RFC2228-only FTP ?

2003-09-29 Thread cls-du
I shut off FTP access in January and lost about 10% of my
Web-hosting users.  It seems almost all of them 
are on MS-Windows, and they have ongoing problems with
their SSH/SFTP clients WinSCP[23] and psftp.exe.
I don't want to bring back plain-old FTP because of
the clear text password problem.
But most of these people have commercial Windoze FTP clients
that support some flavor of RFC2228 FTP security extensions.
Of course, they are not technical and do not know which
extensions they can use.  All they know is someone sold them
a secure FTP program and they can't understand why I want them
to dump it and use the known-to-be-broken WinSCP instead.

Is there an FTP server in woody that I can configure to
refuse plain-old FTP but allow those clients who do
an FTP AUTH before an FTP PASS ?  That is, I want to hang
up on FTP clients that don't offer AUTH before they expose
a password.  Then I want to authorize those FTP users
whose clients know how to do the de facto standard
encrypted login.  I'm not concerned about man-in-the-middle
attacks; I just want to defeat eavesdroppers observing
clear text passwords.

Has anyone here done it?  What did you use?


TIA

Cameron



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
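One way to get the "refuse PASS unless AUTH came first" policy the question asks for, given as an added example rather than anything posted in the thread: ProFTPD's mod_tls directive TLSRequired makes the server reject USER/PASS on a control connection that has not been upgraded with AUTH TLS. The certificate and key paths, the log path and the TLSProtocol value are placeholders/assumptions; TLSProtocol names vary by ProFTPD version, so check the one you run. This assumes a ProFTPD build that includes mod_tls and does not claim that the woody package does.

```apacheconf
# ProFTPD mod_tls configuration (added example, not from the original post).
# Goal: accept only clients that negotiate TLS (RFC 2228 AUTH TLS) before
# sending credentials; plain-old cleartext logins are refused.
<IfModule mod_tls.c>
  TLSEngine                  on
  TLSLog                     /var/log/proftpd/tls.log        # placeholder path

  # Placeholder paths; point these at your real server certificate and key.
  TLSRSACertificateFile      /etc/ssl/certs/ftpd-example.pem
  TLSRSACertificateKeyFile   /etc/ssl/private/ftpd-example.key

  # Version-dependent: use the strongest protocol name your ProFTPD accepts.
  TLSProtocol                TLSv1.2

  # The key line: with "on", USER/PASS on a non-TLS control connection is
  # answered with a 5xx error, so a conforming client never sends the
  # password in the clear.  "on" also requires TLS on the data channel,
  # which is stricter than the password-only concern in the question.
  TLSRequired                on

  # Client certificates are not needed for this policy.
  TLSVerifyClient            off
</IfModule>
```

Two points worth checking after enabling this. First, the server can only refuse to act on a cleartext password; it cannot stop a badly written client from writing one into the socket anyway, so the protection relies on clients that stop at the USER rejection, which well-behaved ones do. Second, watch the TLS log for clients that connect, never issue AUTH, and get refused: that is the list of users still on a plain-FTP client, which is exactly the population the thread is trying to identify.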



Re: RFC2228-only FTP ?

2003-09-29 Thread cls-du
I wrote:
All they know is someone sold them
 a secure FTP program and they can't understand why I want them
 to dump it and use the known-to-be-broken WinSCP instead.

Alex replied:
What's broken in winscp?  It's working fine for about 400 clients here


I don't have any MS-Windows boxes to test it with, so this
is all second hand.
My users complain about WinSCP all the time.  The #1 issue is
it seems to come up with weird file permission defaults.
Mostly they are uploading HTML files to a Web server, and
it turns off other-read permission.  Or it turns off
other-execute on directories, so the Web server can't see
inside them.

There was an issue with WinSCP not really using SSH2's SFTP,
but simulating it with some kind of shell stuff.  So your users
need a shell or they can't use it.  I'd like to give some
of them /bin/true and just let them upload files but not
run any commands.  I see that has been fixed in WinSCP3.

But the biggest reason people want to use FTP-with-extensions
is it is built into Dreamweaver and Go Live and Front Page,
and those industry standard programs don't seem to
support SSH2/SFTP.  Probably for ideological or monopoly
enforcement reasons, but that doesn't matter.

I don't want to argue with my users about what software they
use on their client boxes.  They all know Microsoft sucks and
they are planning on getting off it someday.  But meanwhile
they are all very busy and just want to use the same tools
they can use with commercial Web hosting companies.
If I tell them Debian can't support FTP-with-extensions,
they will conclude that Debian is inferior to commercial
hosting environments.  I have lost about 5% of my users over this,
they do not want to use SSH, they want to use integrated
Web-authoring software with built in publish features that
use FTP or DAV.  But many of them are on cable modem so I have to
prevent them from using FTP with clear text passwords.

The fact is that FTP with security extensions is the
de facto standard way of solving the clear text password
exposure problem in the commercial Web hosting world.
Millions of people use it.  SSH2/SFTP may be technologically
superior, but it is not what most places use.  If you go to
Barnes & Noble or some other large bookstore you will find
dozens and dozens of beginners' books about Web authoring.
They all describe the process of uploading files through
FTP or DAV.  Hardly any of them mention SSH2/SFTP at all.


Cameron






Re: tping - tool for connectivity testing

2003-09-22 Thread cls-du

apt-get install tcptraceroute
man tcptraceroute

Very often spammers' Web servers drop ICMP and can't be
pinged or tracerouted.  They can hide from tcptraceroute
but it's harder.


Cameron





Re: Debian-based hosting needed

2003-09-17 Thread cls-du
I'm currently moving my colo'd web/email/etc stuff to a box hosted by
serverbeach.com.

[cheap, big transfer allotment]

Before you go, Google for serverbeach in news.admin.net-abuse.email.
They seem to have a bit of an abuse problem over there.
They seem to be downstream from Swbell/SBC, in the middle of an ADSL pool.
I blocked the whole thing; Swbell has an abuse problem too.
You might have trouble sending email out of there.


Cameron


