Windows – UNC vs. SFTP vs. SSH for uploading to a Windows server

sftpsshuncwindows

I understand that UNC (Uniform Naming Convention), SFTP, and SSH are different interfaces (protocols?) that can be used to upload files to a server. But feature-wise, how do they differ? Are there things you can do with one that you cannot do with another? Is one more secure than another?

The situation I want to fix is one where we have several Windows servers and VPC's, some of which have SFTP servers and some of which don't. For those that don't we use UNC over a VPN shared by the entire enterprise. What I want to do is either use all UNC, all SFTP, or all SSH (unless a real need to vary on a case-by-case basis presents itself).

Links would be excellent. My biggest problem here is that my googling brings up irrelevant results. 🙁

EDIT: Our needs are simply to upload files to Windows servers, including VPC's, both manually and automatically (e.g. via command-line tools). When we upload, we really need files to not be seen by anyone else.

EDIT: All users have Active Directory domain accounts, so it would be nice (though not strictly necessary) to use these. Any authentication that is reasonably secure (Windows or otherwise) will work.

Best Answer

Your question is a bit vague. I assume that you mean the Uniform Naming Convention (Wikipedia) by UNC. UNC is not a way of sharing files, but just the addressing mechanism for Windows file shares. The underlying protocal that actually transports the data is SMB/CIFS. If you search for information about the Windows file sharing mechanism, it would be better searching for "SMB" or "CIFS".

The other problem that I have with your question is how SSH fits in, because it does not implement file sharing by itself, but you would use it for tunneling other protocols, like e. g. SMB. You could replace you VPN with an SSH tunnel, but if you have only Windows machines, I would not recommend this.

My personal opinion when comparing SMB and SFTP is that SMB is much more convenient for Windows users, because it is integrated into the OS and you can map SMB shares are network drives. Also, Windows will establish the connection when you access the resource whereas you have to use an FTP client for SFTP. However, I do not know enough of your application scenario to give you any specific recommendations.

For Git Bash

If you are running msysgit (I am assuming you are) and are looking to run Git Bash (I recommend it over TortoiseGit, but I lean to the CLI more than GUI now), you need to figure out what your home directory is for Git Bash by starting it then type pwd (On Windows 7, it will be something like C:\Users\phsr I think). While you're in Git Bash, you should mkdir .ssh.

After you have the home directory, and a .ssh folder under that, you want to open PuTTYgen and open the key (.ppk file) you have previously created. Once your key is open, you want to select Conversions -> Export OpenSSH key and save it to HOME\.ssh\id_rsa. After you have the key at that location, Git Bash will recognize the key and use it.

Note: Comments indicate that this doesn't work in all cases. You may need to copy the OpenSSH key to Program Files\Git\.ssh\id_rsa (or Program Files (x86)\Git\.ssh\id_rsa).

For TortoiseGit

When using TortoiseGit, you need to set the SSH key via pacey's directions. You need to do that for every repository you are using TortoiseGit with.

Linux – Creating multiple SFTP users for one account

Our solution is to create a main user account for each customer, such as flowershop. Each customer can create an arbitrary number of side accounts with their own passwords, such as flowershop_developer, flowershop_tester, flowershop_dba, etc. This allows them to hand out accounts without sharing their main account password, which is better for a whole bunch of reasons (for example, if they need to remove their DBA's account, they can easily do that without changing their own passwords).

Each one of these accounts is in the flowershop group, with a home folder of /home/flowershop/. SSH uses this as the chroot directory (/home/%u, as shown in the configuration in the question).

We then use ACLs to enable every user in group flowershop to modify all files. When a new customer account is created, we set the ACLs as follows:

setfacl -Rm \
d:group:admin:rwx,d:user:www-data:r-x,d:user:$USERNAME:rwx,d:group:$USERNAME:rwx,\
  group:admin:rwx,  user:www-data:r-x,  user:$USERNAME:rwx,  group:$USERNAME:rwx \
/home/$USERNAME/

This does the following:

Gives group admin (for us, the hosting providers) rwx
Gives user www-data (Apache) r-x to the files*
Gives user $USERNAME rwx to the files
Gives group $USERNAME rwx to the files

This setup appears to be working well for us, but we are open to any suggestions for doing it better.

_{* we use suexec for CGI/PHP running as the customer account}

Best Answer

Related Solutions

Git for Windows – How to Tell Git Where to Find Private RSA Key

For Git Bash

For TortoiseGit

Linux – Creating multiple SFTP users for one account

Related Topic