Obtaining and configuring Secure FTP clients

  • 10085857
  • NOVL91605
  • 04-Aug-2003
  • 11-Jan-2006

Archived Content: This information is no longer maintained and is provided 'as is' for your convenience.


Obtaining and configuring Secure FTP clients


Novell NetWare 6.5

Novell NetWare FTP Server (NWFTPD.NLM)


NetWare 6.5 introduced the capability of doing secure (SSL-encrypted) FTP sessions compliant with RFC 2228.  Obtaining and configuring an FTP client which is also compliant with RFC 2228 is necessary in order to make use of this feature.  The document discusses the security methods and some possible 3rd-party FTP clients and configuration suggestions.  Novell attempts to insure the accuracy of this information, but as some of it applies to 3rd-party software, there may be errors or omissions.

Note that this topic - securing traditional FTP through SSL, compliant with RFC 2228 - is not connected with the subject of OpenSSH it's SFTP.  OpenSSH and it's SFTP are completely different protocols from traditional FTP and SSL (although, in some cases both types can be done from within one client program).


FTP Security Extensions – Overview


This document gives an overview about security extensions and describes the behavior of the FTP server with a few secure FTP Clients.  There are many more secure FTP clients available than those listed here.  This document is not meant to imply that these are the preferred clients.  These are simply some which Novell has tested.  Also note that this document is only meant to discuss the traditional FTP protocol (as per RFC 959) extended to run under SSL (as per RFC 2228).  This information does not apply to SSH or it's SFTP service.


Netware 6.5 FTP Server enables secure ftp clients (that support SSL, TLS mechanisms) to establish secure connections with the server.  As soon as a connection is established, the client and the server negotiate the security parameters.  On successful negotiation, they begin to communicate securely. Currently the Netware 6.5 FTP server supports the following mechanisms and commands related to security extensions.

  1. SSL, TLS, TLS-C , and TLS-P encryption mechanisms.
  2. Command channel and Data channel encryption are supported.
  3. Support commands:
    a. AUTH <Mechanism Name>
    b. PBSZ <Protection Buffer Size>
    c. PROT <Protection Level>


Some Secure FTP Clients:

1. SmartFTP v1.0.  : This is a GUI-based FTP client with the ability to do secure connections.

Location : http://www.smartftp.com/

First the client has to be configured to set up a secure session. Follow these steps:

a. Go to Tool->Settings->Connections->SSL.

In the "Auth Mode" field select "SSL" (or whatever mechanism is preferred).

In the "Data Connection Mode" select "Private Data Connection," unless you prefer data connections remain un-encrypted, in which case select "Clear Data Connection."

b. Creating a client Certificate is optional. Netware FTP server does not need a client certificate.

c.  Click OK to close the Settings window.

d.  On the Address Bar, drop down the "Address" item (not the address itself, but the page icon next to the word "Address").  Select FTP Over SSL (Explicit).

2.  CoreFTP 1.3 (Lite and Pro).  This is a GUI-based FTP client with the ability to do secure connections, and offers support for both OpenSSL and Windows SSL.

Location:  http://www.coreftp.com

In Site Manager, when defining a site:

a.  Under SSL Options, mark Auth SSL or Auth TLS (not SSL Direct).   This will enable SSL-encrytped FTP control connections.  (Encrypted commands, i.e. so usernames, passwords, etc. are protected).

b.  Select either OpenSSL or Windows SSL (both should work, but Novell officially supports OpenSSL).

c.  Optionally select SSL Listings (for encrypted directory lists) and SSL transfers (for encrypted file transfers).

d.  Core FTP also offers an option for SSH/SFTP.  This is for SSH and it's Secure File Transfer Protocol (a different protocol).  If selected that will try to connect via Secure Shell to SSHD (SSHD.NLM) rather than through FTP using SSL, to NWFTPD.NLM.  SSHD is outside the scope of this document, but Core FTP works well with NetWare 6.5's SSHD.NLM as well.

3.  WS_FTP Pro.   This GUI FTP client offers SSL security as well, and works with Novell FTP on NetWare 6.5 SP3 and NetWare OES.  Details will be added here later.

