Secure FTP with RSA Authentication Using OpenSSH v3.4-1 on Windows 2000

Dylan Beattie, July 2002


This document outlines how to use the OpenSSH tools to create a secure file transfer mechanism which can be automated via shell scripts or batch files. One application of this - the thing we're using it for - is to allow our clients to automate the data transfer process from their sales mainframe to our web servers, without any danger of the information contained therein being compromised in transit. In a nutshell; at eight every night, their mainframe spits out a fresh batch of sales figures; at nine every night, this is automatically uploaded to our server via SFTP using RSA authentication, and at midnight, our server picks up the fresh data from the upload directory and imports it into the database. This document describes how we set up the middle stage of this process - installing OpenSSH and configuring it to allow secure, unattended file transfer operations.

  1. The OpenSSH server is installed on the web server.
  2. The OpenSSH client tools are installed on the remote machine(s).
  3. An RSA key pair is generated at each client machine
  4. The public key from each of these key pairs is sent to the server and added to the list of authorised keys.

These examples are based on a fictional Windows 2000 Server called fortress, with the fully-qualified internet hostname This machine is not part of a Windows NT domain, but is configured as a stand-alone server, and we've created a local Windows user account called johndoe.

Command transcripts are shown in monospaced type, with the bits you type shown in bold

These examples are tested and verified for OpenSSH v3.4-1 running on Windows 2000 Server, and have been tested using both the Windows and Linux versions of the OpenSSH client utilities. Other version/platform combinations may or may not work as described here.


I'm by no means a security expert, and I'm not an OpenSSH guru. If you find these notes helpful, great - if you don't, there's plenty of more detailed resources out there which will answer your questions if you take the time to read them properly. Contributions and testimonials are welcome; questions will be read and possibly answered but I'm making no guarantees, and please don't rely on this information for anything important. I don't know whether it's the most secure or most effective way of doing this, but it works and that's good enough for me. If it's not good enough for you, don't use it :)


Install OpenSSH on the WWW server

  1. Get OpenSSH from Run the installer, accepting all default options.These instructions assume OpenSSH has been installed to C:\Program Files\NetworkSimplicity\
  2. Check Windows file/folder permissions, and make sure the local user johndoe has Full Control of the C:\Program Files\NetworkSimplicity\ssh\ directory and all it's sub-directories, otherwise you'll get odd 'Access Denied' messages when you try to upload the public key files later.
  3. Configure the passwd and group files within the OpenSSH configuration as follows. Here, we create an entry for the local user 'fortress', and a standard local group file. If you're setting up domain users or inter-domain trust relationships, consult the documentation.
    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-2000 Microsoft Corp.
    C:\Program Files\NetworkSimplicity\ssh>mkpasswd -l -u johndoe >> ..\etc\passwd
    C:\Program Files\NetworkSimplicity\ssh>mkgroup -l >> ..\etc\group
  4. Type net start opensshd at the command line to start the server

Install OpenSSH on the client workstation

  1. Get OpenSSH from Run the installer, selecting only the client tools. These instructions assume OpenSSH has been installed to c:\Program Files\networksimplicity\
  2. From the command line, verify that you can connect to the server using ssh [ssh syntax is ssh username@host] - here, I connect and then run the hostname command just to make sure I'm connected to the right place :) You may be warned that the server's identity cannot be verified -
    C:\Program Files\NetworkSimplicity\ssh>ssh's password:
    Last login: Thu Jul 11 17:26:43 2002 from
    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-2000 Microsoft Corp.
    (fortress) C:\Program Files\NetworkSimplicity\ssh>hostname
    (fortress) C:\Program Files\NetworkSimplicity\ssh>exit
    Connection to closed.
    C:\Program Files\NetworkSimplicity\ssh>
    This confirms that the server is accessible and correctly configured, and that the client tools are installed correctly on the client workstation.

Configure the server to allow RSA key-pair authentication

  1. Find the sshd_config file on the server (ours is in C:\Program Files\NetworkSimplicity\ssh), and check the following lines exist:

    Protocol 2,1
    (default is Protocol 2)

    RSAAuthentication Yes
    (default is RSAAuthentication no)

Create a key pair on the client and export the public key to the server

Here we use ssh-keygen.exe to create a 1024-bit RSA key pair. The private key stays on the client machine and must be kept safe - if this key is compromised, the security of the system is compromised. The public key is exported to the server, where it must be appended to the file C:\Program Files\NetworkSimplicity\ssh\.ssh\authorized_keys (Note that on a newly-installed server, this file may be blank or non-existent.)

The following session transcript demonstrates the entire process, via SSH tools from the client machine.

First, we run ssh-keygen specifying an RSA key type. NOTE: Supply an EMPTY passphrase, otherwise you'll be asked to type the passphrase whenever you use the key - which is not really what we want.

