Hi,

  thanks a lot for your replies.

  David, I will give your proposal a try.

have a nice weekend,
  Kaloyan

On Sat, Oct 1, 2011 at 10:22 AM, David Latorre <[email protected]> wrote:

> I don't have access to my working code right now nor I have tested this,
> but
> you should basically  do something like this:
>
>  public FtpletResult beforeCommand(FtpSession session, FtpRequest request)
>            throws FtpException, IOException {
>
>        String cmd = request.getCommand().toUpperCase();
>        if ("USER".equals(cmd)) {
>            if (!session.isSecure()) {
>                session.write(new DefaultFtpReply(500, "Control channel is
> not secure. Please,  issue AUTH command first."));
>                return FtpletResult.SKIP;
>            }
>
> }
>
>  }
>
>  If your client ignored the "5xx" error and still issued the PASS command
> (in plaintext), you   should return in this method FtpletResult.DISCONNECT
> so they don' t get a chance to 'leak' the password.
>
>
>
>
>
>
>
>
> 2011/10/1 Niklas Gustavsson <[email protected]>
>
> > On Fri, Sep 30, 2011 at 1:51 PM, Kaloyan Enimanev <[email protected]>
> > wrote:
> > >  My question is: Can we protected the passwords of our users with
> > >  Explicit FTPS ? Perhaps by closing the connection if the first
> > >  command coming from the client is *not* AUTH ? Do you know of
> > >  any better options to avoid plain-text passwords from being sent ?
> > >
> > >  If there is no existing solution, what needs to be done to implement
> one
> > ?
> >
> > FtpServer does not support this out of the box, but I know people has
> > implemented the same thing using Ftplets. Perhaps someone is around
> > here which can help you out with some existing code.
> >
> > /niklas
> >
>

Reply via email to