stuff. The contents of../stuff on the remote computer will all be dumped to ../Desktop.
Connect with SFTP
Under the SFTP menu you can get info on files and folders on your system and the remote computer. If you open the console window, you can see command line equivalents to your graphical work and enter direct commands. Notice of all the keyboard commands in the SFTP menu. They make navigation between remote and local directories and panes quick and painless.
Connect with SCP
SCP transfers work differently than SFTP. Rather than moving files back and forth between computers, SCP transfers 1 file or a directory at a time.
Connections are similar to SFTP but you need the name of the file you want to send or get before-hand.
Figure 4. Enter file, upload/download, user id and path.
After you enter this information, a new window will appear to enter the password. If the upload/download transfers correctly Fugu will give you the following message;
Figure 5. Copy to server successful with option for more transfers.
No safe harbor for your ship?
Now, what happens if you need to connect to a FTP server that does not use SFTP or SCP? You can create a SSH tunnel to protect yourself. From the SSH menu, select new SSH tunnel or press command-T.
Figure 6. New SSH Tunnel window.
Enter the remote host and tunnel host IP numbers. The remote port is usually port 21 and the local port can be any port greater than 1024. Enter your user name for SSH; the port is optional. You will be prompted for your password after you hit the start tunnel button.
Now that your tunnel is up, your FTP connection will be redirected securely through your tunnel host to the FTP server.
Must have program
Fugu is the kind of application that makes OS X so wonderful. It provides a graphical front end to powerful Unix command line tools. The console window gives the user the best of both worlds by allowing users to see what the graphical front is doing and giving the users an opportunity to type in your own commands.
Keyboard lovers will be pleased that every feature you can access with your mouse has a keyboard equivalent. The keyboard shortcuts are listed with every pull down menu. A comprehensive list of them is available from the help menu.
Installation of Fugu simple, and problem free. The user manual explains features in detail, and provides screen shots of how to use each feature. The manual also has extensive version history and a decent FAQ section.
The source code to Fugu is publicly available and there are German, Dutch, and Japanese localizations. French, Spanish, and Russian are on the way. With publicly available source code, localizations, Fort Knox security, great ease of use, a well-written manual, and top it off with a total cost of free makes Fugu THE essential tool for sharing files over the internet that no user should go without.
Brian Shin once worked for us at MacTech, but moved on to run his own company, providing accounting software solutions to Mac run businesses. Between SCUBA dives, he also provides consulting and other programming services. You can reach him at brian@prometheia.com.
