Menu
01101110 01100101 01110100 01110111 01101111 01110010 01101011 01100001 01100100 01101101 01101001 01101110 01110100 01101111 01101111 01101100 01110011 00001101 00001010

Background

Manage Engine

Our readers provide the funding for our platform, and we may receive a commission when you make a purchase using the links on our site.

Automating Secure FTP Downloads With Kermit

/ October 3, 2016 — Security

If you need to automate FTP downloads, and want lots of flexibility, an oldie but goodie is Kermit. I know what you’re thinking: “Hey, isn’t Kermit an old DOS comms program?”. Yes, it is a very old program. The cool thing about this, though, is that if you need to automate file transfers, it has virtually every option you can imagine, including the old school abilities like xmodem. For FTP transfer, Kermit supports Kerberos 4, GSSAPI Kerberos 5, SRP, and SSL/TLS. The scripting language, unfortunately, is unique. This is because Kermit is so old that it predates Perl (PHP… heh). I’m not sure why the perl/cpan folks would want to recreate the legacy stuff that Kermit provides, since Kermit does it so well. Further, there is a wide array of binaries available here. Our system, though, is standard GNU/Linux, so we can compile from source easily. You can grab the source from here. To get FTP with SSL/TLS support running, we need to specify openssl on the command line when we run make:

 
root@wrk-1 cku # make linux+openssl
Making C-Kermit "8.0.211" for Linux on i386 with SSL/TLS...
make xermit KTARGET=${KTARGET:-linux+openssl} "CC = gcc" "CC2 = gcc" \
"CFLAGS = -O -funsigned-char -pipe -DPOSIX -DLINUX -DNOCOTFMC \
.
.
.
gcc  -o wermit \
ckcmai.o ckclib.o ckutio.o ckufio.o \
ckcfns.o ckcfn2.o ckcfn3.o ckuxla.o \
ckcpro.o ckucmd.o ckuus2.o ckuus3.o \
ckuus4.o ckuus5.o ckuus6.o ckuus7.o \
ckuusx.o ckuusy.o ckuusr.o ckucns.o \
ckudia.o ckuscr.o ckcnet.o ckusig.o \
ckctel.o ckcuni.o ckupty.o ckcftp.o \
ckuath.o ck_crp.o ck_ssl.o -L/usr/local/ssl/lib \
-lncurses -ltermcap -lssl -lcrypto -lm -lresolv -lcrypt
make[1]: Leaving directory `/usr/local/src/cku'

Let’s install:

root@wrk-1 cku # make install      
Installing C-Kermit version 8.0.211...
DESTDIR=
BINARY=wermit
.
.
.
C-Kermit version 8.0.211 installed!

Fire up kermit and set TLS:

user1@wrk-1 user1 $ kermit
C-Kermit 8.0.211, 10 Apr 2004, for Linux
Copyright (C) 1985, 2004,
Trustees of Columbia University in the City of New York.
Type ? or HELP for help.
(/home/user1/) C-Kermit>set ftp authtype tls
(/home/user1/) C-Kermit>ftp ftp.sitename.com
Connected to ftp.sitename.com.
TLS accepted as authentication type
Warning: certificate has expired
Certificate Subject=
C=US
O=VeriSign, Inc.
OU=Class 3 Public Primary Certification Authority
notAfter=Jan  7 23:59:59 2004 GMT
Continue (Y/N)y
[TLS - RC4-MD5  SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5 
Compression: None
FTP Command channel is Private (encrypted)
FTP Data channel is Private (encrypted)
Name (ftp.sitename.com:user1):

Notice that the cert for this site has expired. Also notice how complete the information about the connection is. To ignore outdated certificats, use:

set authentication tls verify no

Now that we have our binary working, we can automate the transfers. An excellent reference for this is here. One thing to note, at least with this version of Kermit and some servers, is if you want to force binary transfer, you need to:

ftp type binary

Other ways that are normal for most FTP clients do not appear to work, like binary or even the Kermit option set file type binary.

Information

About