Re: Proftpd+SSL/TLS!!!

2002-08-02 Thread Tomasz Papszun
On Fri, 02 Aug 2002 at 17:43:43 +1200, Dave Watkins wrote:
> 
> Sorry if this has been said. I haven't been following the thread, but why 
> not set up stunnel and run proftpd through that? I've done it here for mail 
> and it works great (even with qmail and daemontools), so I see no reason 
> why you couldn't do the same for FTP.

Unfortunately, FTP can't cooperate with stunnel.
As the FAQ says ( http://www.stunnel.org/faq/troubleshooting.html#ToC14 ):

  FTP over Stunnel won't work
   I just can't get ftp to work over Stunnel no matter how hard I
   try.
   Answer: Stunnel cannot be used for the FTP daemon because of the
   nature of the FTP protocol which utilizes multiple ports for data
   transfers. There are SSL aware FTP servers available.
   Alternatively you could use a different protocol. All versions of
   SSH include a program called scp which works like rcp. Recent
   versions of OpenSSH include a program called sftp which has an
   ftp-like feel.


-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.
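
Added example, not part of the original message or of the stunnel FAQ: the data connections the FAQ refers to are negotiated inside the control channel (PORT, the 227 reply, and the 229 reply of EPSV), so a wrapper that forwards only port 21 never sees them. The transcript, addresses and function names below are constructed for illustration.

```python
import re

# h1,h2,h3,h4,p1,p2 as carried by PORT and by the 227 reply (RFC 959)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# 229 Entering Extended Passive Mode (|||port|) (RFC 2428)
_EPSV = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def _decode(match):
    """Turn the six comma-separated numbers into (host, port)."""
    nums = [int(g) for g in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in host/port list")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def data_endpoints(control_lines, server_ip):
    """Return (mode, host, port) for each data connection negotiated."""
    found = []
    for line in (raw.strip() for raw in control_lines):
        hp, ep = _HOSTPORT.search(line), _EPSV.search(line)
        if line.upper().startswith("PORT ") and hp:
            found.append(("active",) + _decode(hp))      # server connects to client
        elif line.startswith("227") and hp:
            found.append(("passive",) + _decode(hp))     # client connects to server
        elif line.startswith("229") and ep:
            found.append(("passive", server_ip, int(ep.group(1))))
    return found


def outside_tunnel(endpoints, tunneled_ports):
    """Data connections that a tunnel covering only tunneled_ports misses."""
    return [e for e in endpoints if e[2] not in tunneled_ports]


# Constructed control-channel transcript (documentation address ranges).
SESSION = [
    "220 FTP server ready",
    "PASV",
    "227 Entering Passive Mode (192,0,2,10,195,80)",
    "PORT 198,51,100,7,4,1",
    "200 PORT command successful",
    "EPSV",
    "229 Entering Extended Passive Mode (|||50001|)",
]

if __name__ == "__main__":
    for mode, host, port in outside_tunnel(data_endpoints(SESSION, "192.0.2.10"), {21}):
        print(f"{mode:8} data connection to {host}:{port} bypasses the tunnel")
```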




Re: Proftpd+SSL/TLS!!!

2002-08-02 Thread Dave Watkins
Hi,
Sorry if this has been said. I haven't been following the thread, but why 
not set up stunnel and run proftpd through that? I've done it here for mail 
and it works great (even with qmail and daemontools), so I see no reason 
why you couldn't do the same for FTP.

Dave

At 14:32 1/08/2002 +0200, Jones Down wrote:
Hi,

> Does anyone knows Proftpd+SSL/TLS was official idea from Proftpd 

It's something I absolutely don't understand: the developers of
proftpd are not supporting this, don't ask me why, it's a real
problem... unfortunately I am no C-Coder, so I would do it
myself...*sigh* ... proftpd has really nice features (mysql lookup
e.g.), but NO SSL, and there's no ssl on the roadmap.

> Anyone got ideas as to the nature/solution of this problem?   ;-)

Well you could do a

apt-get install ftpd-ssl

but then you do not have all those nice advanced features of proftpd,
afaik no mysql-backend.

Also there is one bsd-ftp that can be found here:

http://bsdftpd-ssl.sc.ru/

it uses pam for authentication, so somehow also keeping your users in
a mysql-db should be possible, but I didn't get it to work.

My alternative is to use ssh, there is a really beautiful win-prog to
use scp, looks like mc, can be found here:

http://winscp.vse.cz/eng/

but then again you should set up a chroot environment, because it's
still not possible to restrict access to a directory with ssh as
tight as with some ftp-servers, because ssh needs some libraries and
stuff, so there will be always more than just one upload-dir to see
for the users. Also don't forget, that with ssh your users have a full
shell account, so building that jail should be done with real care. In
most cases it's more than you want to give them - what again makes me
cry about missing ssl in proftpd :(

generally I also really would be happy, if one of the "big boys" could
tell us how to do it and which tools to set up, to get a secure
ftpd. A nice solution would be to have mysql-backed virtual users for
ease of administration.

Have a nice day,
Jones



Re: Proftpd+SSL/TLS!!!

2002-08-01 Thread Jorge . Lehner
Hello!

On Thu, Aug 01, 2002 at 02:32:01PM +0200, Jones Down wrote:
...
> My alternative is to use ssh, there is a really beautiful win-prog to
> use scp, looks like mc, can be found here:
> 
> http://winscp.vse.cz/eng/
> 
> but then again you should set up a chroot environment, because it's
> still not possible to restrict access to a directory with ssh as
> tight as with some ftp-servers, because ssh needs some libraries and
> stuff, so there will be always more than just one upload-dir to see
> for the users. Also don't forget, that with ssh your users have a full
> shell account, so building that jail should be done with real care. In
> most cases it's more than you want to give them - what again makes me
> cry about missing ssl in proftpd :(
...

Ssh version 2 allows you to restrict access to an account, to only use
one specific command, via the private/public key.

There is one example I know of: "anonymous access to CVS via ssh", which
could be used as a reference, search for it at the CVS sites.

This forces you to use public/private keys, which is good practice
anyway.  You can issue/set up personal keys for individual users, and
you can generate a key for "anonymous" access, which is a small file
(the key) which you put publicly on a web page and anyone who wants to
access your repository downloads the file and tells their secure-shell
client to use it as ID when connecting to the server.

I have read once, that the ftp-subsystem of SSH (sftp) opens security
holes, but do not know why, I leave it disabled in my setups.

On the other hand, there is stunnel, which allows you to create an ssl
tunnel for any server/client pair.  If this is not possible for
proftpd for any technical reason don't tell me, I don't install ftp
servers.

Best Regards,

 Jorge-León
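
Added example, not part of the original message: per-key restriction to one command is expressed in OpenSSH's `authorized_keys` with the `command="..."` option plus the `no-pty` / `no-*-forwarding` options (or `restrict` in newer releases). The audit below flags keys that are not pinned that way; the sample file, the placeholder key blobs and the `cvs server` command are constructed for illustration.

```python
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")
# Options that remove what a single-command key does not need.
LOCKDOWN = {"no-pty", "no-port-forwarding", "no-x11-forwarding",
            "no-agent-forwarding"}


def _split_unquoted(text, seps, limit=None):
    """Split on separator characters that are not inside double quotes."""
    parts, start, quoted = [], 0, False
    for i, ch in enumerate(text):
        if ch == '"' and (i == 0 or text[i - 1] != "\\"):
            quoted = not quoted
        elif ch in seps and not quoted and (limit is None or len(parts) < limit):
            parts.append(text[start:i])
            start = i + 1
    parts.append(text[start:])
    return parts


def audit(authorized_keys_text):
    """Return [(line_number, [problems])] for keys not pinned to one command."""
    findings = []
    for n, line in enumerate(authorized_keys_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        first = _split_unquoted(line, " \t", limit=1)[0]
        options = [] if first.startswith(KEY_TYPES) else _split_unquoted(first, ",")
        names = {o.split("=", 1)[0].lower() for o in options}  # case-insensitive
        problems = []
        if "command" not in names:
            problems.append("no forced command: key can request a shell")
        missing = sorted(LOCKDOWN - names)
        if missing and "restrict" not in names:  # "restrict" implies all of them
            problems.append("missing: " + ", ".join(missing))
        if problems:
            findings.append((n, problems))
    return findings


# Constructed file: key blobs are placeholders, "cvs server" is illustrative.
SAMPLE = """\
# anonymous, locked down
command="cvs server",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3PLACEHOLDER anonymous
command="cvs server" ssh-rsa AAAAB3PLACEHOLDER alice
ssh-rsa AAAAB3PLACEHOLDER bob
"""

if __name__ == "__main__":
    for lineno, problems in audit(SAMPLE):
        print(lineno, "; ".join(problems))
```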




Re: Proftpd+SSL/TLS!!!

2002-08-01 Thread Jones Down
Hi,

> Does anyone knows Proftpd+SSL/TLS was official idea from Proftpd 

It's something I absolutely don't understand: the developers of
proftpd are not supporting this, don't ask me why, it's a real
problem... unfortunately I am no C-Coder, so I would do it
myself...*sigh* ... proftpd has really nice features (mysql lookup
e.g.), but NO SSL, and there's no ssl on the roadmap.

> Anyone got ideas as to the nature/solution of this problem?   ;-)

Well you could do a

apt-get install ftpd-ssl

but then you do not have all those nice advanced features of proftpd,
afaik no mysql-backend.

Also there is one bsd-ftp that can be found here:

http://bsdftpd-ssl.sc.ru/

it uses pam for authentication, so somehow also keeping your users in
a mysql-db should be possible, but I didn't get it to work.

My alternative is to use ssh, there is a really beautiful win-prog to
use scp, looks like mc, can be found here:

http://winscp.vse.cz/eng/

but then again you should set up a chroot environment, because it's
still not possible to restrict access to a directory with ssh as
tight as with some ftp-servers, because ssh needs some libraries and
stuff, so there will be always more than just one upload-dir to see
for the users. Also don't forget, that with ssh your users have a full
shell account, so building that jail should be done with real care. In
most cases it's more than you want to give them - what again makes me
cry about missing ssl in proftpd :(

generally I also really would be happy, if one of the "big boys" could
tell us how to do it and which tools to set up, to get a secure
ftpd. A nice solution would be to have mysql-backed virtual users for
ease of administration.

Have a nice day,
Jones




Re: Proftpd+SSL/TLS!!!

2002-07-31 Thread Vonsur Kcin
On Wed, Jul 31, 2002 at 03:58:02PM -0700, Angus Scott-Fleming wrote:
> There's an easy-to-use Windows client for SCP: WinSCP, google 
> for it.  Don't know of an equivalent for *nix.

The secpanel program has a pretty nice interface to scp for linux
(it also has some pretty nice site and key management things in it,
it's a general frontend to ssh).

There is also sftp, which is similar to the ftp command. PuTTY has an
implementation of this for windows, also.

-- 
-><- Nick Rusnov
-><- http://nick.industrialmeats.com
-><- [EMAIL PROTECTED]/[EMAIL PROTECTED] 




Re: Proftpd+SSL/TLS!!!

2002-07-31 Thread Angus Scott-Fleming
On 31 Jul 2002 at 16:24, Chris Kenrick wrote:

> Other than that, use scp.  Unfortunately, most options will involve
> some effort/difficulty on the client end. 

One problem I see with scp: no easy chroot jail, while with 
ftp I think you can limit the logins to one directory (and 
down) pretty easily.

There's an easy-to-use Windows client for SCP: WinSCP, google 
for it.  Don't know of an equivalent for *nix.

Angus S-F

-
Angus Scott-Fleming  GeoApps, Tucson, Arizona
[EMAIL PROTECTED]   1-520-290-5038 / fax 1-208-248-3124
-





Re: Proftpd+SSL/TLS!!!

2002-07-31 Thread Chris Kenrick
On Wed, Jul 31, 2002 at 01:49:41PM +0800, axacheng wrote:
> Hello list:
> 
> Does anyone knows Proftpd+SSL/TLS was official idea from Proftpd 
> 
> i wish, my ftp server have to support ssl tunnel to encrypt data that connect 
> from every client
> 
> Anyone got ideas as to the nature/solution of this problem?   ;-)

I had to do fairly extensive research into this as part of a former job.
Unfortunately, there's not too many options.  Nearly every solution has
to have non-standard clients and servers, which is a pain in the neck.
SSL/TLS encryption for FTP is in some RFC somewhere, but only a few
clients and servers implement it.

One neat trick is some software that works with any FTP client, and
intercepts all FTP traffic and encrypts it before sending it upstream.
Of course, this requires a software install on the client side, and a
special server.  http://safetp.cs.berkeley.edu for more details.  Other
than that, use scp.  Unfortunately, most options will involve some
effort/difficulty on the client end.

- Chris

PS: When I did some fairly primitive benchmarking, the SSL/TLS
encryption slowed the transfers to about 1/3 of the rate of straight FTP.