C:\Program Files\NetworkSimplicity\ssh>ssh-keygen.exe -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/bin/.ssh/id_rsa): johndoe.key
johndoe.key already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in johndoe.key.
Your public key has been saved in
The key fingerprint is:
ec:30:03:39:06:96:9f:a7:15:ed:4a:2e:de:64:bc:14 Dylan Beattie@DYLAN_PC

This has created two files - a file called johndoe.key containing your private key, and a file called containing the public key.

The private key needs to be moved into the c:\Program Files\networksimplicity\ssh\.ssh:

C:\Program Files\NetworkSimplicity\ssh>move johndoe.key .ssh

The public key must first be copied to the corresponding .ssh directory on the server (done here using SFTP):

C:\Program Files\NetworkSimplicity\ssh>sftp
Connecting to's password:
sftp> cd .ssh
sftp> put
Uploading to /bin/.ssh/
sftp> exit

...and then we connect via SSH and append the contents of the file to the authorized_keys file in the .ssh directory.

C:\Program Files\NetworkSimplicity\ssh>ssh's password:
Last login: Thu Jul 11 17:27:55 2002 from
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

(fortress) C:\Program Files\NetworkSimplicity\ssh>cd .ssh

(fortress) C:\Program Files\NetworkSimplicity\ssh\.ssh>dir
 Volume in drive C is SYSTEM
 Volume Serial Number is 403A-24CD

 Directory of C:\Program Files\NetworkSimplicity\ssh\.ssh

07/11/2002  05:40p      >DIR<          .
07/11/2002  05:40p      >DIR<          ..
07/11/2002  04:56p                 232 authorized_keys
07/11/2002  05:40p                  23 environment
07/11/2002  05:40p                 232
07/11/2002  04:56p                 232
03/27/2002  03:25p                  58 rc
               5 File(s)            777 bytes
               2 Dir(s)   1,376,125,952 bytes free

(fortress) C:\Program Files\NetworkSimplicity\ssh\.ssh>type >> authorized_keys

(fortress) C:\Program Files\NetworkSimplicity\ssh\.ssh>exit
Connection to closed.

C:\Program Files\NetworkSimplicity\ssh>

That's it. We're now ready to test our RSA authentication.

Test the RSA Authentication

We can now connect by specifying the filename of our private key on the command line, rather than supplying a password as part of the connection process. This means that anyone who has your private key can assume your identity and compromise your server. So be careful with it.

To establish an SSH connection using RSA authentication, specify the location of the private key file with the -i option.

C:\Program Files\NetworkSimplicity\ssh>ssh -i .ssh\johndoe.key
Last login: Thu Jul 11 17:40:15 2002 from
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
(fortress) C:\Program Files\NetworkSimplicity\ssh>exit
Connection to closed.
C:\Program Files\NetworkSimplicity\ssh>

To establish a Secure FTP connection (SFTP) using RSA authentication, use the -oIdentityFile option:

C:\Program Files\NetworkSimplicity\ssh>sftp -oIdentityFile=.ssh\johndoe.key
   Connecting to

And there you have it - a secure FTP connection created without specifying a password.

Creating a batch SFTP script

Using the -b switch, sftp can run a sequence of commands from a batch file rather than as an interactive session. Here, we're going to write a batch script that will connect, upload a set of files from C:\EXPORT\ on the local machine (our workstation) to W:\ftproot\upload\ on our server. This also demonstrates something called CygDrive notation - Cygnus' (and OpenSSH's) way of accessing Windows drive letters in a Unix-style environment.

First, create the file c:\export\nightly_upload.ftp (or whatever you want to call it) - which should look something like:

put /cygdrive/c/export/prices.csv /cygdrive/w/ftproot/upload/prices.csv
put /cygdrive/c/export/offers.csv /cygdrive/w/ftproot/upload/offers.csv
put /cygdrive/c/export/accounts.csv /cygdrive/w/ftproot/upload/accounts.csv

Note how we're using /cygdrive/c/ to denote drive C:\ on the local machine, and /cygdrive/w/ to denote drive W:\ on the remote machine.

Then create the Windows batch file that will call SFTP with the appropriate arguments - note the PROGRA~1 shorthand for Program Files to get around potential problems with pathnames containing spaces. The contents of upload.bat look like this - and should be all on one line:

c:\progra~1\networksimplicity\ssh\sftp.exe -oIdentityFile=c:\progra~1\networksimplicity\ssh\.ssh\johndoe.key -b c:\export\nightly_upload.ftp

Note that we're using fully-qualified path names throughout - advanced users, feel free to use the 'Start in Folder...' feature of the Task Scheduler or other means to make this look a bit more elegant, but this syntax is most reliable.

Finally, use the Windows Task Scheduler to run upload.bat at 21:00 every night (or whenever), and you're in business.

Links & Acknowledgements

OpenSSH for Windows:

Documentation copyright © Dylan Beattie 2002 except where indicated.

Permission is granted to copy, distribute and/or modify this documentation under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts and no Back-Cover Texts.