Re: FTP Issue
From: Alun Jones [MS MVP] (alun_at_texis.com)
Date: 09/17/03
- Next message: Jeff Cochran: "Re: Publishing to IIS 5.0"
- Previous message: Neil Armstrong: "Port 1033 (netinfo) port is open - what's it for and how do I close it?"
- In reply to: Tom Kaminski [MVP]: "Re: FTP Issue"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 17 Sep 2003 17:21:49 GMT
In article <bk9ueu$31m10@kcweb01.netnews.att.com>, "Tom Kaminski [MVP]"
<tomk (A@T) mvps (D.O.T) org> wrote:
>"S. Thomes" <sthomes@newaccess.cc> wrote in message
>news:0e3a01c37d2a$32abe390$a301280a@phx.gbl...
>> am setting up a virtual FTP site on my windows 2000 server.
>> I can get the site just fine using anonymous
>> authentication access, but I need it to prompt users to
>> enter a username and password. I cannot get it to work
>> that way.
>>
>> Any suggestions?
>
>http://www.microsoft.com/windows2000/en/server/iis/
Actually, I think what the OP is looking for is the information that the URL
"ftp://mysite.example.com" explicitly means "log in as anonymous". I
presume that the OP is using IE or some other browser to log on, rather than
an FTP client. I presume this, because with normal FTP clients, it is
visibly obvious that the FTP server _always_ needs a username and password.
[The OP can check this by using the command-line FTP client. Even running
"ftp -n", you cannot do anything until you explicitly supply a username and
correct password]
To log in as any other user, you would need to supply a username in the URL,
as in "ftp://user@mysite.example.com", or the security nightmare version
"ftp://user:password@mysite.example.com".
A wrinkle that may suit the OP entirely is that most browsers will pop up a
dialog box if the user and password combination is rejected by the server,
so you could use a URL that is obviously incorrect. My favourite, because
it suggests the idea of a prompt, is "ftp://?@mysite.example.com". You
might also find that if all you want to query for is the password,
"ftp://user:?@mysite.example.com" will do the job, populating the user name
field with the supplied value, to save a little typing.
Important caveat: this behaviour is _not_ specified by the standard. There
is nothing special about my use of "?", and if your FTP server has a user
called "?", whose password is blank, "ftp://?@mysite.example.com" will log
you in as that user! We're essentially foiling the server into rejecting a
user/password combination, so that the browser will ask for the right info.
This will also log as a failed access attempt. If you have software that
attempts to evade repeated attempts to crack a user's password, it may think
that's what is going on here. I haven't seen this happen in real life, but
it's a risk of using a technique that requires a failed logon as its
premise!
Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]
-- Texas Imperial Software | Find us at http://www.wftpd.com or email 1602 Harvest Moon Place | alun@texis.com. Cedar Park TX 78613-1419 | WFTPD, WFTPD Pro are Windows FTP servers. Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
- Next message: Jeff Cochran: "Re: Publishing to IIS 5.0"
- Previous message: Neil Armstrong: "Port 1033 (netinfo) port is open - what's it for and how do I close it?"
- In reply to: Tom Kaminski [MVP]: "Re: FTP Issue"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
