Any experts out there who are using curl?

Does the SFTP server already have your public ssh key?

I use curl daily, but not using client auth. My best guess would be to use the (opens a terminal, types... )
Code:
curl --help
--key and --pubkey options; maybe something like (presuming you're using Linux or Mac and your ssh keys would be in ~/.ssh - substitute the path(s) as needed):

Bash:
curl -u "$YOUR_USER_NAME:" --key ~/.ssh/$YOUR_SSH_KEY --pubkey ~/.ssh/$YOUR_PUBLIC_KEY.pub "sftp://$HOST/$REMOTE_PATH"

If scp and/or rsync are options they might work well, too. I know that if I had to supply my ssh key and presumed a server to have my public key I would use either of those two before curl every time.
 
This is FTPS not SFTP. Not SSH based. The people who want to use this run Linux and they use curl so I need to test with curl.

The goal is to use a personal cert on the client for authentication and eliminate requiring a PW. I have it working from a FTPS client but not from a curl client.
 
Sorry! I just Googled and came up with this:

Code:
curl -v --user  --ftp-ssl --ftp-ssl-reqd --ftp-pasv --disable-epsv --key mykey.pem --cert mycert.crt -T pubkey.txt ftp:///

It looks like there are just a few more ftps-related options necessary and a path to your files in place of "mykey.pem", etc.
 
I am not sure this command will actually work. I do not understand the "-T" option. The file pubkey.txt is (most likely) the root and intermediate public keys needed to validate the server cert. "-T" is for a transfer. I think it should be --cacert pubkey.txt.

I also think if the PW is not specified then it will prompt for a PW.

I have tried many variations of the above command + options and have not gotten it to work yet.
 
When I use a cert I use

curl --cacert /path/to/my/cert/ca.pem https://url
curl --header 'host: www.mysite.com' --cacert /path/to/my/cert/ca.pem https://URL_OR_IP/file.gz

Can also try curl -k --header 'host: www.mysite.com' -I https://ipaddr/file


This is what I use to move a file off my server; you could modify it to sftp as needed.

Edit: OK, thinking about this, not sure it will work with sftp; I'm going to give it a try later if I have time.

Edit some more: I missed this is sftp. Also, upon thinking, is this a self-signed cert? If so, it's not really valid as it breaks the trust chain; you will have to use the -k option, but that kind of defeats the purpose of the cert to begin with.

Could you give some output of the command as you run it? Might be easier to fix if we can see what it is complaining about.
 
OT: Since Donald has indicated he is from the MF world, I would indicate that the MF at our site has a very limited toolkit of secure protocols. Very good chance he cannot change the methodology of transferring the info. We have even implemented a MF-to-Linux server interface to transfer stuff off a MF so that other, more flexible tools can be used to interface with other systems. JMO.
 
I need to use FTPS. Cannot use SFTP (SSH). The personal cert is properly signed. I avoid self signed certs like the plague.
 
Do you have the outputs from the commands you have tried?
The first issue is it prompts for a host password. The whole point here is to use client auth and eliminate the password.

After I see the "connected to hostxxx.com" msg:
AUTH SSL
RECV Failure: connection was reset.
 
I have done a lot more testing. What I have discovered is curl is likely to use certificates in the Windows cert store and ignore what I specify. No indication that curl is ignoring what I specified or had an error with a cert I specified.
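
Added example, not part of the thread and not any poster's code: a shell check of which TLS backend a curl build names on the first line of `curl --version`. Per the curl manual, a Schannel build takes the `--cert` value as a certificate-store path expression, while OpenSSL-style builds read `--cert`, `--key` and `--cacert` from files. The function names and the two sample banner lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: identify the TLS backend of a curl build from its
# version banner, and say in what form that backend expects --cert.

# Constructed sample banners (first line of `curl --version`).
SAMPLE_WINDOWS='curl 8.4.0 (Windows) libcurl/8.4.0 Schannel WinIDN'
SAMPLE_LINUX='curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11'

# Print the TLS backend named in a banner line, or "unknown".
curl_tls_backend() {
    case " $1 " in
        *" Schannel "*)  echo Schannel ;;
        *" OpenSSL/"*)   echo OpenSSL ;;
        *" LibreSSL/"*)  echo LibreSSL ;;
        *" GnuTLS/"*)    echo GnuTLS ;;
        *" mbedTLS/"*)   echo mbedTLS ;;
        *" wolfSSL/"*)   echo wolfSSL ;;
        *)               echo unknown ;;
    esac
}

# Print the form in which that backend expects the client certificate.
client_cert_form() {
    case $(curl_tls_backend "$1") in
        # Schannel: --cert is a store path such as CurrentUser\MY\<thumbprint>
        Schannel) echo cert-store-path ;;
        unknown)  echo unknown ;;
        # File-based backends: --cert / --key / --cacert point at files
        *)        echo pem-files ;;
    esac
}

# Report on the curl found on this machine, if there is one.
if command -v curl >/dev/null 2>&1; then
    banner=$(curl --version | head -n 1)
    echo "local curl: $(curl_tls_backend "$banner") -> $(client_cert_form "$banner")"
fi
```

Running the same check on the Windows test machine and on the Linux clients shows whether both sides use the same backend before comparing `--cert`/`--key` results between them.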
 