Date: Tue, 12 Feb 2002 19:23:07 +1100
From: Edwin Groothuis
To: Lord Raiden
Cc: freebsd-questions@freebsd.org
Subject: Re: Securing FTP

On Tue, Feb 12, 2002 at 01:59:44AM -0500, Lord Raiden wrote:
> Ok, one more question then I'll stop bugging you guys again. :) I was
> informed recently by a friend of mine that the FTP server daemon we're
> using on our machines, the FTPD that comes built into FreeBSD is insecure
> and prone to security problems.

Ask him about details :-)

FTP can be considered insecure because it transmits plain-text
passwords during the authentication handshake. Use a different
authentication method for this then, for example sftp/scp, whose
authentication handshake is done over an encrypted session.

FTP can be considered insecure because it transmits the data as
plain-text. Same here, use sftp/scp because it transmits its data
over an encrypted session.

But then... what ftp-daemon does he propose for this?

You are talking about members-only ftp. Does it mean that everybody
has access to the machine via a shell? Force them to use scp/sftp
and all the previous objections are gone. But then your members
will complain about the user-friendliness of scp/sftp and they insist
on having the old ftp back...

So.... ask your "friend" what insecurities and security problems
he knows about the FreeBSD ftpd and report them here. Then people
can look at them and either fix or debunk them.

Edwin

-- 
Edwin Groothuis   |   Personal website: http://www.MavEtJu.org
edwin@mavetju.org |   Interested in MUDs? Visit Fatal Dimensions:
------------------+   http://www.FatalDimensions.org/
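Added example, not part of the original message: a small audit that shows what the plain-text authentication handshake described above exposes on the wire, by scanning FTP control-channel lines for logins sent in cleartext. The transcript, the `C:`/`S:` log format, and the host and account names are constructed for illustration.

```python
import re

# Constructed sample of FTP control-channel lines as a network sensor might
# log them ("C:" client, "S:" server). Not real traffic; names are made up.
SAMPLE = """\
S: 220 ftp.example.org FTP server ready.
C: USER alice
S: 331 Password required for alice.
C: PASS s3cret-constructed
S: 230 User alice logged in.
S: 220 ftp.example.org FTP server ready.
C: user anonymous
S: 331 Guest login ok, send your email address as password.
C: pass guest@example.org
S: 230 Guest login ok.
C: USER bob
S: 331 Password required for bob.
C: PASS wrong
S: 530 Login incorrect.
"""

CMD = re.compile(r"^C:\s*(USER|PASS)\s+(.*)$", re.IGNORECASE)
ANONYMOUS = {"anonymous", "ftp"}  # conventional guest logins, no secret involved


def find_cleartext_logins(transcript):
    """One finding per PASS seen in cleartext; reports password length only."""
    lines = [l.strip() for l in transcript.splitlines()]
    findings, user = [], None
    for i, line in enumerate(lines):
        m = CMD.match(line)
        if not m:
            continue
        verb, arg = m.group(1).upper(), m.group(2).strip()
        if verb == "USER":
            user = arg
            continue
        # The server's next reply says whether the exposed password was valid.
        reply = next((l for l in lines[i + 1:] if l.startswith("S:")), "")
        findings.append({
            "user": user,
            "anonymous": (user or "").lower() in ANONYMOUS,
            "password_length": len(arg),
            "accepted": reply[2:].strip().startswith("230"),
        })
    return findings
```

Findings that are accepted and not anonymous identify accounts whose passwords crossed the network unencrypted and should be rotated once those users move to sftp/scp.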