Hi, thanks a lot for your replies.
David, I will give your proposal a try. have a nice weekend, Kaloyan On Sat, Oct 1, 2011 at 10:22 AM, David Latorre <[email protected]> wrote: > I don't have access to my working code right now nor I have tested this, > but > you should basically do something like this: > > public FtpletResult beforeCommand(FtpSession session, FtpRequest request) > throws FtpException, IOException { > > String cmd = request.getCommand().toUpperCase(); > if ("USER".equals(cmd)) { > if (!session.isSecure()) { > session.write(new DefaultFtpReply(500, "Control channel is > not secure. Please, issue AUTH command first.")); > return FtpletResult.SKIP; > } > > } > > } > > If your client ignored the "5xx" error and still issued the PASS command > (in plaintext), you should return in this method FtpletResult.DISCONNECT > so they don' t get a chance to 'leak' the password. > > > > > > > > > 2011/10/1 Niklas Gustavsson <[email protected]> > > > On Fri, Sep 30, 2011 at 1:51 PM, Kaloyan Enimanev <[email protected]> > > wrote: > > > My question is: Can we protected the passwords of our users with > > > Explicit FTPS ? Perhaps by closing the connection if the first > > > command coming from the client is *not* AUTH ? Do you know of > > > any better options to avoid plain-text passwords from being sent ? > > > > > > If there is no existing solution, what needs to be done to implement > one > > ? > > > > FtpServer does not support this out of the box, but I know people has > > implemented the same thing using Ftplets. Perhaps someone is around > > here which can help you out with some existing code. > > > > /niklas > > >
