Re: building a server web FTP with apache
From: Nico Kadel-Garcia (nkadel_at_comcast.net)
Date: 10/27/03
- Next message: Jem Berkes: "Re: renattach 1.2.0rc1 - Filter that renames/deletes dangerous email attachments"
- Previous message: Nico Kadel-Garcia: "Re: renattach 1.2.0rc1 - Filter that renames/deletes dangerous email attachments"
- In reply to: Cameron L. Spitzer: "Re: building a server web FTP with apache"
- Next in thread: Gary Petersen: "Re: building a server web FTP with apache"
- Reply: Gary Petersen: "Re: building a server web FTP with apache"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 26 Oct 2003 21:02:14 -0500
"Cameron L. Spitzer" <spambait@merde.greens.org> wrote in message
news:slrnbpo4dd.t9g.spambait@truffula.sj.ca.us...
> In article <Ptedna64UcD10QqiRVn-jw@comcast.com>, Nico Kadel-Garcia wrote:
> >
> > "g.simon4" <g.simon4@wanadoo.fr> wrote in message
> > news:bn6s82$tm3$1@news-reader5.wanadoo.fr...
> >> I would like to build a secure web FTP server with Apache.
> >> Is this possible?
> >> thank you
> >
> > Yes, it is. Immediately discard any use of FTP, and replace it with SSH/SFTP
> > or even HTTPS enabled WebDAV. FTP's use of unencrypted passwords is a
> > serious security issue for anything that people have to actually log into.
>
> But what about all my users who have never heard of "SSH/SFTP"?
>
> These are professional Web designers with years of successful
> experience. They use commercial Web authoring tools with names
> like "Adobe Go Live" and "Macromedia Dream Weaver." Those tools
> include built in fully integrated FTP clients which support an
> industry de facto standard enhanced FTP that sends its control
> channel over SSL/TLS or something like it. They get encrypted
> passwords and server certs, but they don't suffer the unnecessary delay of
> encrypting the data they are uploading to their public Web sites.
> And that active/passive thing doesn't bother them at all, because
> their clients automatically choose the mode that works in their
> environment.
Then use WebDAV, which Adobe GoLive supports. Doesn't "Dream Weaver"? And
better yet, WebDAV deals *correctly* with web sites that have their contents
scattered around multiple locations by aliases in the configuration of the
web server, so that you can put subdirectories of materials in interesting
locations.
> My users *know* about the clear text password problem with the OBSOLETE form
> of FTP that Nico is talking about, and they consider that problem
> solved, not by SSH2, but by the industry de facto standard enhanced FTP
> that they have been using for years.
If the passwords are in clear text, it's not a secure file transfer method.
If it's not in clear text, it's not FTP and it's not supported by Adobe
GoLive or most other web authoring tools.
> What if I wanted to serve *that* enhanced FTP with open-source tools?
Use WebDAV with SSL. Mind you, Adobe GoLive supported HTTPS access for
WebDAV in version 5.0, then turned it *off* in 6.0. I've been trying to
contact them about this, but their latest support system is rather weird.
It's not enough to have the software legally installed and registered, you
have to read off the last four digits of the registration (which only show
up on your installation media) to get any actual support. Keeping that damn
CD around is sometimes a bit awkward, especially with a traveling laptop,
but they don't really care much.
Hint: they don't much care about supporting simple questions of single
users.
> What if I wanted my open-source enhanced FTP server to accept the
> SSL/TLS logins but refuse the cleartext logins?
You should *NEVER* offer any cleartext login/password attempts, period,
because idiots will accidentally use the clear-text channel instead of the
secure channel and get sniffed. Most SSL or SSH based login approaches allow
you to entirely disable such access.
> According to their Web sites, vsftpd and proftpd don't do it, and
> don't plan to.
> Is there *anything* on Freshmeat that will do it?
>
> (Tried stunnel. Couldn't get it to do FTP. Apparently it doesn't
> have a provision for the data channel thing FTP does.)
Yup. No purely stapled-on-top-of-FTP SSH or SSL wrapper does deal completely
with the dual-channel nature of FTP, which is why FTP should be discarded
for login based access. If you *have* to use FTP, consider every login name
and password for it compromised and rely on other access control to prevent
its abuse.
Sorry if I seem gruff. These are quite old security problems that
well-meaning new admins slam headlong into every year, and wind up
re-learning the same answers.
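The HTTPS-only WebDAV setup Nico recommends, written out as an added example that is not part of the original post or of any participant's configuration. It is for Apache httpd 2.4 with mod_ssl, mod_dav, mod_dav_fs, mod_alias, mod_auth_basic and mod_authn_file loaded; the hostname, file paths, certificate locations and password file are assumptions. It applies the two points made above: no cleartext login path exists at all (port 80 only redirects, and the authoring location demands TLS before it will even ask for a password), and an Alias shows WebDAV serving a subdirectory of the site from a location outside the document root.

```apache
# Added example (not from the original post). Hostname, paths and the
# password file are assumptions; adjust them for the real site.

# Port 80 never authenticates anyone: every request is redirected to HTTPS,
# so a client that is accidentally pointed at http:// cannot leak a password.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName   www.example.com
    DocumentRoot /var/www/site

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    # Drop legacy protocol versions; clients from this decade negotiate TLS 1.2+.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # mod_dav_fs lock database; the directory must be writable by the httpd user.
    DavLockDB /var/lib/apache2/davlock/DavLock

    # Anonymous, read-only view of the published site.
    <Directory /var/www/site>
        Require all granted
    </Directory>

    # Authors write through /author, which maps onto the same tree. The more
    # specific Alias must come first so /author/press wins over /author.
    Alias /author/press /srv/press-releases
    Alias /author       /var/www/site

    # Filesystem permissions for the aliased subtree (2.4 denies by default).
    <Directory /srv/press-releases>
        Require all granted
    </Directory>

    # Authoring URL space: DAV enabled, TLS mandatory, credentials required
    # for every method (PROPFIND, PUT, MKCOL, DELETE, ... as well as GET).
    <Location /author>
        Dav On
        SSLRequireSSL
        AuthType Basic
        AuthName "Site authoring"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/dav.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

Basic authentication is acceptable here only because SSLRequireSSL guarantees the credentials are never sent on an unencrypted connection; the same block without SSLRequireSSL, or with an HTTP vhost that served /author instead of redirecting, would recreate exactly the cleartext-password problem the thread is about. Create the password file with `htpasswd -c /etc/apache2/dav.htpasswd username` and keep it outside the document root.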