How Do I Use Winscp With A Bastion Host?
Overview of Winscp / Bastion Host
WinSCP is a free and open source SFTP, SCP, and FTP client for Windows. Since OpenSSH and the commercial SSH (Tectia) suite became widely available around 2000, there has been a variety of *nix SFTP clients to choose from, a handful of Windows-based ones, and both free and commercial SFTP servers. What matters for this guide is public/private key authentication: WinSCP supports it natively (it uses PuTTY-format .ppk keys and ships with PuTTYgen to convert OpenSSH keys), so you are not limited to the ssh + scp command line utilities, which work much like their old rcp counterparts.
A bastion host is a hardened system, exposed to the Internet, that relays connections to and from your internal network. Placing one in front of your home/work/private LAN lets you connect via SFTP, SSH, SCP, etc. from outside while exposing only that single, locked-down SSH service to anyone scanning your public IP address; the internal hosts themselves are never reachable directly.
Use Winscp With Bastion Host
1. Create an SSH key pair for your Windows user (with ssh-keygen, or WinSCP's bundled PuTTYgen). Keep the private key on your PC, protected with a passphrase; only the public key is copied to the bastion host (or to any other machine on your local network you want to transfer files to and from).
2. If using a commercial SFTP server, make sure it supports public/private key authentication; if not, use a free one such as OpenSSH's sshd.
3. On the bastion host create a Linux account for your Windows user. It will log in with the private key instead of a password. In this example we use the name 'bastion', but you can use any name of course:
4. Now on your Windows PC use WinSCP to set up a new connection:
5. Set the protocol options (SFTP or SCP over SSH), point the session at your private key file, and enter the key's passphrase when prompted:
6. Next, connect to the bastion host with the account created in step 3 (in this case bastion); for this first login, before the key is installed, use the account's password. You can confirm which account you landed in by typing 'whoami':
7. Once connected, navigate to ~/ (that is, /home/bastion/) and add the public key generated in step 1 to ~/.ssh/authorized_keys, one key per line. sshd ignores the file unless ~/.ssh is mode 700, authorized_keys is mode 600, and both are owned by the user:
8. After the public key is in place, back on your PC use WinSCP to upload a test file to the bastion host, for example from your own home directory:
9. Now reconnect to the bastion host from the saved WinSCP session; the login should succeed using only the key. Once that works, set PasswordAuthentication no in sshd_config so the password can no longer be guessed:
10. Next, navigate to ~/ (/home/bastion/) and remove the test file that was uploaded in step 8:
11. And that's it! You now know how easily you can transfer files securely using OpenSSH's public key authentication, which is much stronger than password logins: a password can be brute-forced or phished, while a private key that never leaves your PC cannot. Keep in mind this scheme still requires proper key management (hardened machines, passphrase-protected keys, rotating keys and revoking them when a person leaves or a laptop is lost) like any technology, but at least you are no longer relying on a reusable secret.
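The server-side half of steps 1 to 7, as an added example written for this page rather than taken from it. On the Windows side the key pair comes from ssh-keygen -t ed25519 (built into Windows 10 and later) or from WinSCP's bundled PuTTYgen; the script below is what you run on the bastion host once the public key text is there. The home directory, the account name 'bastion' and the public key are assumptions; the key is a constructed dummy and will not authenticate anything.

```shell
#!/bin/sh
# Added example, not from the original article: install a Windows user's public
# key for the 'bastion' account the way step 7 describes, with the permissions
# sshd's StrictModes insists on. The key below is a constructed dummy.
set -eu

# Constructed placeholder; a real ed25519 public key line has the same shape.
DEMO_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialForThisExampleOnly0000000 winuser@pc'

# install_authorized_key HOMEDIR 'PUBKEY LINE'
# Appends the key to HOMEDIR/.ssh/authorized_keys; a second run adds nothing.
install_authorized_key() {
    home="$1"; key="$2"
    ssh_dir="$home/.ssh"
    keys="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"        # sshd silently ignores keys if .ssh is group/world accessible
    touch "$keys"
    chmod 600 "$keys"           # same for authorized_keys
    if ! grep -qxF "$key" "$keys"; then
        printf '%s\n' "$key" >> "$keys"
    fi
    # When run as root on the user's behalf, also fix ownership, e.g.:
    # chown -R bastion:bastion "$ssh_dir"
}

# count_keys FILE -> number of key lines (blank lines and # comments excluded)
count_keys() {
    grep -cvE '^[[:space:]]*(#|$)' "$1" || true
}

# mode_of PATH -> symbolic permissions such as drwx------ (portable, via ls)
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Demonstration against a scratch directory rather than the real /home/bastion.
DEMO_HOME=$(mktemp -d)
install_authorized_key "$DEMO_HOME" "$DEMO_PUBKEY"
install_authorized_key "$DEMO_HOME" "$DEMO_PUBKEY"   # idempotent: still one key
echo "keys installed: $(count_keys "$DEMO_HOME/.ssh/authorized_keys")"   # 1
echo ".ssh mode: $(mode_of "$DEMO_HOME/.ssh")"                           # drwx------
rm -rf "$DEMO_HOME"
```

If a key login still falls back to a password after this, the permissions or ownership are the usual culprit; sshd logs the reason (journalctl -u ssh or sshd, or /var/log/auth.log), and ssh -v on the client shows whether the key was even offered.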
Benefits of using winscp with bastion host
Using the ssh-keygen command you generate the public and private keys. You upload only the public key to the bastion host, into /home/bastion/.ssh/authorized_keys. Once done, you can log in without a password. If you then also disable password logins in sshd (PasswordAuthentication no), the only way onto the server is with the matching private key, which never leaves your PC and is never transmitted over the Internet: the SSH handshake proves possession of it with a signature.
All data is transferred over an encrypted, integrity-protected channel, so nobody on the path can read or tamper with your files. SFTP and SCP are themselves the SSH-based methods WinSCP uses, so there is no speed advantage "over SFTP"; what you gain compared with plain FTP is confidentiality and integrity, not raw throughput. If your network link is slow, enabling SSH compression (the -C flag for ssh/scp, or WinSCP's "Enable compression" session option) can help for compressible data such as text and logs; on a fast LAN it usually just burns CPU and slows the transfer down.
SSH-based file transfer is secure and reasonably fast. SSH also offers connection multiplexing (several channels, such as a shell, a file transfer and a port forward, over one authenticated TCP connection), optional compression, interactive sessions and port forwarding, which is what lets a bastion host relay you on to machines behind it.
Only one tool
You will only need an SSH client, which is the all-in-one tool for your server administration tasks. That is a real benefit: you learn one tool, do your administration work with it, and become more efficient.
For Windows users: WinSCP is a solid alternative to FileZilla or other FTP clients. For Linux users: there are many tools available, but if you want to set things up just once, install the openssh-server package; it pulls in openssh-client, which provides the ssh, scp and sftp utilities.
OpenSSH is lightweight in its resource usage, so you will not run into problems even on old hardware or small virtual machines.
It is available on almost every Linux distro, Unix and macOS without any extra software. All you need is the ssh client installed on your system, which on Red Hat based systems comes from:
yum install openssh-clients -y . Note that this installs only the client; the sshd service comes from the separate openssh-server package (yum install openssh-server -y, then systemctl enable --now sshd so it starts after a reboot). For Debian and Ubuntu Linux: sudo apt-get install openssh-server openssh-client . Then check /etc/ssh/sshd_config: PubkeyAuthentication yes is the default, so just make sure nothing sets it to no, and once key login works add PasswordAuthentication no so the bastion host accepts keys only. Run sshd -t to validate the file before restarting the service.
If you want to enable key login for another user, edit that user's ~/.ssh/authorized_keys with your favorite editor (vim, nano, etc.) and paste in the public key from the machine you want to grant access to the bastion host. Save the changes and try to log in from that system with the username and its private key; it should work without a password. If it still prompts for one, check the file and directory permissions and the sshd log (journalctl -u ssh or sshd, /var/log/auth.log or /var/log/secure), which states why a key was rejected.
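Whether sshd really accepts keys only depends on which value of each keyword it takes, and that is easy to get wrong: sshd uses the first value it reads for a keyword, not the last. The checker below is an added example for this page, not part of the article or of OpenSSH; the sample config it inspects is constructed for the demonstration, and the keyword handling covers the global section only (a single argument per keyword, stopping at the first Match block).

```shell
#!/bin/sh
# Added example, not from the original article: report the value sshd will
# really use for a keyword. sshd keeps the FIRST value it reads for each
# keyword, so appending "PasswordAuthentication no" to the end of sshd_config
# does nothing if an earlier line already says yes. Put overrides in a drop-in
# file under /etc/ssh/sshd_config.d/ (Included at the top of the stock config on
# OpenSSH 8.2 and later) or change the original line, then run sshd -t.
set -eu

# effective_sshd_value CONFIG KEYWORD -> first uncommented value in the global
# section, or "unset" (meaning sshd's built-in default applies). Only the first
# argument of the keyword is printed.
effective_sshd_value() {
    cfg="$1"; key="$2"
    val=$(awk -v k="$key" '
        NF == 0 || $1 ~ /^#/      { next }           # blank lines and comments
        { sub(/=/, " "); $0 = $0 }                  # accept "Keyword=value" spelling
        tolower($1) == "match"    { exit }           # lines after Match are conditional
        tolower($1) == tolower(k) { print $2; exit } # first value wins, as in sshd
    ' "$cfg")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unset\n'; fi
}

# key_only_ready CONFIG -> success when public keys are accepted (default yes)
# and password logins are explicitly off (the default is yes, so it must be set).
key_only_ready() {
    if [ "$(effective_sshd_value "$1" PubkeyAuthentication)" != no ] &&
       [ "$(effective_sshd_value "$1" PasswordAuthentication)" = no ]; then
        return 0
    fi
    return 1
}

# Demonstration on a constructed sshd_config, not a real one.
DEMO_CFG=$(mktemp)
cat > "$DEMO_CFG" <<'EOF'
# constructed sample: someone "disabled" passwords by appending a line at the end
Port 22
PasswordAuthentication yes
#PubkeyAuthentication yes
Match User deploy
    PasswordAuthentication no
PasswordAuthentication no
EOF
echo "PasswordAuthentication -> $(effective_sshd_value "$DEMO_CFG" PasswordAuthentication)"   # yes
echo "PubkeyAuthentication   -> $(effective_sshd_value "$DEMO_CFG" PubkeyAuthentication)"     # unset
if key_only_ready "$DEMO_CFG"; then echo "key-only login: ready"; else echo "key-only login: NOT ready"; fi
rm -f "$DEMO_CFG"
```

On a live host, sshd -T (capital T) prints the fully resolved configuration and is the authoritative check; this script is useful for reviewing configs offline or in a pipeline before they reach the bastion host.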
WinSCP is a client and SFTP is a protocol, so one is not "faster" than the other. What WinSCP does offer is optional SSH-level compression when both client and server allow it, which helps over slow links for compressible data; it does not make transfers faster than plain FTP or command-line scp in general, since they all move the same bytes over the same pipe.
Using WinSCP and a bastion host together has real benefits, so start using them now to improve your security and your productivity. They make an excellent combination for secure file transfers, letting you move files without ever exposing a password to the network.
They can also replace your FTP server. SCP and SFTP perform about the same (current OpenSSH scp actually speaks the SFTP protocol underneath), and compression is available when both client and server support it. Using SSH as the transport gives you strong authentication in a single program (WinSCP). The bastion host adds an extra layer of protection because it is the only machine reachable from outside; that also makes the private key the one thing you must protect: keep it passphrase-protected, never copy it onto the bastion host, and remove the matching line from authorized_keys the moment a PC is lost or retired.