Hi, I would like to prevent clients from sending their passwords in clear text when connecting to the Apache FTP server. For this reason I have initially configured the Apache FTP server to run in Implicit FTPS mode. It works similarly as HTTPS providing that both clients know the connection is encrypted. However, the implicit SSL mode seems to be non-standard and some FTP clients do not support it out of the box.
To extend the supported set of FTP clients I would like to switch from Implicit to Explicit FTPS. In this mode the clients have to issue an AUTH command before any trasmission of sensitive data (e.g. passwords) has taken place. If the clients forget to issue an AUTH command the data will be transmited without encryption. My question is: Can we protected the passwords of our users with Explicit FTPS ? Perhaps by closing the connection if the first command coming from the client is *not* AUTH ? Do you know of any better options to avoid plain-text passwords from being sent ? If there is no existing solution, what needs to be done to implement one ? thanks for your help, Kaloyan
