SFTP and FTPS protocols

Foreword

Last week I was writing an essay on the topic named in the title and ran into the problem that, let us say, there is not much instructional information on the Internet, especially hard facts and setup instructions. So I decided to tidy up my notes a little and publish them as an article.

What is FTP

FTP (File Transfer Protocol) is a protocol for transferring files over a network. It is one of the oldest application-layer protocols: it appeared in 1971 and was first used on the ARPANET. Today, like HTTP, file transfer rides on the TCP/IP (Transmission Control Protocol/Internet Protocol) protocol suite. The protocol is specified in RFC 959.

The protocol defines the following:

  • how error checking is performed;
  • how the data is packaged (if packaging is used at all);
  • how the sending device signals that it has finished a message;
  • how the receiving device signals that it has received a message.

Communication between client and server

Let us look more closely at what happens during an FTP session. The connection is initiated by the user's protocol interpreter (user-PI). The exchange is managed over the control channel, which follows the Telnet conventions. FTP commands are generated by the user's protocol interpreter and sent to the server; the server's replies come back to the user over the same control channel. In general, the user can also reach the server's protocol interpreter by means other than the user-PI.

The key feature of FTP is that it uses two connections. The first carries commands to the server and is normally opened to TCP port 21, which can be changed. This control connection exists for as long as the client is talking to the server, and it must remain open while data is being transferred between the machines: if it is closed, the data transfer stops. Over the second connection the actual data is transferred. It is opened anew every time a file is transferred between client and server; if several files are transferred at the same time, each of them opens its own data connection.

FTP can operate in active or passive mode; the choice determines how the data connection is set up. In active mode the client establishes the TCP control connection to the server, sends the server its IP address and a random client port number (the PORT command), and waits for the server to open a TCP connection to that address and port. If the client is behind a firewall and cannot accept an incoming TCP connection, passive mode can be used. Here the client sends the PASV command over the control channel, receives the server's IP address and a port number in reply, and then opens the data connection itself from a random local port to that endpoint.
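As an added example (not code from the original article), the following Python helpers show the two sides of the data-connection setup just described: building the argument of the PORT command for active mode, parsing the 227 reply of PASV for passive mode, and the two sanity checks a careful client applies before using either. The addresses and ports are constructed sample values.

```python
"""Active vs. passive FTP data-connection setup (RFC 959): the PORT argument a
client sends in active mode, the 227 reply a server sends in passive mode, and
the checks a careful client applies.  Added example, not code from the article;
all addresses and ports below are constructed sample values."""
from __future__ import annotations

import ipaddress
import re

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def encode_port_arg(host: str, port: int) -> str:
    """Build the h1,h2,h3,h4,p1,p2 argument of the PORT command."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = ipaddress.IPv4Address(host).packed          # rejects non-IPv4 input
    return ",".join(str(b) for b in octets) + f",{port >> 8},{port & 0xFF}"


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Extract (host, port) from a reply such as
    '227 Entering Passive Mode (192,0,2,10,195,149).'"""
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("227 reply without a host/port tuple")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    port = (p1 << 8) | p2
    if port == 0:
        raise ValueError("server offered port 0")
    return f"{h1}.{h2}.{h3}.{h4}", port


def choose_data_endpoint(reply: str, control_peer: str) -> tuple[str, int]:
    """Decide where to open the passive data connection.

    The address inside the 227 reply is whatever the server (or anyone who can
    tamper with the control channel) chose to put there, and a NAT device in
    front of the server often leaves a private address in it.  A careful client
    therefore takes only the port from the reply and connects to the host the
    control connection is already talking to."""
    advertised_host, port = parse_pasv_reply(reply)
    if advertised_host != control_peer:
        # Do not follow the server to a third host: use the control peer instead.
        return control_peer, port
    return advertised_host, port


def should_accept_active_connection(expected_server: str, peer: str, peer_port: int) -> bool:
    """In active mode the server connects back to the client.  Accept only a
    connection from the server we are talking to, and only from its data port
    (20, one below the control port 21, per RFC 959; a server that deviates
    from that default needs an explicit allowance here)."""
    return peer == expected_server and peer_port == 20
```

The important caveat is in choose_data_endpoint: a client that blindly connects to whatever address appears in the 227 reply can be redirected to a third host (the same mechanism the bounce attack below exploits), and a NAT device in front of the server often puts a private address there anyway. Connecting to the control-connection peer and taking only the port from the reply avoids both problems; curl exposes the same behaviour as --ftp-skip-pasv-ip.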

Data can also be transferred to a third machine. In this case the user sets up control channels to two servers and arranges a direct data channel between them. The control commands pass through the user, while the data flows directly between the servers. This server-to-server transfer (commonly called FXP) is exactly the capability the bounce attack listed below abuses, so most servers today refuse PORT or PASV requests that name an address other than the peer of the control connection.

When transferring data over the network, four data representation types can be used:

  • ASCII is used for text. If necessary the data is converted from the sender's character representation to 8-bit NVT-ASCII before transmission and (again, if necessary) into the receiver's representation on arrival. In particular, line endings are converted. As a result, this mode is unsuitable for files containing anything other than plain text.
  • Binary (image) mode: the sender transmits the file byte for byte, and the receiver stores the byte stream as it arrives. Support for this mode is recommended for all FTP implementations.
  • EBCDIC is used for transferring plain text between hosts that use the EBCDIC encoding. Otherwise this mode is identical to ASCII mode.
  • Local mode allows two computers with identical settings to exchange data in their own format without conversion to ASCII.

Data transfer can take place in any of three transmission modes:

  • Stream mode: the data is sent as a continuous stream, relieving FTP of any processing; all of it is done by TCP. No end-of-file marker is needed except to separate the data into records.
  • Block mode: FTP breaks the data into several blocks (a header block, the byte count, the data field) and then hands them to TCP.
  • Compressed mode: the data is compressed with a single algorithm (usually run-length encoding).

An FTP server is a server that provides the File Transfer Protocol. It has several features that distinguish it from ordinary web servers:

  • user authentication is required;
  • all operations are performed within the current session;
  • it can perform various actions on the file system;
  • a separate channel is used for each connection.

An FTP client is a program that lets you connect to a remote server over FTP and perform the necessary operations on its file system objects. The client may be a browser, in whose address bar you enter an address that is the path to a particular directory or file on the remote server, following the standard URL scheme:

ftp://user:pass@address:port/directory/file

However, using a web browser in this role only lets you view or download the files you are interested in, and a password embedded in the URL ends up in the browser history and in proxy logs. To use all the advantages of FTP in full, you need dedicated client software.

FTP authentication uses a username/password scheme to grant access. The username is sent to the server with the USER command and the password with the PASS command. If the credentials supplied by the client are accepted by the server, the server sends a greeting to the client and the session begins. If the server supports it, users can log in without supplying credentials, but the server may grant such sessions only limited access.

A site that provides an FTP service may offer anonymous FTP access. Users usually log in with "anonymous" (which may be case-sensitive on some FTP servers) as the username. Although users are usually asked to supply their e-mail address in place of a password, no verification is performed. Most FTP hosts that distribute software updates support anonymous access.

Protocol diagram

The client-server interaction during an FTP session can be visualized as follows:

[Figure: FTP client-server interaction; the diagram is not reproduced in this copy]
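The login exchange described in the previous sections, as an added example rather than code from the article: a minimal server-side state machine for USER/PASS (including the anonymous case) driven by a scripted client, and a function that shows what an eavesdropper on the control channel learns from the resulting transcript. All users, passwords and reply texts are constructed.

```python
"""A plain-FTP login as it appears on the control channel, plus a tiny
'sniffer' that recovers the credentials from the captured transcript.
Added example, not the article's code; users, passwords and reply texts
are constructed."""
from __future__ import annotations


class FtpLoginServer:
    """Server-side state machine for the USER/PASS exchange of RFC 959.
    Only the replies needed to demonstrate the login are modelled."""

    ANON_NAMES = ("anonymous", "ftp")

    def __init__(self, users: dict[str, str], allow_anonymous: bool = True):
        self.users = users
        self.allow_anonymous = allow_anonymous
        self.pending_user: str | None = None
        self.logged_in: str | None = None   # account name once authenticated
        self.read_only = False              # anonymous sessions get reduced rights

    def greeting(self) -> str:
        return "220 Service ready for new user."

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "QUIT":
            return "221 Goodbye."
        if verb == "USER":
            self.pending_user = arg
            if arg.lower() in self.ANON_NAMES and self.allow_anonymous:
                return "331 Guest login ok, send your e-mail address as password."
            return "331 User name okay, need password."
        if verb == "PASS":
            if self.pending_user is None:
                return "503 Bad sequence of commands."
            user, self.pending_user = self.pending_user, None
            if user.lower() in self.ANON_NAMES and self.allow_anonymous:
                # The "password" is only a courtesy e-mail address; nothing is checked.
                self.logged_in, self.read_only = "anonymous", True
                return "230 Guest login ok, access restrictions apply."
            if self.users.get(user) == arg:
                self.logged_in = user
                return "230 User logged in, proceed."
            return "530 Login incorrect."
        if self.logged_in is None:
            return "530 Please login with USER and PASS."
        return "502 Command not implemented."


def run_login(server: FtpLoginServer, commands: list[str]) -> list[str]:
    """Drive the server with client commands and return the transcript in the
    order it is seen on the wire (C: client line, S: server reply)."""
    transcript = ["S: " + server.greeting()]
    for cmd in commands:
        transcript.append("C: " + cmd)
        transcript.append("S: " + server.handle(cmd))
    return transcript


def extract_credentials(transcript: list[str]) -> list[tuple[str, str, bool]]:
    """What a passive observer learns from plain FTP: every
    (user, password, login_succeeded) triple, read straight off the capture."""
    found: list[tuple[str, str, bool]] = []
    user = None
    for i, line in enumerate(transcript):
        if line.startswith("C: USER "):
            user = line[len("C: USER "):]
        elif line.startswith("C: PASS ") and user is not None:
            password = line[len("C: PASS "):]
            ok = i + 1 < len(transcript) and transcript[i + 1].startswith("S: 230")
            found.append((user, password, ok))
            user = None
    return found
```

Running run_login and then extract_credentials on its transcript shows the password in the clear next to the reply that confirmed it. This is the weakness the Secure FTP section below addresses: nothing in plain FTP hides the PASS argument from anyone who can see the TCP stream.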

Secure FTP

FTP was not designed to be secure, since it was intended for communication between a number of military installations and research institutions. But with the development and spread of the Internet the risk of unauthorized access grew many times over, and servers had to be protected from various kinds of attacks. In May 1999 the authors of RFC 2577 summarized the weaknesses in the following list of problems:

  • bounce attack
  • spoof attack
  • brute-force attack
  • packet capture (sniffing)
  • port stealing

Ordinary FTP cannot transfer data in encrypted form, so usernames, passwords, commands and other information can easily be intercepted by an attacker. The usual solution to this problem is to use either a "secure", TLS-protected version of the vulnerable protocol (FTPS) or a different, more secure protocol such as SFTP/SCP, which most Secure Shell implementations provide.

FTPS

FTPS (FTP + SSL) is an extension of the standard File Transfer Protocol that adds to its basic functionality the creation of encrypted sessions using the SSL (Secure Sockets Layer) protocol. Today the protection is provided by its more advanced successor, TLS (Transport Layer Security); SSL 2.0 and 3.0 themselves have been deprecated (RFC 6176 and RFC 7568) and must no longer be negotiated.

SSL

The SSL protocol was proposed by Netscape Communications in 1996 to provide security and privacy on the Internet. The protocol supports client and server authentication, is application-independent, and is transparent to the HTTP, FTP and Telnet protocols.

The SSL handshake protocol consists of two stages: server authentication and optional client authentication. In the first stage the server responds to the client's request by sending its certificate and encryption parameters. The client then generates a master key, encrypts it with the server's public key, and sends it to the server. The server decrypts the master key with its private key and authenticates itself to the client by returning a message protected with a key derived from the master key.

Subsequent data is encrypted and authenticated with keys derived from this master key. In the second, optional stage the server sends a challenge to the client, and the client authenticates itself by returning the challenge together with its digital signature and its public-key certificate.

SSL supports a variety of cryptographic algorithms. During connection establishment the RSA public-key cryptosystem is used. After the key exchange, one of several ciphers is used: RC2, RC4, IDEA, DES or TripleDES. MD5, a message-digest algorithm, is also used. The syntax of public-key certificates is defined in X.509. Every cipher and hash in that historical list is now considered broken or obsolete: a current FTPS deployment should negotiate TLS 1.2 or 1.3 with AEAD cipher suites (AES-GCM or ChaCha20-Poly1305), SHA-2 digests, and forward-secret (ECDHE) key exchange rather than RSA key transport.

One of the important benefits of SSL is its complete independence from the software platform. The protocol is built on the principle of portability, and the ideology of its construction does not depend on the applications that use it. Furthermore, other protocols can be layered transparently on top of SSL, either to further raise the protection of the target information flow or to adapt SSL's cryptographic capabilities to some other well-defined task.

SSL connection


The secure channel provided by SSL has three main properties:

  • The channel is private. Encryption is applied to all messages after a simple handshake that establishes the secret key.
  • The channel is authenticated. The server side of the conversation is always authenticated, while the client side is authenticated optionally.
  • The channel is reliable. Message transport includes an integrity check (using a MAC).

FTPS modes

There are two implementations of FTPS, which use different methods of providing security:

  • The implicit method uses the standard SSL protocol to set up a session before any data is sent, which in turn breaks compatibility with ordinary FTP clients and servers. So as not to collide with clients that do not support FTPS, TCP port 990 is used for the control connection and 989 for data transfer. This method is considered obsolete.
  • The explicit method is much more convenient, since it uses the standard FTP commands but encrypts the data when asked to, which allows the same control connection to be used for both FTP and FTPS. The client must explicitly request a secure transfer from the server and then agree the encryption method. If the client does not request a secure transfer, the FTPS server may either keep the unprotected session or close it. The mechanism for negotiating authentication and data protection was added by RFC 2228, which introduced the new FTP command AUTH; RFC 4217 later specified its use with TLS. Although the standard does not explicitly define the security mechanisms, it states that the secure connection must be initiated by the client using the procedure described above. If a secure connection is not supported by the server, error code 504 must be returned. FTPS clients can learn which security protocols the server supports with the FEAT command; however, the server is not required to disclose the security levels it supports. The most widely used FTPS commands are AUTH TLS and AUTH SSL, which provide TLS and SSL protection respectively. After AUTH the client must also issue PBSZ 0 and PROT P, otherwise the separately opened data connections stay unencrypted even though the control channel is now protected.
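The explicit-mode negotiation described above, as an added example (not the article's code). The client logic is written against two callables so that it can be exercised with a scripted server; a real client would wrap ftplib.FTP_TLS, whose auth() and prot_p() methods issue the same commands over a live socket. The server reply strings are constructed.

```python
"""Explicit FTPS (RFC 4217) upgrade as a client should perform it: AUTH TLS,
then PBSZ 0 / PROT P for the data channel, refusing to continue in the clear
when the server answers 504.  Added example, not the article's code; the
scripted server replies are constructed."""
from __future__ import annotations

from typing import Callable


class DowngradeRefused(Exception):
    """Raised instead of silently falling back to plaintext FTP."""


def negotiate_explicit_tls(send: Callable[[str], str],
                           start_tls: Callable[[], None],
                           require_tls: bool = True) -> list[str]:
    """Run the control-channel part of the upgrade.

    `send(command)` writes one command and returns the server's reply line;
    `start_tls()` wraps the socket once the server has agreed (in a real client
    this is where the certificate is validated).  Returns the commands issued."""
    issued: list[str] = []

    def cmd(c: str) -> str:
        issued.append(c)
        return send(c)

    reply = cmd("AUTH TLS")
    if reply.startswith("234"):
        start_tls()                                  # handshake happens here
    elif reply.startswith(("500", "502", "504")):    # unrecognized / not supported
        if require_tls:
            raise DowngradeRefused(f"server declined TLS: {reply}")
        return issued                                # explicit opt-in to plaintext only
    else:
        raise DowngradeRefused(f"unexpected reply to AUTH TLS: {reply}")

    # Data connections are separate TCP connections.  Without PROT P they carry
    # file contents and listings unencrypted even though the control channel is
    # now protected, so a rejection here is just as fatal as one on AUTH.
    if not cmd("PBSZ 0").startswith("200"):
        raise DowngradeRefused("PBSZ 0 rejected")
    if not cmd("PROT P").startswith("200"):
        raise DowngradeRefused("PROT P rejected; data channel would stay in the clear")
    return issued


def scripted_server(replies: dict[str, str]):
    """Build a fake server: a send() that answers from a reply table and a
    start_tls() that records whether the handshake was performed."""
    state = {"tls": False}

    def send(command: str) -> str:
        return replies.get(command, "500 Syntax error, command unrecognized.")

    def start_tls() -> None:
        state["tls"] = True

    return send, start_tls, state


def outcome(replies: dict[str, str], require_tls: bool = True) -> tuple[str, bool]:
    """Run the negotiation against a reply table and report
    ('protected' | 'plaintext' | 'refused', tls_started)."""
    send, start_tls, state = scripted_server(replies)
    try:
        negotiate_explicit_tls(send, start_tls, require_tls)
    except DowngradeRefused:
        return "refused", state["tls"]
    return ("protected" if state["tls"] else "plaintext"), state["tls"]
```

The point of DowngradeRefused is that a client which answers a 504 on AUTH TLS by quietly continuing in plaintext hands an on-path attacker a trivial downgrade: the attacker only has to rewrite one reply line. Plaintext should be an explicit opt-in (require_tls=False), never the default fallback, and a refusal of PROT P after the handshake has to be treated the same way.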

SFTP

SFTP (SSH File Transfer Protocol, often expanded as Secure File Transfer Protocol) is an application-layer file transfer protocol that runs over a secure channel. It should not be confused with the Simple File Transfer Protocol (RFC 913), which shares the abbreviation. Whereas FTPS is merely an extension of FTP, SFTP is a separate, unrelated protocol that uses SSH (Secure Shell) as its foundation.

Secure Shell

The protocol was developed by an IETF working group called Secsh. The working draft of the SFTP protocol never became an official standard, but it came into wide use in application development, and six versions of the protocol were released. However, the gradual growth of its functionality led to a decision on 14 August 2006 to stop work on the protocol, because the project's main task (SSH development) had been completed and there was not enough expert interest to continue developing a full-featured remote file system protocol.

SSH is a network protocol that allows remote control of an operating system and tunneling of TCP connections (for example, for file transfer). It is similar in function to the Telnet and rlogin protocols but, unlike them, it encrypts all traffic, including transmitted passwords. SSH allows a choice among several encryption algorithms. SSH clients and servers are available for most network operating systems.

SSH lets you securely carry almost any other network protocol over an insecure environment. So you can not only work remotely on a computer through a command shell, but also forward an audio or video stream (for example, from a webcam) over the encrypted channel. SSH can also compress the data before encrypting it, which is convenient, for example, for running remote X Window System clients.

The first version of the protocol, SSH-1, was developed in 1995 by researcher Tatu Ylönen of the Helsinki University of Technology (Finland). SSH-1 was written to provide greater privacy than the rlogin, telnet and rsh protocols. In 1996 a more secure version, SSH-2, was developed, which is incompatible with SSH-1. The protocol grew in popularity and by 2000 had around two million users. Today the term "SSH" usually means SSH-2, since the first version is no longer used because of serious flaws. In 2006 the protocol was approved by an IETF working group as an Internet standard.

There are two main implementations of SSH: proprietary commercial and free open source. The free implementation is called OpenSSH; by 2006, 80% of computers on the Internet were using it. The proprietary implementation is developed by SSH Communications Security (the Tectia product line) and is free for non-commercial use. The two implementations have almost the same set of commands.

The SSH-2 protocol, unlike Telnet, is resistant to traffic eavesdropping ("sniffing"), but it resists man-in-the-middle attacks only when the client verifies the server's host key; a client that accepts an unknown key without checking it gets no such protection. SSH-2 also resists session hijacking, since it is impossible to join or take over an established session.

To avoid a man-in-the-middle attack when connecting to a host whose key is not yet known to the client, the client software shows the user the "key fingerprint". It is recommended to compare the fingerprint shown by the client carefully with the server's real key fingerprint, preferably obtained over a trusted channel or in person. OpenSSH records accepted keys in the known_hosts file and refuses to connect if the key presented later differs from the stored one.
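Checking a host key the way the previous paragraph recommends, as an added example and not code from the article or from OpenSSH: the fingerprint is computed as ssh-keygen -l prints it (SHA256 of the wire-format key blob, base64 without padding, or the older MD5 colon-hex form), and a presented key is compared with the entries of a known_hosts file. The key bytes and host names are constructed; make_ed25519_pubkey_line only builds a syntactically valid key for the demonstration, not a usable one.

```python
"""SSH host key fingerprints in OpenSSH's display format and a known_hosts
lookup.  Added example, not the article's or OpenSSH's code; all key material
and host names below are constructed."""
from __future__ import annotations

import base64
import hashlib


def parse_pubkey_line(line: str) -> tuple[str, bytes]:
    """Split 'type base64blob [comment]' and return (type, raw wire-format blob)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type; they must agree.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type inside blob does not match the text type")
    return key_type, blob


def fingerprint(blob: bytes, algo: str = "sha256") -> str:
    """OpenSSH-style fingerprint: 'SHA256:<unpadded base64>' or 'MD5:aa:bb:...'."""
    if algo == "sha256":
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    if algo == "md5":
        return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    raise ValueError(f"unsupported fingerprint algorithm {algo!r}")


def check_known_hosts(known_hosts: str, host: str, presented: str, port: int = 22) -> str:
    """Return 'match', 'MISMATCH' (rekeyed server or interception: stop and
    verify out of band) or 'unknown' (first contact: verify the fingerprint)."""
    wanted = {host} if port == 22 else {f"[{host}]:{port}"}
    key_type, blob = parse_pubkey_line(presented)
    seen = False
    for raw in known_hosts.splitlines():
        raw = raw.strip()
        # Comments, hashed entries (|1|salt|hash) and marker lines (@revoked,
        # @cert-authority) are skipped in this example for brevity.
        if not raw or raw.startswith(("#", "|1|", "@")):
            continue
        fields = raw.split()
        if len(fields) < 3:
            continue
        names, kh_type, kh_b64 = fields[:3]
        if not wanted & set(names.split(",")) or kh_type != key_type:
            continue
        seen = True
        if base64.b64decode(kh_b64) == blob:
            return "match"
    return "MISMATCH" if seen else "unknown"


def make_ed25519_pubkey_line(raw32: bytes, comment: str = "") -> str:
    """Build a syntactically valid ssh-ed25519 public key line from 32 bytes.
    Constructed for the example only: the bytes are not a real key."""
    t = b"ssh-ed25519"
    blob = len(t).to_bytes(4, "big") + t + len(raw32).to_bytes(4, "big") + raw32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}".rstrip()
```

A "MISMATCH" result is the case that matters: the host is known but presents a different key, which is either a legitimately rekeyed server or an interception, and the correct response is to stop and verify out of band rather than delete the old entry and retry. Comparing the printed SHA256 fingerprint with one obtained from the server's administrator (for example from ssh-keygen -l run on the server itself) is what turns first-contact trust into verified trust.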

SSH support is available on all UNIX-like systems, and most of them ship an ssh client and server as standard. There are many SSH client implementations for non-UNIX operating systems. The protocol became especially popular after traffic analyzers (sniffers) and techniques for disrupting local networks became widespread, as an alternative to the insecure Telnet protocol for managing important nodes.

Communicating over SSH

To work over SSH you need an SSH server and an SSH client. The server listens for connections from client machines and, when a connection is established, performs authentication, after which it begins serving the client. The client is used to log in to the remote machine and execute commands.


Comparison with FTPS

The main thing that distinguishes SFTP from ordinary FTP and from FTPS is that SFTP runs entirely inside an already-established, encrypted SSH transport: every command, username, password and piece of data is encrypted, there is no cleartext phase, and the server cannot downgrade the session. Explicit FTPS, by contrast, starts in the clear and relies on the client requesting protection (AUTH, then PROT P) before anything sensitive is sent.

Both FTPS and SFTP use a combination of asymmetric algorithms (RSA, DSA), symmetric algorithms (DES/3DES, AES, Twofish, and others) and a key exchange algorithm. For authentication, FTPS (more precisely, SSL/TLS over FTP) uses X.509 certificates, whereas SFTP (the SSH protocol) uses SSH keys.

X.509 certificates contain a public key and some information about the certificate's owner. This information makes it possible to verify the integrity of the certificate itself, its authenticity, and the identity of its owner. An X.509 certificate has a corresponding private key, which for security reasons is usually stored separately from the certificate.

An SSH key consists only of a public key (the corresponding private key is stored separately). It carries no information about the key's owner. Some SSH implementations use X.509 certificates for authentication, but they do not verify the full certificate chain: only the public key is used (which makes the authentication incomplete).

Conclusion

Despite its venerable age, FTP undoubtedly still plays an important role in storing and distributing information on the network. It is a convenient, versatile and standardized protocol. Many file archives are built on it, and technical work would not be the same without it. In addition, it is easy to set up, and server and client programs exist for almost every current and not-so-current platform.

Its protected versions, in turn, solve the problem of confidentiality for data stored and transmitted in today's world. Both of the newer protocols have their advantages and disadvantages and serve somewhat different tasks. Where file storage is required, FTPS is the better choice, especially if classic FTP is already in use there. SFTP is less widespread because of its incompatibility with the old protocol, but it is more secure and has additional capabilities, since it is part of a remote management system.


Source: www.habr.com
