SSH - Overview

The MOVEit DMZ SSH server provides both FTP over SSH and SCP2 services. SSH access is provided to the same underlying folder and file structure made available through MOVEit DMZ's SSH and Web Interface as well. SSH telnet access is NOT provided by this server.

Notable Features

MOVEit DMZ SSH runs as a standalone application (not part of IIS). Some of its notable features are listed below.

Typical SSH Environment

SSH is a secure transport protocol conceptually similar to SSL. Both protocols use public/private key cryptography to negotiate a shared key and symmetric encryption algorithm. This shared key is then used to encrypt succeeding data transfer. The main difference between the protocols is that SSL supports the concepts of "CA" and delegated trust, whereas SSH requires each endpoint to individually trust every other endpoint.

FTP over SSH is primarily associated with UNIX, whereas FTP over SSL is typically associated with Windows and mainframes.

SSL's ease of large-scale deployment is the reason why HTTP over SSL - HTTPS - is more popular than a (theoretical) "HTTP over SSH" protocol. SSH's ease of self-key-generation and configuration is the reason why telnet over SSH (typically also called just SSH) is more popular with router technicians and Unix server administrators than telnet over SSL. MOVEit DMZ takes advantage of both models by supporting both SSL and SSH.

For more information, see "SSH - Protocol Discussion".
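The trust model described above (no CA; each client pins the host keys it has decided to trust) is what an SSH client's known_hosts check implements. The following is an added illustration, not code from MOVEit DMZ or from this documentation: a minimal known_hosts lookup that computes the OpenSSH-style SHA256 fingerprint of a presented host key and reports whether the host is pinned and matches, pinned but different (refuse and investigate), or not yet known (verify the fingerprint out of band before trusting). The host names and key blobs are constructed, not real keys.

```python
import base64
import hashlib

# Constructed sample known_hosts content in the OpenSSH "host keytype base64blob"
# layout. The key material is made up for this example and is not a real key.
KEY_A = base64.b64encode(b"\x01" * 32).decode()
KEY_B = base64.b64encode(b"\x02" * 32).decode()

KNOWN_HOSTS = f"""# hypothetical pinned hosts (constructed)
moveit.example.com ssh-ed25519 {KEY_A}
backup.example.com ssh-rsa {KEY_B}
"""


def fingerprint(key_blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the SHA-256 digest of the raw
    key blob, with the trailing '=' padding removed."""
    raw = base64.b64decode(key_blob_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map each host name to its pinned (keytype, base64blob).

    Blank lines and comments are skipped. Hashed (|1|...) entries and @marker
    lines are deliberately not handled in this small example."""
    trusted = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        hosts, keytype, blob = parts[0], parts[1], parts[2]
        for host in hosts.split(","):
            trusted[host] = (keytype, blob)
    return trusted


def check_host_key(host: str, keytype: str, blob_b64: str, trusted: dict) -> str:
    """Return 'match', 'mismatch' or 'unknown' for a presented host key.

    'mismatch' means the host is pinned but presents a different key: the client
    should refuse to connect until the change is explained (re-keyed server or
    interception). 'unknown' means nothing is pinned yet; with no CA to ask,
    the operator must verify the fingerprint by another channel first."""
    if host not in trusted:
        return "unknown"
    pinned_type, pinned_blob = trusted[host]
    if pinned_type == keytype and fingerprint(pinned_blob) == fingerprint(blob_b64):
        return "match"
    return "mismatch"


if __name__ == "__main__":
    pins = parse_known_hosts(KNOWN_HOSTS)
    print(fingerprint(KEY_A))
    print(check_host_key("moveit.example.com", "ssh-ed25519", KEY_A, pins))
    print(check_host_key("moveit.example.com", "ssh-ed25519", KEY_B, pins))
    print(check_host_key("other.example.com", "ssh-ed25519", KEY_A, pins))
```

Comparing fingerprints rather than raw blobs mirrors what an operator actually does when confirming a new server out of band: the value printed here is the one to read back to the server administrator before accepting an "unknown" host.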

Installation

MOVEit DMZ SSH is installed automatically with MOVEit DMZ.

The setup program for MOVEit DMZ provides the option of installing MOVEit DMZ SSH as a service. Normally, you will install the program as a service. However, you can instead run the program manually by choosing the Start menu shortcut "Run MOVEit DMZ SSH manually" after installation. In manual mode, MOVEit DMZ SSH displays a window containing two subwindows, one showing the status of the current connections and the other showing a scrolling list of messages.

Note: In order to generate the server public key, MOVEit DMZ SSH server requires write access to the directory into which it is installed, typically Program Files\MOVEit. This is automatically granted when the program is running as a service under the local system account, which is the default. However, when you run the program manually under a non-administrative account, the program may not have write access to the directory.

MOVEit DMZ SSH's window is normally not displayed when it is running as a service. However, you can cause it to be displayed by changing the service to allow it to interact with the desktop. To do this on Windows 2003, choose Start / Settings / Control Panel / Administrative Tools / Services, and choose the MOVEit DMZ SSH service. Right-click and choose Properties. Choose the Log On tab. Choose Allow service to interact with desktop. You will have to stop and restart the service for this change to take effect.

Directory Structure

MOVEit DMZ SSH's directory structure is the same as that which is visible through the web interface, except for those users who have the "Chroot" option enabled for their default folder. Those users will only be able to see the files and folders in and below their default folder and will not be able to navigate to folders outside their default folder. See the User Settings - Default Folder section of the Web Interface - Users - Profile documentation page for more details.

The initial directory upon logon depends on the user type. End users and group admins will be placed in their default folder (usually their home folder), while administrators will be placed in the root folder.

User type        Initial directory
SysAdmin         /
Administrator    /
FileAdmin        /
GroupAdmin       The GroupAdmin's home directory or a designated default folder
User             The User's home directory or a designated default folder
TempUser         N/A (not allowed to sign on to SSH)

A "dir" command shows only the folders to which the user is permitted access, so not all users will get the same results from a "dir".

Disabling the SSH Service

To disable the MOVEit DMZ SSH service you may use the Microsoft Services control panel to mark the MOVEit DMZ SSH service as disabled. The MOVEit DMZ "Check" utility (usually run after installations and upgrades) will automatically be aware if you have disabled the SSH service and will not try to check it in that situation.