Template Version: @(#)sac_nextcase %I% %G% SMI
This information is Copyright 2008 Sun Microsystems
1. Introduction
1.1. Project/Component Working Name:
Gftp for OpenSolaris
1.2. Name of Document Author/Supplier:
Author: Alfred Peng
1.3. Date of This Document:
18 November, 2008
4. Technical Description
1. Introduction
1.1. Project/Component Working Name:
gFTP: multithreaded file transfer client.
1.2. Name of Document Author/Supplier:
Alfred Peng
1.3. Date of This Document:
11/04/08
1.3.1. Date this project was conceived:
12/14/1997
1.4. Name of Major Document Customer(s)/Consumer(s):
1.4.1. The PAC or CPT you expect to review your project:
Solaris PAC
1.4.2. The ARC(s) you expect to review your project:
LSARC
1.4.3. The Director/VP who is "Sponsoring" this project:
robert.odea at sun.com
1.4.4. The name of your business unit:
New Solaris Group, Desktop
1.5. Email Aliases:
1.5.1. Responsible Manager:
leo.binchy at sun.com
1.5.2. Responsible Engineer:
alfred.peng at sun.com
1.5.3. Marketing Manager:
glynn.foster at sun.com
1.5.4. Interest List:
desktop-discuss at opensolaris.org
4. Technical Description:
4.1. Details:
gFTP is a multithreaded file transfer client for *NIX based machines.
It has the following features:
* Supports the FTP, FTPS (control connection only), HTTP, HTTPS, SSH
and FSP protocols.
* FTP and HTTP proxy server support.
* Supports FXP file transfers, which are a subset of the FTP protocol.
* Bookmarks menu to quickly connect to remote sites.
* Internationalized to 41 languages.
* Double-paned layout to show the local and remote filesystems.
* Transfer pane to show the real-time status of each queued or active
file transfer.
* Log pane to display the text commands and responses between gFTP
and the remote server.
4.2. Bug/RFE Number(s):
None.
4.3. In Scope:
See above.
4.4. Out of Scope:
See above.
4.5. Interfaces:
Exported Interface
--------------------------------------------------------------------------------
Interface Name                          Classification     Comment
--------------------------------------------------------------------------------
SUNWgftp                                Uncommitted        Package name
/usr/bin/gftp                           Volatile           gFTP launch script
/usr/bin/gftp-gtk                       Volatile           gFTP GUI
/usr/bin/gftp-text                      Volatile           gFTP CLI
$HOME/.gftp                             Project Private    Profile
/usr/share/gftp                         Project Private    Directory
/usr/share/doc/SUNWgftp                 Project Private    Copyright directory
/usr/share/applications/gftp.desktop    Volatile           UI spec
Imported Interface
--------------------------------------------------------------------------------
Interface                   Classification    ARC case          Comment
--------------------------------------------------------------------------------
GNOME Platform Libraries    Committed         LSARC/2008/207    GTK+ library
                                                                GNOME 2.22
SSH                         Committed         PSARC/2001/212    Secure Shell
OpenSSL                     Volatile          PSARC/2006/019    OpenSSL library
4.6. Doc Impact:
New manpage, gftp.1.
4.7. Admin/Config Impact:
None.
4.8. HA Impact:
None.
4.9. I18N/L10N Impact:
The JDS team and the G11N team are working together to evaluate and
provide I18N/L10N support.
4.10. Packaging & Delivery:
Adds new package, SUNWgftp
4.11. Security Impact:
gFTP uses the OpenSSL library to encrypt the control and data channels
for file transfer over HTTPS, and to encrypt the control channel for
FTPS. It creates a socket BIO to handle SSL connections transparently.
After the connection is established, a handshake is performed to verify
the server's certificate. Certificate verification uses mode
SSL_VERIFY_PEER and depth 9. gFTP does not use the SSLv2 protocol, and
the list of available ciphers is set to
"ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH".
To support the SSH protocol, gFTP uses the ssh/sftp commands to set up
the connection with the server. The authentication information is
sent over the SSH connection. All subsequent requests and responses
travel over this connection for secure file transfer.
gFTP uses a socket to transfer files over the FTP and HTTP protocols.
The password is encoded with standard base64 for HTTP authentication.
For FTP authentication, the password is sent in plain text over the
socket.
gFTP includes a feature that allows the user to save passwords. The
password is saved in the gFTP profile directory. This creates a
potential security vulnerability because gFTP has only a very
rudimentary encryption/decryption scheme to make the stored passwords
unreadable. Each character is split into two nibbles. Each nibble is
then stored in the form 01xxxx01. The resulting string is prefixed by
a '$'.
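The stored-password encoding described in section 4.11, as an added example (not gFTP's own code): it round-trips a constructed password with no key, which is why the saved value is only as protected as the file permissions on $HOME/.gftp. The function names and the choice to store the high nibble first are assumptions; the page does not state the nibble order.

```c
/* Added example, not gFTP source. Assumption: high nibble is stored first. */
#include <string.h>

/* '$' + two 01xxxx01 bytes per char; out needs 2*strlen(pw)+2 bytes. */
size_t scramble(const char *pw, char *out)
{
    size_t n = 0;
    out[n++] = '$';
    for (; *pw; pw++) {
        unsigned char c = (unsigned char)*pw;
        out[n++] = (char)(0x41 | ((c >> 4) << 2));   /* 01hhhh01 */
        out[n++] = (char)(0x41 | ((c & 0x0f) << 2)); /* 01llll01 */
    }
    out[n] = '\0';
    return n;
}

/* 1 if s is '$' plus an even number of bytes matching 01xxxx01, else 0. */
int is_scrambled(const char *s)
{
    size_t len = strlen(s);
    if (s[0] != '$' || (len - 1) % 2 != 0)
        return 0;
    for (size_t i = 1; i < len; i++)
        if (((unsigned char)s[i] & 0xc3) != 0x41)  /* fixed bits 01....01 */
            return 0;
    return 1;
}

/* Keyless reverse of scramble(); out needs strlen(s)/2+1 bytes.
 * Returns the decoded length, or -1 if s is not in the stored form. */
int unscramble(const char *s, char *out)
{
    size_t n = 0;
    if (!is_scrambled(s))
        return -1;
    for (size_t i = 1; s[i]; i += 2)
        out[n++] = (char)(((((unsigned char)s[i] >> 2) & 0x0f) << 4) |
                          (((unsigned char)s[i + 1] >> 2) & 0x0f));
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char enc[64], dec[32];
    scramble("ab", enc);                      /* constructed sample password */
    return unscramble(enc, dec) == 2 ? 0 : 1; /* exit 0 on a clean round trip */
}
```

Because every stored byte has the fixed pattern 01xxxx01, `is_scrambled` can also be used to flag saved passwords when auditing a profile file.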
4.12. Dependencies:
The following versions of the imported interfaces are required:
GNOME 2.22 Upwards
OpenSSL, SSH
5. Reference Documents:
[1] gFTP homepage:
http://www.gftp.org
[2] Related ARC cases:
LSARC 2008/207: GNOME 2.22
PSARC/2006/019: OpenSSL upgrade to 0.9.8a
PSARC/2001/212: Secure Shell
6. Resources and Schedule
6.4. Steering Committee requested information
6.4.1. Consolidation C-team Name:
Desktop
6.5. ARC review type: FastTrack
6.6. ARC Exposure: open