Location:&n.bsp; http://www.wsftp.com/

4.  Cute FTP Pro.  This GUI FTP client offers SSL security as well, and works with Novell FTP on NetWare 6.5 SP3 and NetWare OES.  Details will be added here later.

Location:  http://www.cuteftp.com/

5. Secure FTP 2 .  This is a text (command line) based Secure FTP client.

Location: http://www.glub.com/products/secureftp/download.shtml

Note: you should install java for this client. It is available at http://java.sun.com/j2se/1.3/download.html

Here is an example of a FTP connection dialog when using this client:

ftp> open <server_name>

Generating the random seed... done.

Attempting to make an implicit SSL connection to <server_name> on port 990.

Connection failed.

Attempting to make an explicit SSL connection to <server_name> on port 21.

220 Service Ready for new User


https://primus.i-login.net/iView/ui/234 Enabling SSL


200 Protection Buffer Size set. PBSZ=0


200 Protection Level is set

Name (<server_name>):  <user_name>

After logging in, use the command ‘dataencrypt’ to toggle between clear and encrypted data channel encryption.


6. ftps.  This is a command line FTP client from Free BSD which can be installed in Windows and Unix machines.

Location: http://bsdftpd-ssl.sc.ru/

Note: you should install the binaries for OpenSSL. Available in the same location.

Example of connection dialog:

220 Service Ready for new User

Name (<server_name>:none): .user.novell


234 Enabling SSL

[TLSv1/SSLv3, cipher DES-CBC3-SHA, 168 bits]

---> USER .admin.novell

331 Password Needed for Login



230 User admin Logged in Successfully

---> SYST

215 NETWARE Type : L8

Remote system type is NETWARE.

ftps> prot

---> PBSZ 0

200 Protection Buffer Size set. PBSZ=0

---> PROT C

200 Protection Level is set

TLS/SSL protection of data connections off.


This client has implemented "PROT on/off" command to enable or disable encryption on data channel.   The data channel is encrypted by default.   To toggle between secure and insecure data channels type Prot on and Prot Off respectively.

 7.  sslftp.  This is a command line secure FTP Client.  To work with NetWare, it must be version 2.2s, January 9, 2006, or later.  To check your version, give the command:  sslftp -version

Location: http://www.netwinsite.com/surgeftp/sslftp.htm

If the above link does not hold version 2.2s or later, use the following link:  http://netwinsite.com/ftp/surgeftp/sslftpi2-2s_windows.exe


This client assumes that the data channel will be encrypted, but does not issue the necessary commands to set that method.  Therefore, some extra manual commands are needed before initiating data transfers (including directory listings).

To use this client:

Issue the command:  sslftp <servername>
Submit username and password.
Issue the command:  literal pbsz 0
Issue the command:  literal prot p

Example of the full connection dialog the above sequence generates:

Connected to
read 1964> 220 Service Ready for new User
220 Service Ready for new User
out 1964> AUTH TLS-P
read 1964> 234 Enabling SSL
234 Enabling SSL
starting SSL/TLS
secure protocol SSLv3 used.
Could not open (C:\WINDOWS\netrc.txt) No such file or directory
(secure) User: test1
out 1964> USER test1
read 1964> 331 Password Needed for Login
331 Password Needed for Login
(secure) Password: *******
out 1964> password sent
read 1964> 230 User test1 Logged in Successfully
230 User test1 Logged in Successfully
Type in "save" to save login details to C:\WINDOWS\netrc.txt
sslftp> literal pbsz 0
n=3 arg_str={pbsz 0} p[0]={literal} p[1]={pbsz} p[2]={0} p[3]={(null)}
out 1964> pbsz 0
200 Protection Buffer Size set. PBSZ=0
sslftp> literal prot p
n=3 arg_str={prot p} p[0]={literal} p[1]={prot} p[2]={p} p[3]={(null)}
out 1964> prot p
200 Protection Level is set


Feedback service temporarily unavailable. For content questions or problems, please contact Support.