With FTP ... just say "no!".

1) many versions of FTP make your system vulnerable to root cracks.
2) There is NO way to run FTP in a SSH tunnel because it uses dynamic port assignments.
3) FTP logins are plain-text.

For sharing files, with anonymous users, HTTP is much better (see: http://files.dnso.net)
From: Steven J. Sobol [mailto:sjsobol@NorthShoreTechnologies.net]
Sent: Thursday, January 04, 2001 2:35 PM
On Thu, 4 Jan 2001, joshua stein wrote:
Michael Medwid wrote:
Anyone know of an FTP server product that hooks into RADIUS for authentication? NT or Linux?
proftpd has more features, but isn't very stable (and has had a few security problems in the past).
It's much less security-hole-ridden than the godforsaken piece-of-crap copy of wuftpd that ships with many Linux distros (in
1) many versions of FTP make your system vulnerable to root cracks.
...which are problems that need to be fixed. if you know of any...
2) There is NO way to run FTP in a SSH tunnel because it uses dynamic port assignments.
well...that's not entirely true. you can tunnel the command channel, just not the data channel.
3) FTP logins are plain-text.
sure, which is why you tunnel them via ssh, or use ipsec. actually...if you use ipsec, you can get the data protected as well.
For sharing files, with anonymous users, HTTP is much better (see: http://files.dnso.net)
for sharing files with anonymous users, i'll always be using anonftp.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com * "information is power -- share the wealth."
scp is also a possibility, its usage is a bit cryptic, but it is an option..

Brian

On Fri, 5 Jan 2001, Andrew Brown wrote:
"Brian W." wrote:
scp is also a possibility, its usage is a bit cryptic, but it is an option..
SCP works well, and actually, the usage isn't that hard to figure out:

scp user@host:/path/to/file user@host:/path/to/file

But it requires an active shell account on both ends. Ain't no way I'm granting shell access to anyone who doesn't specifically ask for it. Actually, I'm picky about granting it even to people who DO ask for it.

-- 
Steve Sobol, BOFH, President  888.480.4NET  866.DSL.EXPRESS  216.619.2NET
North Shore Technologies Corporation  http://NorthShoreTechnologies.net
JustTheNet/JustTheNet EXPRESS DSL (ISP Services)  http://JustThe.net
mailto:sjsobol@NorthShoreTechnologies.net  Proud resident of Cleveland, Ohio
[ On Friday, January 5, 2001 at 15:34:59 (-0500), Steve Sobol wrote: ]
Subject: Re: FTP with authentication to RADIUS
SCP works well, and actually, the usage isn't that hard to figure out:
scp user@host:/path/to/file user@host:/path/to/file
Indeed! I don't know what could be any easier. FTP is terribly arcane!
But it requires an active shell account on both ends.
With the basic configuration that's true -- but SSH can be configured in such a way that only one "command" can be run, and with a minor patch to sshd it's possible to set up file transfers only and to not ever allow general shell access. I've done this with rsync so people can update their web sites on production machines while having FTP access only on a less important system, and with a wee bit of innovation it'll work for plain scp too.

-- 
Greg A. Woods
+1 416 218-0098  VE3TCP  <gwoods@acm.org>  <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
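The transfer-only setup Greg describes can be done without patching sshd, as an added example that is not code from the thread or from any of its participants: a forced-command wrapper that sshd runs in place of a shell and that only executes the server side of scp or rsync. It assumes a modern sshd that honours the `command=` option in authorized_keys and exports the client's request as SSH_ORIGINAL_COMMAND; the install path, key and user name in the comment are placeholders.

```shell
#!/bin/sh
# Forced-command wrapper for a transfer-only SSH account (added example, not
# from the thread).  Assumes a modern sshd and an authorized_keys line like
#   command="/usr/local/bin/xfer-only",no-pty,no-port-forwarding ssh-rsa AAAA... web1
# so sshd runs this script instead of a shell and passes the client's request
# in SSH_ORIGINAL_COMMAND.  Path, key and user name are placeholders.
NL='
'
# A path argument must be relative to the home directory, with no "..".
safe_path() {
    case $1 in ''|-*|/*|..|../*|*/..|*/../*) return 1 ;; esac
}

# 0 if $1 is a server-side scp or rsync invocation we are willing to run.
xfer_allowed() {
    [ -n "$1" ] || return 1                      # no command = shell request
    case $1 in *[';&|$()<>`']*|*"$NL"*) return 1 ;; esac   # no chaining
    set -f; set -- $1; set +f                    # split words, no globbing
    case $1 in
    scp)
        shift; mode=
        while [ $# -gt 0 ]; do
            case $1 in
            -t|-f) mode=$1; shift; break ;;      # -t = upload, -f = download
            -r|-p|-d|-v) shift ;;
            *) return 1 ;;
            esac
        done
        [ -n "$mode" ] && [ $# -eq 1 ] && safe_path "$1" || return 1
        ;;
    rsync)
        [ "$2" = "--server" ] || return 1
        shift 2
        for arg; do
            case $arg in -*|.) ;; *) safe_path "$arg" || return 1 ;; esac
        done
        ;;
    *)  return 1 ;;
    esac
}

# Dispatch only when really invoked by sshd, which sets SSH_CONNECTION.
if [ -n "${SSH_CONNECTION:-}" ]; then
    if xfer_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        set -f; exec $SSH_ORIGINAL_COMMAND
    fi
    echo "transfer-only account: command refused" >&2
    exit 1
fi
```

Because the key carries no-pty and no-port-forwarding and the wrapper refuses an empty request, the account can move files into its own home directory but never gets a shell, port forward, or absolute path.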
SCP works well, and actually, the usage isn't that hard to figure out:
scp user@host:/path/to/file user@host:/path/to/file
Indeed! I don't know what could be any easier. FTP is terribly arcane!
ftp's not *that* arcane, what with the number of point-n-drool interfaces for it out there (not excluding netscape). scp is arcane for anyone who has not had a unix account long enough to discover it (and/or rcp, if it was or still is enabled when they got there).

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com * "information is power -- share the wealth."
On Fri, 5 Jan 2001, Andrew Brown wrote:
ftp's not *that* arcane, what with the number of point-n-drool interfaces for it out there (not excluding netscape).
scp is arcane for anyone who has not had a unix account long enough to discover it (and/or rcp, if it was or still is enabled when they got there).
The nicest point+drool interface for scp I've seen is in Nifty Telnet SSH for the mac. Click the "scp" button, pick files or directories for transfer, and type in the remote path (or leave it blank to plop it all in your homedir).

Has anyone seen such a beast for windows users?

Also Greg (woods@weird.com) mentioned something about setting up sshd to allow users (such as webhosting customers) to transfer stuff via scp without granting shell access. That would be most handy in combination with a decent windows scp client.

What I really don't get is why all the telnet/ssh combos have support for file transfers, but it's next to impossible to find a nice free windows ftp client that even does s/key, much less scp...

Charles
scp for windows is available, see http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. putty is a win ssh client, its free but a little too simple for me. pscp is a windoze scp client which I like. Here's the faq, http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html.

Bri

On Fri, 5 Jan 2001, Charles Sprickman wrote:
On Fri, Jan 05, 2001, Brian W. wrote:
scp for windows is available, see http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html.
putty is a win ssh client, its free but a little too simple for me. pscp is a windoze scp client which I like. Here's the faq, http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html.
.. which is leading us WAY off topic.

* telnet (along with FTP) is not insecure in itself. Perhaps the use or implementations are insecure, but I'm pretty sure I've seen some ssh-related security bugs.

* show me a way to break telnet, and I'm sure to find a way to break ssh (yes, those who follow the news will go "but that relies on dumb users!" but I *bet* anyone who runs a decent sized ISP will attest to their users' stupidity - or they wouldn't need a helpdesk...)

* Yes, the FTP protocol might be ancient, but so is TCP. And yes, TCP has had some overhauls but the basic principle is there, just like in FTP (which if I remember my history correctly was originally designed to work over NCP..)

This thread is irrelevant to NANOG. If you want to learn more about it, I suggest you start by buying a book like "Applied Cryptography" - which explains concepts such as trust relationships as well as "cryptography" (and can be used to prove telnet is secure/insecure in situations just as much as ssh is secure/insecure in situations.)

*sigh*.

Adrian

-- 
Adrian Chadd                    "Here's five for the cake, and
<adrian@creative.net.au>         five to buy a clue."
                                 - Ryan, Whatever it Takes
On Fri, Jan 05, 2001 at 07:47:17PM -0500, Charles Sprickman wrote:
The nicest point+drool interface for scp I've seen is in Nifty Telnet SSH for the mac. Click the "scp" button, pick files or directories for transfer, and type in the remote path (or leave it blank to plop it all in your homedir).
Let us not forget that sftp exists now, and the commercial SSH for Windows includes it.
On Fri, Jan 05, 2001 at 10:27:59AM -0500, Andrew Brown wrote:
1) many versions of FTP make your system vulnerable to root cracks.
...which are problems that need to be fixed. if you know of any...
It's more of an ongoing travesty with wu-ftpd and almost as bad with proftpd, and the script kiddies routinely have the exploits for weeks or months before the general population knows about them.
2) There is NO way to run FTP in a SSH tunnel because it uses dynamic port assignments.
well...that's not entirely true. you can tunnel the command channel, just not the data channel.
Well, if you use passive mode, you can tunnel the data channel as well. The question is why you would want to do this instead of just using rsync or scp.
3) FTP logins are plain-text.
sure, which is why you tunnel them via ssh, or use ipsec. actually...if you use ipsec, you can get the data protected as well.
For sharing files, with anonymous users, HTTP is much better (see: http://files.dnso.net)
for sharing files with anonymous users, i'll always be using anonftp.
Good luck with that.

--Adam

-- 
Adam McKenna  <adam-sig@flounder.net>  | "No matter how much it changes,
http://flounder.net/publickey.html     | technology's just a bunch of wires
GPG: 17A4 11F7 5E7E C2E7 08AA          | connected to a bunch of other wires."
     38B0 05D0 8BF7 2C6D 110A          | Joe Rogan, _NewsRadio_
11:45am up 209 days, 10:03, 9 users, load average: 0.13, 0.08, 0.02
participants (9)
- Adam McKenna
- Adrian Chadd
- Andrew Brown
- Brian W.
- Charles Sprickman
- Roeland Meyer
- Shawn McMahon
- Steve Sobol
- woods@weird.com