On 09.05.2015 21:50, Shawn Heisey wrote:
> On 5/9/2015 11:43 AM, Dennis Jacobfeuerborn wrote:
>> Most FTP clients these days support SFTP as well and if you use say
>> proftpd+mod_sftp then handling SFTP on the server side becomes pretty
>> much identical to handling FTP (except all that active/passive nonsense
>> goes away and nobody can simply sniff passwords on the wire).
> 
> There are dozens of clients out there among our customer base, many of
> which have been using the same software for the last ten years or more,
> and most of that old software is probably written by an internal
> developer that quit years ago, not an off-the-shelf FTP/SFTP client.
> 
> When we finally manage to get a server for SFTP installed, we can ask
> our clients to switch, but I'm sure many of them will think we're insane.

Yes, with these kinds of legacy clients there is little one can do since
their requirements are their requirements and that's that.
I've seen plenty of admins who still hand out FTP accounts simply
because "that's how it has always been done", thus keeping these outdated
protocols alive artificially. When I talk to customers and they ask for
FTP I simply offer them SFTP instead, which is more secure, and they
usually accept it right away.

> I will look into the sftp module for proftpd.  Hopefully that will be
> easier to secure than openssh.  It can be tricky to make sure clients
> don't get shell access and are chrooted into their home directory when
> using openssh.  It's not impossible, just challenging.

I consider openssh for sftp pretty much unusable for clients/customers.
Since I set up 99% of accounts with chroots, the mere fact that one has to
create a proper jail and then confine a user to a sub-directory of their
home directory for security reasons makes this way too much of a pain in
the behind.
With mod_sftp you create an empty home directory for that user and then
tell proftpd to chroot users to their home directory and you are done.
No building of jails and thus *way* easier to deal with.

Regards,
  Dennis
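For readers who want to see what "tell proftpd to chroot users to their home directory" looks like in practice, here is an added example of a proftpd.conf fragment for an SFTP-only virtual host using mod_sftp. It is not from the thread or from the proftpd project; the port, log path, host key paths, authorized-keys location and AuthUserFile path are assumptions for illustration.

```apache
# Added example (not from the thread): SFTP-only vhost with proftpd + mod_sftp.
# Only needed if mod_sftp was built as a loadable module rather than statically.
LoadModule mod_sftp.c

<VirtualHost 0.0.0.0>
    ServerName  "SFTP via mod_sftp"
    Port        2222                      # assumed; leave 22 to sshd if it runs on the same host
    SFTPEngine  on
    SFTPLog     /var/log/proftpd/sftp.log # assumed path

    # Host keys: reuse the sshd keys so clients see a familiar fingerprint,
    # or point these at separately generated keys (paths are assumptions).
    SFTPHostKey /etc/ssh/ssh_host_rsa_key
    SFTPHostKey /etc/ssh/ssh_host_ecdsa_key

    # Allow public-key and password auth; per-user key files live outside
    # the chroot so a user cannot add keys by uploading a file (path assumed).
    SFTPAuthMethods         publickey password
    SFTPAuthorizedUserKeys  file:/etc/proftpd/authorized_keys/%u

    # Accounts are SFTP-only: no login shell is required, and none is ever
    # spawned, so there is no shell-escape problem to engineer around.
    RequireValidShell off
    AuthOrder    mod_auth_file.c
    AuthUserFile /etc/proftpd/ftpd.passwd  # assumed path; created with ftpasswd

    # The point made in the message: every user is confined to their own home
    # directory. proftpd does not require the chroot target to be root-owned,
    # so the user can own ~ and write into it directly, with no separate jail.
    DefaultRoot ~
</VirtualHost>
```

The contrast with OpenSSH is the `DefaultRoot ~` line: sshd's `ChrootDirectory` requires every path component of the chroot target to be root-owned and not writable by any other user or group, which is why an sshd-based setup ends up with a root-owned home and a writable sub-directory inside it. Since proftpd has no such requirement, an empty user-owned home directory is all that has to exist before the account can be used.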


