1) many versions of FTP make you system vulnerable to root cracks.
2) There is NO way to run FTP in a SSH tunnel because it uses dynamic port
assignments.
3) FTP logins are plain-text.
For sharing files, with anonymous users, HTTP is much better (see: http://files.dnso.net)
>1) many versions of FTP make you system vulnerable to root cracks.
...which are problems that need to be fixed. if you know of any...
It's more of an ongoing travesty with wu-ftpd and almost as bad with proftpd,
and the script kiddies routinely have the exploits for weeks or months before
the general population knows about them.
>2) There is NO way to run FTP in a SSH tunnel because it uses dynamic port
>assignments.
well...that's not entirely true. you can tunnel the command channel,
just not the data channel.
Well, if you use passive mode, you can tunnel the data channel as well. The
question is why you would want to do this instead of just using rsync or scp.
>3) FTP logins are plain-text.
sure, which is why you tunnel them via ssh, or use ipsec.
actually...if you use ipsec, you can get the data protected as well.
>For sharing files, with anonymous users, HTTP is much better (see:
>http://files.dnso.net)
for sharing files with anonymous users, i'll always be using anonftp.
But it requires an active shell account on both ends.
Ain't no way I'm granting shell access to anyone who doesn't specifically
ask for it. Actually, I'm picky about granting it even to people who DO
ask for it.
Indeed! I don't know what could be any easier. FTP is terribly arcane!
But it requires an active shell account on both ends.
With the basic configuration that's true -- but SSH can be configured in
such a way that only one "command" can be run, and with a minor patch to
sshd it's possible to set up file transfers only and to not ever allow
general shell access. I've done this with rsync so people can update
their web sites on production machines while having FTP access only on a
less important system, and with a wee bit of innovation it'll work for
plain scp too.
ftp's not *that* arcane, what with the number of point-n-drool
interfaces for it out there (not excluding netscape).
scp is arcane for anyone who has not had a unix account long enough to
discover it (and/or rcp, if it was or still is enabled when they got
there).
The nicest point+drool interface for scp I've seen is in Nifty Telnet SSH
for the mac. Click the "scp" button, pick files or directories for
transfer, and type in the remote path (or leave it blank to plop it all in
your homedir).
Has anyone seen such a beast for windows users?
Also Greg (woods@weird.com) mentioned something about setting up sshd to
allow users (such as webhosting customers) to transfer stuff via scp
without granting shell access. That would be most handy in combination
with a decent windows scp client.
What I really don't get is why all the telnet/ssh combos have support for
file transfers, but it's next to impossible to find a nice free windows
ftp client that even does s/key, much less scp...
* telnet (along with FTP) is not insecure.n itself Perhaps the use or
implementations are insecure, but I'm pretty sure I've seen some
ssh-related security bugs.
* show me a way to break telnet, and I'm sure to find a way to break ssh
(yes, those who follow the news will go "but that relies on dumb users!"
but I *bet* anyone who runs a decent sized ISP will attest to their
users stupidity - or they wouldn't need a helpdesk...)
* Yes, the FTP protocol might be ancient, but so is TCP. And yes, TCP
has had some overhauls but the basic principle is there, just like
in FTP (which if I remember my history correctly was originally
designed to work over NCP..)
This thread is irrelevant to NANOG. If you want to learn more about it,
I suggest you start by buying a book like "Applied Cryptography" -
which explains concepts such as trust relationships as well as
"cryptography" (and can be used to prove telnet is secure/insecure in
situations just as much as ssh is secure/insecure in situations.)