On Thu, 2002-11-14 at 14:18, David Davis (CS) wrote:
> I am trying to create an ideal secure file transfer solution using
> open-source software. Everybody knows FTP is insecure, but what can replace
> it?
>
> The desired features include: able to 'chroot' users into their home
> directories when they log in, ability to use existing versions of client
> software (access ftp site from a browser, ws_ftp, etc.), encrypted
> transmission of data and commands.
>
> Briefly, this is what I have found regarding the server-side setup:
>
> 1. FTP is good for creating chroot jails for users, but uses unencrypted
> channels, exposing commands (e.g., username/password) and data.
>

Right, this is just a bad idea. Recently been fighting with the boss
about not using regular ftp on our servers.

> 2. FTP over an SSH tunnel encrypts the command channel, but leaves the data
> unencrypted.
>

This is good when data protection isn't an issue and you want to use any
ftp client.

> 3. SFTP encrypts both the command and data channels, but chroot jails are
> only available with the commercial version of ssh (ssh.com). This also
> requires a client/user to install software on their PC with which they might
> not already be familiar.
>

I like this method and ws_ftp (at least newer versions) has sftp support
built in. It isn't only available via the commercial version. I just did
a quick Google search and the first link,
http://mail.incredimail.com/howto/openssh/
talks about a chroot patch for openssh and how to get it working.

Here is another document that talks about chrooted sftp,
http://chrootssh.sourceforge.net/docs/chrootedsftp.html
and the main url for it,
http://chrootssh.sourceforge.net/

Personally I just use scp.

> 4. Implicit or Explicit FTP over SSL will encrypt both the data and command
> channels and can be implemented using Glub Tech's Secure FTP Wrapper
> (http://www.glub.com/products/ftpswrap/). This option looks a bit pricey,
> but sounds like the best solution so far.
>
> QUESTION: Does anybody have a better solution than #4?
>
>

If you really want an SSL ftp server check out,
http://bsdftpd-ssl.sc.ru/

Here is a list of ftp servers and descriptions, including more than one
that does ssl,
http://www.linuxmafia.com/pub/linux/security/ftp-daemons
