Just wanted to address the comment made by Niklas that a password
should always be required:

Just reading back the RFC 4217, and found this:

Note 2: The PASS command might not be required at all (if the USER
   parameter and any client identity presented provide sufficient
   authentication).  The server would indicate this by issuing a '232'
   reply to the USER command instead of the '331', which requests a PASS
   from the client (see below).

So, it looks like we now do have a standard.

Sai Pullabhotla



On Wed, Apr 6, 2011 at 4:14 PM, Niklas Gustavsson <nik...@protocol7.com> wrote:
> On Wed, Apr 6, 2011 at 6:22 PM, Sai Pullabhotla
> <sai.pullabho...@jmethods.com> wrote:
>> Thanks, Niklas. Unfortunately we cannot control the clients. We were
>> told that the clients are built to never send PASS command and expect
>> either a 2XX reply on the USER command or 5XX reply. In other words,
>> the server should perform the authentication soon after it receives
>> the USER command (if the client was authenticated with digital
>> certificates), and send a "230 logged in". If the client was not
>> authenticated with digital certificate, then we need to fall back to
>> the regular mode, and send a "331 password required" reply.
>
> Given FTP always requires the PASS command, even for anon users, I
> find this client behavior a bit weird.
>
>> I guess, I will see if I can poke holes into the code and see if I can
>> get it to work. Would you be willing to consider this as an
>> enhancement and like to have the code submitted?
>
> Let's have a look at it when you're done :-)
>
> /niklas
>
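
The USER handling discussed in this thread, as an added example that is not part of the original messages or of any project's code. It replies 232 only when the verified client certificate is bound to the requested user name, and otherwise falls back to 331 and PASS. The names Session, CERT_TO_USER, handle_user and handle_pass, the sample certificate subject, and the reply texts are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Session:
    tls_active: bool = False
    # Set only after the TLS layer has verified a client certificate chain.
    client_cert_subject: Optional[str] = None
    pending_user: Optional[str] = None
    authenticated_user: Optional[str] = None


# Constructed sample mapping: which FTP account each verified subject may use.
CERT_TO_USER = {"CN=batch-client-01,O=Example": "batch01"}


def handle_user(session: Session, username: str) -> str:
    # A new USER command always resets any earlier login state.
    session.authenticated_user = None
    session.pending_user = None
    subject = session.client_cert_subject if session.tls_active else None
    # The certificate must map to this exact user name; a valid certificate
    # alone must not allow login as an arbitrary account.
    if subject is not None and CERT_TO_USER.get(subject) == username:
        session.authenticated_user = username
        return "232 User logged in, authorized by security data exchange."
    # No usable client identity: regular mode, request a password.
    session.pending_user = username
    return "331 User name okay, need password."


def handle_pass(session: Session, password: str,
                check_password: Callable[[str, str], bool]) -> str:
    if session.pending_user is None:
        return "503 Bad sequence of commands."
    user, session.pending_user = session.pending_user, None
    if check_password(user, password):
        session.authenticated_user = user
        return "230 User logged in, proceed."
    return "530 Not logged in."
```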
