On Tue, 2 Aug 2005 01:10:42 +0200 (CEST), [EMAIL PROTECTED] wrote:
>> On Tue, 2 Aug 2005 00:23:48 +0200 (CEST), [EMAIL PROTECTED]
>> wrote:
>>
>>>> On Mon, 1 Aug 2005 12:49:49 -0500, "Bob Bostwick \(Lists\)"
>>>> <[EMAIL PROTECTED]> wrote:
>>>>
>>>>> I am implementing an FTP server and need it to use SSL/TLS. I
>>>>>know ftpd doesn't support this, and was wondering if anyone had any
>>>>>suggestions on an alternative. I know SFTP exists, but that is not an
>>>>>option, as the clients are not going to change. I know pure-ftpd
>>>>>supports this, but didn't know if there was anything better or not.
>>>>
>>>> As you already seem to know, the best answer is to use something
>>>> that's reasonably secure like SFTP.
>>>>
>>>> Since FTP over SSL/TLS is going to require configuration changes on
>>>> the client side and possibly upgrades of client-side software, why not
>>>> just require a new client that supports SFTP?
>>>>
>>>> There are free SFTP clients out there for most platforms, heck there's
>>>> even at least one free client for MS-Windows (FileZilla on sourceforge
>>>> comes to mind).
>>>>
>>>> You're talking about hanging yet another box on the net supporting an
>>>> outdated, insecure and most importantly, difficult (often blocked or
>>>> messed up by NAT) protocol. Wrapping FTP in SSL/TLS does help some of
>>>> the problems but it does not solve all of them.
>>>>
>>>> Kind Regards,
>>>> JCR
>>>
>>>I'm sorry but there's no e.g. official "AnnonSFTP"-Patch/Modification for
>>>OpenSSH. As far as I know you're not able to split the SFTP from the
>>>SSH-Account (I don't mention any unofficial patches which may work).
>>>
>>>That's why FTPS-Servers, or at least FTP-Servers which support SSL/TLS, are
>>>still in use. The best example is maybe the AnonCVS-"Hack" you've to apply
>>>if you wanna set up an AnonCVS-Server.
>>>So as far as I know every SFTP-User needs an SSH-Account.
>>>FTP-Servers often have a separate Account-File which isn't related to the
>>>official System-Accounts at the Server.
>>>
>>>Kind regards,
>>>Sebastian
>>
>> Thanks Sebastian. You stated important info that I failed to mention.
>>
>> I don't mean to be confrontational but personally I didn't think there
>> was any point in securing anon/public access?
>>
>> Since the original poster is trying to secure logins, anon/public
>> access is kind of outside of the scope - probably the reason why I
>> forgot to mention the ssh accounts. ;-)
>>
>> JCR
>
>Yes but why shouldn't "we" secure anonymous-connections also?
>Or if I do e.g. a little Webhosting Service. I won't give my users an SSH
>so I've to choose FTPS even if it's not as secure as SFTP.
>
>So it doesn't just deal with anonymous connections.
>
>Kind regards,
>Sebastian

Now you've got me kind of curious about the unofficial ssh "hacks" you
mentioned. ;-)

It would be sweet if "we" could just simply set the user's shell to
usr/bin/false to prevent ssh while still allowing scp/sftp. I've got a
hunch doing this involves non-trivial code changes.

JCR

--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

