Hi,

 I would like to prevent clients from sending their passwords in
 clear text when connecting to the Apache FTP server. For this
 reason I have initially configured the Apache FTP server to
 run in Implicit FTPS mode. It works similarly as HTTPS providing
 that both clients know the connection is encrypted. However, the
 implicit SSL mode seems to be non-standard and some FTP clients
 do not support it out of the box.

 To extend the supported set of FTP clients I would like to switch
 from Implicit to Explicit FTPS. In this mode the clients have to
 issue an AUTH command before any trasmission of sensitive data
 (e.g. passwords) has taken place. If the clients forget to issue
 an AUTH command the data will be transmited without encryption.

 My question is: Can we protected the passwords of our users with
 Explicit FTPS ? Perhaps by closing the connection if the first
 command coming from the client is *not* AUTH ? Do you know of
 any better options to avoid plain-text passwords from being sent ?

 If there is no existing solution, what needs to be done to implement one ?


thanks for your help,
   Kaloyan

Reply via email to