Re: FTP logs

From: Alun Jones [MSFT] (alunj_at_online.microsoft.com)
Date: 07/30/04


Date: Fri, 30 Jul 2004 18:39:35 GMT


> From: Paul Lynch <paul.lynch@nospam.com>
>
> As an aside, I've always wondered why the FTP service logs a 331 which
> means "User name okay, need password" when someone attempts to log in
> as Anonymous even if anonymous login is disabled on the server ?!?
>
> Maybe if Alun is reading this he can shed some light on this for us...

It's really a matter of personal choice by the developer of the product.
In the general case, a 331 message should be interpreted as meaning "I am
not going to tell you whether that user name is acceptable until you give
me a password, and I can try and authenticate them both", to avoid people
using the response to the USER command as a means of identifying which user
names are valid.

Some might say that the "anonymous" user is special, and pretty much "known
to exist" (but be potentially disabled), and so it's worth telling the
client early when the user is disabled; others would say that the policy of
authenticating user name and password together should apply at all times.
It's not a security issue, though, because it is the anonymous user, which
is known to be special to FTP.

Alun.
~~~~
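
The two policies discussed in this thread, as an added example that is not part of the original post and is not code from any FTP server: a server that answers every USER with 331 and decides only at PASS, beside one that rejects unusable names early. FtpAuth, ACCOUNTS, ANONYMOUS_ENABLED, user_replies and login are hypothetical names, and the account data is constructed.

```python
import hmac

# Constructed sample data, not from the thread; plaintext only to keep the sketch short.
ACCOUNTS = {"alice": "correct horse"}
ANONYMOUS_ENABLED = False  # anonymous login disabled, as in the question

class FtpAuth:
    """Hypothetical USER/PASS state for one FTP control connection."""

    def __init__(self, uniform=True):
        self.uniform = uniform      # True: never judge the name at USER time
        self.pending_user = None

    def user(self, name):
        is_anon = name.lower() == "anonymous"
        known = name in ACCOUNTS or (is_anon and ANONYMOUS_ENABLED)
        if not self.uniform and not known:
            # Early-rejecting variant: the USER reply alone shows the name is unusable.
            self.pending_user = None
            return "530 Not logged in."
        self.pending_user = name
        return "331 User name okay, need password."

    def password(self, pw):
        name, self.pending_user = self.pending_user, None
        if name is None:
            return "503 Bad sequence of commands."
        if name.lower() == "anonymous":
            ok = ANONYMOUS_ENABLED
        else:
            expected = ACCOUNTS.get(name)
            # Always run the comparison so unknown names take the same code path.
            same = hmac.compare_digest((expected or "").encode(), pw.encode())
            ok = expected is not None and same
        return "230 User logged in." if ok else "530 Not logged in."

def user_replies(uniform, names):
    """Reply to USER for each name, each on a fresh connection."""
    return {n: FtpAuth(uniform).user(n) for n in names}

def login(uniform, name, pw):
    """Full USER then PASS exchange; returns both replies."""
    session = FtpAuth(uniform)
    first = session.user(name)
    return first, session.password(pw) if first.startswith("331") else None

if __name__ == "__main__":
    for mode in (True, False):
        print("uniform" if mode else "early-reject", user_replies(mode, ["alice", "bob", "anonymous"]))
```

With the uniform policy the log shows a 331 for a disabled anonymous user followed by a 530 at PASS, which is the pattern the question asks about.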