Automating Secure FTP Downloads With Kermit

If you need to automate FTP downloads, and want lots of flexibility, an oldie but goodie is Kermit. I know what you’re thinking: “Hey, isn’t Kermit an old DOS comms program?”. Yes, it is a very old program. The cool thing about this, though, is that if you need to automate file transfers, it has virtually every option you can imagine, including the old school abilities like xmodem. For FTP transfer, Kermit supports Kerberos 4, GSSAPI Kerberos 5, SRP, and SSL/TLS. The scripting language, unfortunately, is unique. This is because Kermit is so old that it predates Perl (PHP… heh). I’m not sure why the perl/cpan folks would want to recreate the legacy stuff that Kermit provides, since Kermit does it so well. Further, there is a wide array of binaries available here. Our system, though, is standard GNU/Linux, so we can compile from source easily. You can grab the source from here. To get FTP with SSL/TLS support running, we need to specify openssl on the command line when we run make:

root@wrk-1 cku # make linux+openssl
Making C-Kermit "8.0.211" for Linux on i386 with SSL/TLS...
make xermit KTARGET=${KTARGET:-linux+openssl} "CC = gcc" "CC2 = gcc" \
"CFLAGS = -O -funsigned-char -pipe -DPOSIX -DLINUX -DNOCOTFMC \
gcc  -o wermit \
ckcmai.o ckclib.o ckutio.o ckufio.o \
ckcfns.o ckcfn2.o ckcfn3.o ckuxla.o \
ckcpro.o ckucmd.o ckuus2.o ckuus3.o \
ckuus4.o ckuus5.o ckuus6.o ckuus7.o \
ckuusx.o ckuusy.o ckuusr.o ckucns.o \
ckudia.o ckuscr.o ckcnet.o ckusig.o \
ckctel.o ckcuni.o ckupty.o ckcftp.o \
ckuath.o ck_crp.o ck_ssl.o -L/usr/local/ssl/lib \
-lncurses -ltermcap -lssl -lcrypto -lm -lresolv -lcrypt
make[1]: Leaving directory `/usr/local/src/cku'

Let’s install:

root@wrk-1 cku # make install      
Installing C-Kermit version 8.0.211...
C-Kermit version 8.0.211 installed!

Fire up kermit and set TLS:

user1@wrk-1 user1 $ kermit
C-Kermit 8.0.211, 10 Apr 2004, for Linux
Copyright (C) 1985, 2004,
Trustees of Columbia University in the City of New York.
Type ? or HELP for help.
(/home/user1/) C-Kermit>set ftp authtype tls
(/home/user1/) C-Kermit>ftp
Connected to
TLS accepted as authentication type
Warning: certificate has expired
Certificate Subject=
O=VeriSign, Inc.
OU=Class 3 Public Primary Certification Authority
notAfter=Jan  7 23:59:59 2004 GMT
Continue (Y/N)y
[TLS - RC4-MD5  SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5 
Compression: None
FTP Command channel is Private (encrypted)
FTP Data channel is Private (encrypted)
Name ( 

Notice that the cert for this site has expired. Also notice how complete the information about the connection is. To ignore outdated certificats, use:

set authentication tls verify no

Now that we have our binary working, we can automate the transfers. An excellent reference for this is here. One thing to note, at least with this version of Kermit and some servers, is if you want to force binary transfer, you need to:

ftp type binary

Other ways that are normal for most FTP clients do not appear to work, like binary or even the Kermit option set file type binary.