With FTP ... just say "no!".
1) many versions of FTP make you system vulnerable to root cracks.
2) There is NO way to run FTP in a SSH tunnel because it uses dynamic port
assignments.
3) FTP logins are plain-text.
For sharing files, with anonymous users, HTTP is much better (see:
http://files.dnso.net)
1) many versions of FTP make you system vulnerable to root cracks.
...which are problems that need to be fixed. if you know of any...
2) There is NO way to run FTP in a SSH tunnel because it uses dynamic port
assignments.
well...that's not entirely true. you can tunnel the command channel,
just not the data channel.
3) FTP logins are plain-text.
sure, which is why you tunnel them via ssh, or use ipsec.
actually...if you use ipsec, you can get the data protected as well.
For sharing files, with anonymous users, HTTP is much better (see:
http://files.dnso.net)
for sharing files with anonymous users, i'll always be using anonftp.
scp is also a possibility, its usage is a bit cryptic, but it is an
option..
Brian
>1) many versions of FTP make you system vulnerable to root cracks.
...which are problems that need to be fixed. if you know of any...
It's more of an ongoing travesty with wu-ftpd and almost as bad with proftpd,
and the script kiddies routinely have the exploits for weeks or months before
the general population knows about them.
>2) There is NO way to run FTP in a SSH tunnel because it uses dynamic port
>assignments.well...that's not entirely true. you can tunnel the command channel,
just not the data channel.
Well, if you use passive mode, you can tunnel the data channel as well. The
question is why you would want to do this instead of just using rsync or scp.
>3) FTP logins are plain-text.
sure, which is why you tunnel them via ssh, or use ipsec.
actually...if you use ipsec, you can get the data protected as well.>For sharing files, with anonymous users, HTTP is much better (see:
>http://files.dnso.net)for sharing files with anonymous users, i'll always be using anonftp.
Good luck with that.
--Adam
"Brian W." wrote:
scp is also a possibility, its usage is a bit cryptic, but it is an
option..
SCP works well, and actually, the usage isn't that hard to figure out:
scp user@host:/path/to/file user@host:/path/to/file
But it requires an active shell account on both ends.
Ain't no way I'm granting shell access to anyone who doesn't specifically
ask for it. Actually, I'm picky about granting it even to people who DO
ask for it.
[ On Friday, January 5, 2001 at 15:34:59 (-0500), Steve Sobol wrote: ]
Subject: Re: FTP with authentication to RADIUS
SCP works well, and actually, the usage isn't that hard to figure out:
scp user@host:/path/to/file user@host:/path/to/file
Indeed! I don't know what could be any easier. FTP is terribly arcane!
But it requires an active shell account on both ends.
With the basic configuration that's true -- but SSH can be configured in
such a way that only one "command" can be run, and with a minor patch to
sshd it's possible to set up file transfers only and to not ever allow
general shell access. I've done this with rsync so people can update
their web sites on production machines while having FTP access only on a
less important system, and with a wee bit of innovation it'll work for
plain scp too.
SCP works well, and actually, the usage isn't that hard to figure out:
scp user@host:/path/to/file user@host:/path/to/file
Indeed! I don't know what could be any easier. FTP is terribly arcane!
ftp's not *that* arcane, what with the number of point-n-drool
interfaces for it out there (not excluding netscape).
scp is arcane for anyone who has not had a unix account long enough to
discover it (and/or rcp, if it was or still is enabled when they got
there).
ftp's not *that* arcane, what with the number of point-n-drool
interfaces for it out there (not excluding netscape).scp is arcane for anyone who has not had a unix account long enough to
discover it (and/or rcp, if it was or still is enabled when they got
there).
The nicest point+drool interface for scp I've seen is in Nifty Telnet SSH
for the mac. Click the "scp" button, pick files or directories for
transfer, and type in the remote path (or leave it blank to plop it all in
your homedir).
Has anyone seen such a beast for windows users?
Also Greg (woods@weird.com) mentioned something about setting up sshd to
allow users (such as webhosting customers) to transfer stuff via scp
without granting shell access. That would be most handy in combination
with a decent windows scp client.
What I really don't get is why all the telnet/ssh combos have support for
file transfers, but it's next to impossible to find a nice free windows
ftp client that even does s/key, much less scp...
Charles
scp for windows is available, see
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html.
putty is a win ssh client, its free but a little too simple for me.
pscp is a windoze scp client which I like. Here's the faq,
http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html.
Bri
.. which is leading us WAY off topic.
* telnet (along with FTP) is not insecure.n itself Perhaps the use or
implementations are insecure, but I'm pretty sure I've seen some
ssh-related security bugs.
* show me a way to break telnet, and I'm sure to find a way to break ssh
(yes, those who follow the news will go "but that relies on dumb users!"
but I *bet* anyone who runs a decent sized ISP will attest to their
users stupidity - or they wouldn't need a helpdesk...)
* Yes, the FTP protocol might be ancient, but so is TCP. And yes, TCP
has had some overhauls but the basic principle is there, just like
in FTP (which if I remember my history correctly was originally
designed to work over NCP..)
This thread is irrelevant to NANOG. If you want to learn more about it,
I suggest you start by buying a book like "Applied Cryptography" -
which explains concepts such as trust relationships as well as
"cryptography" (and can be used to prove telnet is secure/insecure in
situations just as much as ssh is secure/insecure in situations.)
*sigh*.
Adrian
Let us not forget that sftp exists now, and the commercial SSH for Windows
includes it.