Re: secure FTP clients [was: recommendations for FTP server]
On 21 Jun 2003 10:44:47 +0200, Florent Rougon wrote:

> Nick Boyce [EMAIL PROTECTED] wrote:
>
> > http://filezilla.sourceforge.net/
> > GUI Win32 client that does FTP, FTP over SSL, and SFTP. Apparently has some integration with PuTTY, though I can't currently figure out how to get FileZilla to use my PuTTY keystore.
>
> The way I see it is:
> - I load (with Pageant) a key to log as $USER on $HOST
> - I fire filezilla and make an SFTP connection as $USER to $HOST
> - when prompted for the password, I just type garbage
> - the login is successful, meaning FileZilla used the key loaded by Pageant to perform the authentication.

Thanks very much for that tip - I've tried this, and it works for me too. I guess the FileZilla people will be making this nicer when they get the time.

Nick Boyce
Bristol, UK
--
Remember: If brute force doesn't work, you're just not using enough.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: recommendations for FTP server
Why not try rssh?
http://packages.debian.org/unstable/net/rssh.html
works well with filezilla.

Jonathan

* John Wright [EMAIL PROTECTED] [2003-06-20 16:17]:
> Have you thought about running sftp on a nonstandard port?
>
> John Wright
> Manager of Departmental Computing
> Radio/TV Services
> Indiana University
> 1229 E. Seventh Street, room 284
> Radio-TV Center
> Bloomington, Indiana 47405
> Phone: 812-855-8076
> Fax: 812-855-0729
> [EMAIL PROTECTED]
>
> -Original Message-
> From: Stephen Gran [mailto:[EMAIL PROTECTED]
> Sent: Friday, June 20, 2003 11:56 AM
> To: Debian Security
> Subject: recommendations for FTP server
>
> Hello all,
>
> I am thinking about setting up an FTP server to be used by myself and a couple of friends. The box it will be running on is basically stock Woody, and is currently only running apache and NAT'ing for a LAN.
>
> I'd like the FTP server to not allow anonymous logins (which I assume most can do), chroot users to their home directories, and have some sort of encrypted connections (over SSL would be nice). I have thought about just using sftp, but currently ssh connections are rerouted to another box on the LAN, and I'd like to leave that set up as is, if possible.
>
> I see that proftpd is the example used in the 'securing Debian' manual, but it doesn't appear to be able to use SSL. OTOH, ftpd-ssl doesn't appear to do chroot'ing, at least not at a quick glance. Anybody know of one that combines these features? I suppose there is always stunnel, although I have never tried to use it for FTP.
>
> Any recommendations, experiences, thoughts?
>
> --
> | Stephen Gran                  | The proof of the pudding is in the |
> | [EMAIL PROTECTED]             | eating. -- Miguel de Cervantes     |
> | http://www.lobefin.net/~steve |                                    |

--
Jonathan Chen
Master Candidate, Computer Sciences
University of Texas at Austin
http://www.cs.utexas.edu/users/ccchen/
Re: recommendations for FTP server
On Fri Jun 20, 2003 at 11:37:12PM +0200, Dariush Pietrzak wrote:
> The only problem with TLS/SSL in ftp is that there are not that many clients that support that - there are NONE in woody. You need to backport

That's not true. Try this one:

$ apt-cache search ftp ssl
curl - Get a file from an FTP, GOPHER, HTTP or HTTPS server.
ftp-ssl - The FTP client with SSL encryption support.
ftpd-ssl - FTP server with SSL encryption support.
gnus - A versatile News and mailing list reader for Emacsen
octave2.0 - The GNU Octave language for numerical computations
octave2.1 - The GNU Octave language for numerical computations (2.1 branch)
sitecopy - A program for managing a WWW site via FTP, DAV or HTTP
xsitecopy - A program for managing a WWW site via FTP, DAV or HTTP(GNOME version)
libwww-ssl-dev - The W3C WWW library - development files (SSL support)
libwww-ssl0 - The W3C-WWW library (SSL support)
libssl09 - SSL shared libraries (old version)
libssl095a - SSL shared libraries (old version)
lynx-ssl - Text-mode WWW Browser supporting SSL

At least ftp-ssl does support it. I didn't check the others (there are enough false positives ;-).

So long
Thomas
--
 .''`.  Obviously we do not want to leave zombies around. - W. R. Stevens
: :' :  Thomas Krennwallner djmaecki at ull dot at
`. `'`  1024D/67A1DA7B 9484 D99D 2E1E 4E02 5446 DAD9 FF58 4E59 67A1 DA7B
  `-    http://bigfish.ull.at/~djmaecki/
Re: recommendations for FTP server
> That's not true. Try this one:
>
> $ apt-cache search ftp ssl
> curl - Get a file from an FTP, GOPHER, HTTP or HTTPS server.

that's not it.

> ftp-ssl - The FTP client with SSL encryption support.

Ok, this one works, I forgot about it because it's way too plain to really recommend to someone. It's like resume and sftp/scp - you can show someone how to do it using dd, but what they really need is a client in which you can just tap 'reget file' and it works. Psftp works like that, nothing I've seen in woody does.

> gnus - A versatile News and mailing list reader for Emacsen
> octave2.0 - The GNU Octave language for numerical computations
> octave2.1 - The GNU Octave language for numerical computations (2.1 branch)
> sitecopy - A program for managing a WWW site via FTP, DAV or HTTP
> xsitecopy - A program for managing a WWW site via FTP, DAV or HTTP(GNOME version)
> libwww-ssl-dev - The W3C WWW library - development files (SSL support)
> libwww-ssl0 - The W3C-WWW library (SSL support)
> libssl09 - SSL shared libraries (old version)
> libssl095a - SSL shared libraries (old version)
> lynx-ssl - Text-mode WWW Browser supporting SSL

all the rest are false positives.

--
Dariush Pietrzak,
I ain't the sharpest tool in a shed.
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: secure FTP clients [was: recommendations for FTP server]
Nick Boyce [EMAIL PROTECTED] wrote:

> Don't forget FileZilla
> http://filezilla.sourceforge.net/
> GUI Win32 client that does FTP, FTP over SSL, and SFTP. Apparently has some integration with PuTTY, though I can't currently figure out how to get FileZilla to use my PuTTY keystore.

The way I see it is:
- I load (with Pageant) a key to log as $USER on $HOST
- I fire filezilla and make an SFTP connection as $USER to $HOST
- when prompted for the password, I just type garbage
- the login is successful, meaning FileZilla used the key loaded by Pageant to perform the authentication.

> Seems nice and stable to me.

Agreed. A nice free-as-in-speech software for Windows.

--
Florent
Re: recommendations for FTP server (fwd)
FileZilla ( http://sourceforge.net/projects/filezilla/ ) is a great FTP client for Windows that supports SSL.

Quoting [EMAIL PROTECTED]:

> From: [EMAIL PROTECTED]
> To: Dariush Pietrzak [EMAIL PROTECTED]
> Subject: Re: recommendations for FTP server
> Date: Sat, 21 Jun 2003 01:09:45 +
>
> I know about SSL/TLS support in Proftp, the only problem is that few clients support it (thanks for the link to the Woody backport). I would use it if I could find clients that are supported by multiple OSes. Are there any SSL/TLS clients for Windows, OS X or Mac 9x?
>
> > > Proftpd does support SSL/TLS. It's a module that comes with it, it's just not enabled by default. Some nice docs here:
> > > http://www.castaglia.org/proftpd/modules/mod_tls.html
> > > http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
> >
> > Actually... it's enabled by default, that's why it says 'no certificate found' when you start it the first time.
> >
> > Neither sftp nor anything else is a 'drop-in' replacement for ftp. The only problem with TLS/SSL in ftp is that there are not that many clients that support that - there are NONE in woody. You need to backport lftp from sid or compile it yourself ( I've got my backport available from http://eyck.forumakad.pl/woody ./ )
> >
> > There are few other options - tlswrap changes every passive-capable ftp client into TLS-capable ftp client, there is this nice POSIX/Windoze lundfxp client etc..
> >
> > The way I see it, sftp is way less secure way of providing access to files than tls/ftp, you see, you need to create valid ssh-able accounts for all your users, then it'll take you some time to secure those accounts just a bit ( scp-only account? - great, if you wanna play around and compile special shell... there is no scp-shell in woody, there is one in sid. Is it safe enough? Who knows ). With ftp users need no shell, need no nothing. I create unlimited number of users and worry not
> >
> > --
> > Dariush Pietrzak,
> > I ain't the sharpest tool in a shed.
> > Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: recommendations for FTP server
Quoting Marcus Frings ([EMAIL PROTECTED]):

> Maybe http://www.linuxmafia.com/pub/linux/security/ftp-daemons will help you to make a good decision.

Hey, thanks, Marcus! That file reflects (and disclaims) my prejudice that anonymous ftp remains A Good Thing (see: http://linuxmafia.com/~rick/linux-info/ftp-justification), and that either scp or ftp-ssl (or, I guess, sftp) is perfectly adequate for non-anonymous file transfers.

OS coverage for scp is basically universal:
http://linuxmafia.com/pub/linux/security/ssh-clients

Of course, no doubt some people will whine about scp not doing file-browsing. Some front-ends can kludge that capability anyway (SecPanel, KSSH, KDESSH, ssh-gui, and GPuTTY for X11/*ix, Fugu for Mac OS X / Cocoa, FileZilla and Secure iXplorer for Win32) -- or you can try ftp-ssl or sftp.

Don't forget, too, about the FISH protocol, as implemented in Midnight Commander, KDE 3.1's kio_fish plugin, and lftp (ftp-like browsing over generic SSH transport).
http://linuxmafia.com/~rick/linux-info/fish-protocol

--
Cheers,              First they came for the verbs, and I said nothing, for
Rick Moen            verbing weirds language. Then, they arrival for the nouns
[EMAIL PROTECTED]    and I speech nothing, for I no verbs. - Peter Ellis
recommendations for FTP server
Hello all,

I am thinking about setting up an FTP server to be used by myself and a couple of friends. The box it will be running on is basically stock Woody, and is currently only running apache and NAT'ing for a LAN.

I'd like the FTP server to not allow anonymous logins (which I assume most can do), chroot users to their home directories, and have some sort of encrypted connections (over SSL would be nice). I have thought about just using sftp, but currently ssh connections are rerouted to another box on the LAN, and I'd like to leave that set up as is, if possible.

I see that proftpd is the example used in the 'securing Debian' manual, but it doesn't appear to be able to use SSL. OTOH, ftpd-ssl doesn't appear to do chroot'ing, at least not at a quick glance. Anybody know of one that combines these features? I suppose there is always stunnel, although I have never tried to use it for FTP.

Any recommendations, experiences, thoughts?

--
| Stephen Gran                  | The proof of the pudding is in the |
| [EMAIL PROTECTED]             | eating. -- Miguel de Cervantes     |
| http://www.lobefin.net/~steve |                                    |
Re: recommendations for FTP server
On Fri, Jun 20, 2003 at 12:56:01PM -0400, Stephen Gran wrote:

> I am thinking about setting up an FTP server to be used by myself and a couple of friends. The box it will be running on is basically stock Woody, and is currently only running apache and NAT'ing for a LAN.
>
> I'd like the FTP server to not allow anonymous logins (which I assume most can do), chroot users to their home directories, and have some sort of encrypted connections (over SSL would be nice). I have thought about just using sftp, but currently ssh connections are rerouted to another box on the LAN, and I'd like to leave that set up as is, if possible.

You could run sshd on another port. Really, if you want encryption and no anonymous connections, sftp is the right tool for the job.

--
 - mdz
Re: recommendations for FTP server
Stephen Gran [EMAIL PROTECTED] writes:

> I see that proftpd is the example used in the 'securing Debian' manual, but it doesn't appear to be able to use SSL. OTOH, ftpd-ssl doesn't appear to do chroot'ing, at least not at a quick glance. Anybody know of one that combines these features? I suppose there is always stunnel, although I have never tried to use it for FTP.

Proftpd does support SSL/TLS. It's a module that comes with it, it's just not enabled by default. Some nice docs here:

http://www.castaglia.org/proftpd/modules/mod_tls.html
http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html

--
Ted Cabeen
Systems/Network Administrator
Impulse Internet Services
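Added example, not part of the thread and not ProFTPD's own tooling: a small Python audit that checks a proftpd.conf against the three requirements in the original question (no anonymous logins, users chrooted to their home directories, encrypted connections) using mod_tls and core directives. Both sample configurations and the certificate paths are constructed, and the parser does not follow Include files.

```python
"""Audit a proftpd.conf for: no anonymous area, chroot to home, TLS required."""
import re

# Constructed sample: TLS offered but optional, no chroot, anonymous area enabled.
WEAK_CONF = """\
ServerName "files"
<IfModule mod_tls.c>
  TLSEngine on
  TLSRequired off
</IfModule>
<Anonymous ~ftp>
  User ftp
  UserAlias anonymous ftp
</Anonymous>
"""

# Constructed sample meeting all three requirements (certificate paths are placeholders).
HARDENED_CONF = """\
ServerName "files"
DefaultRoot ~
<IfModule mod_tls.c>
  TLSEngine on
  TLSRequired on
  TLSRSACertificateFile /etc/ssl/certs/proftpd.example.pem
  TLSRSACertificateKeyFile /etc/ssl/private/proftpd.example.key
</IfModule>
# <Anonymous ~ftp>
#   User ftp
# </Anonymous>
"""

SECTION_OPEN = re.compile(r"^<\s*([A-Za-z]+)\b[^>]*>$")
SECTION_CLOSE = re.compile(r"^</\s*([A-Za-z]+)\s*>$")


def parse(conf_text):
    """Yield (section_stack, directive, args) for every uncommented line."""
    stack = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive
        if SECTION_CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        opened = SECTION_OPEN.match(line)
        if opened:
            stack.append(opened.group(1).lower())
            yield tuple(stack), "<section>", [opened.group(1).lower()]
            continue
        parts = line.split()
        yield tuple(stack), parts[0].lower(), parts[1:]


def audit(conf_text):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    tls_engine = tls_required = None
    default_root = None
    for stack, name, args in parse(conf_text):
        if name == "<section>":
            if args[0] == "anonymous":
                findings.append("<Anonymous> block present: anonymous logins are enabled")
            continue
        if "anonymous" in stack:
            continue  # settings inside the anonymous area do not cover real accounts
        value = args[0].lower() if args else ""
        if name == "tlsengine":
            tls_engine = value
        elif name == "tlsrequired":
            tls_required = value
        elif name == "defaultroot":
            default_root = args
    if tls_engine != "on":
        findings.append("TLSEngine is not on: logins and data travel in clear text")
    elif tls_required != "on":
        findings.append(
            "TLSRequired is '%s': some traffic may still go unencrypted"
            % (tls_required or "off")
        )
    if not default_root or default_root[0] != "~":
        findings.append("DefaultRoot ~ missing: users are not chrooted to their home")
    elif len(default_root) > 1:
        findings.append(
            "DefaultRoot ~ carries a group expression ('%s'): "
            "check that no account is left unchrooted" % " ".join(default_root[1:])
        )
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "OK")
```

`TLSRequired on` is the value that covers both the control and the data channel; the audit treats any other value as a finding.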
Re: recommendations for FTP server
> Any recommendations, experiences, thoughts?

Running ftp over a vpn would work but it's not the easiest option.

Sftp is exactly what you need. Why not just run it on another port?

Hope this helps.
Re: recommendations for FTP server (fwd)
From: [EMAIL PROTECTED]
To: Stephen Gran [EMAIL PROTECTED]
Subject: Re: recommendations for FTP server
Date: Fri, 20 Jun 2003 18:37:43 +

If security is a concern, you might want to use SecureFTP instead. It is part of the OpenSSH package. The sftp client is a part of most Linux and BSD (including MacOS X) distros and there are also sftp clients for Macintosh http://ca.huji.ac.il/services/internet/ssh/macsftp.shtml and Windows http://www.chiark.greenend.org.uk/~sgtatham/putty/ .

> Hello all,
>
> I am thinking about setting up an FTP server to be used by myself and a couple of friends. The box it will be running on is basically stock Woody, and is currently only running apache and NAT'ing for a LAN.
>
> I'd like the FTP server to not allow anonymous logins (which I assume most can do), chroot users to their home directories, and have some sort of encrypted connections (over SSL would be nice). I have thought about just using sftp, but currently ssh connections are rerouted to another box on the LAN, and I'd like to leave that set up as is, if possible.
>
> I see that proftpd is the example used in the 'securing Debian' manual, but it doesn't appear to be able to use SSL. OTOH, ftpd-ssl doesn't appear to do chroot'ing, at least not at a quick glance. Anybody know of one that combines these features? I suppose there is always stunnel, although I have never tried to use it for FTP.
>
> Any recommendations, experiences, thoughts?
>
> --
> | Stephen Gran                  | The proof of the pudding is in the |
> | [EMAIL PROTECTED]             | eating. -- Miguel de Cervantes     |
> | http://www.lobefin.net/~steve |                                    |
Re: recommendations for FTP server
Stephen Gran sent the following message Today:

SG Hello all,
SG
SG I'd like the FTP server to not allow anonymous logins (which I assume
SG most can do), chroot users to their home directories, and have some sort
SG of encrypted connections (over SSL would be nice). I have thought about
SG just using sftp, but currently ssh connections are rerouted to another
SG box on the LAN, and I'd like to leave that set up as is, if possible.
SG
SG I see that proftpd is the example used in the 'securing Debian' manual,
SG but it doesn't appear to be able to use SSL. OTOH, ftpd-ssl doesn't
SG appear to do chroot'ing, at least not at a quick glance. Anybody know
SG of one that combines these features? I suppose there is always stunnel,
SG although I have never tried to use it for FTP.

Install SSH and give your friends shell accounts. SFTP is a drop-in replacement for FTP. Generally, I never use FTP except to make anonymous downloads available. There have been too many problems with many FTP servers in the past. Adding SSL to a standard FTP session also presents the problem that many standard FTP clients (at least on Windows) do not support this configuration.

--
Chris Caldwell
Information Systems Coordinator, Enterprise Systems
Information Systems and Services, The George Washington University
caldwell @ gwu . edu | +1 202.994.4674 (w) | +1 202.409.0878 (c)
http://asclepius.tops.gwu.edu | GPG key ID: 0xE52D0BE8

Formal education can rarely improve the character of a scoundrel.
 - Derek Bok, Harvard University
RE: recommendations for FTP server
Have you thought about running sftp on a nonstandard port?

John Wright
Manager of Departmental Computing
Radio/TV Services
Indiana University
1229 E. Seventh Street, room 284
Radio-TV Center
Bloomington, Indiana 47405
Phone: 812-855-8076
Fax: 812-855-0729
[EMAIL PROTECTED]

-Original Message-
From: Stephen Gran [mailto:[EMAIL PROTECTED]
Sent: Friday, June 20, 2003 11:56 AM
To: Debian Security
Subject: recommendations for FTP server

Hello all,

I am thinking about setting up an FTP server to be used by myself and a couple of friends. The box it will be running on is basically stock Woody, and is currently only running apache and NAT'ing for a LAN.

I'd like the FTP server to not allow anonymous logins (which I assume most can do), chroot users to their home directories, and have some sort of encrypted connections (over SSL would be nice). I have thought about just using sftp, but currently ssh connections are rerouted to another box on the LAN, and I'd like to leave that set up as is, if possible.

I see that proftpd is the example used in the 'securing Debian' manual, but it doesn't appear to be able to use SSL. OTOH, ftpd-ssl doesn't appear to do chroot'ing, at least not at a quick glance. Anybody know of one that combines these features? I suppose there is always stunnel, although I have never tried to use it for FTP.

Any recommendations, experiences, thoughts?

--
| Stephen Gran                  | The proof of the pudding is in the |
| [EMAIL PROTECTED]             | eating. -- Miguel de Cervantes     |
| http://www.lobefin.net/~steve |                                    |
Re: recommendations for FTP server
On Fri, 2003-06-20 at 18:56, Stephen Gran wrote:

> Hello all,
>
> I am thinking about setting up an FTP server to be used by myself and a couple of friends. The box it will be running on is basically stock Woody, and is currently only running apache and NAT'ing for a LAN.
>
> I'd like the FTP server to not allow anonymous logins (which I assume most can do), chroot users to their home directories, and have some sort of encrypted connections (over SSL would be nice). I have thought about just using sftp, but currently ssh connections are rerouted to another box on the LAN, and I'd like to leave that set up as is, if possible.

How about setting your ssh server to another port? If your friends know about it, this shouldn't be a problem.

Tarjei
Re: recommendations for FTP server
On Fri, Jun 20, 2003 at 02:24:22PM -0400, Matt Zimmerman wrote:

> On Fri, Jun 20, 2003 at 12:56:01PM -0400, Stephen Gran wrote:
>
> > I am thinking about setting up an FTP server to be used by myself and a couple of friends. The box it will be running on is basically stock Woody, and is currently only running apache and NAT'ing for a LAN.
> >
> > I'd like the FTP server to not allow anonymous logins (which I assume most can do), chroot users to their home directories, and have some sort of encrypted connections (over SSL would be nice). I have thought about just using sftp, but currently ssh connections are rerouted to another box on the LAN, and I'd like to leave that set up as is, if possible.
>
> You could run sshd on another port. Really, if you want encryption and no anonymous connections, sftp is the right tool for the job.

I went against running an FTP server for my users and went for using SFTP (part of sshd).

For users who just have a standard web package (so they have no shell access) I give them a shell called 'scponly-c', from the package scponly which can be found at http://www.sublimation.org/scponly/

So they can only use SFTP and/or scp to upload files, no shell access. They are also chroot'ed to their home directory for a bit of added security.

I haven't had any reported problems. You need to provide the programs they'll need though, like ls, pwd etc. etc. in their home directory as they are running in a chroot (if you take that option - It is possible without the chroot).

HTH,
David.
--
 .''`.  David Ramsden [EMAIL PROTECTED]
: :' :  http://portal.hexstream.eu.org/
`. `'`  PGP key ID: 507B379B on wwwkeys.pgp.net
  `-    Debian - when you have better things to do than to fix a system.
Re: recommendations for FTP server
This one time, at band camp, Matt Zimmerman said:

> On Fri, Jun 20, 2003 at 12:56:01PM -0400, Stephen Gran wrote:
>
> > I'd like the FTP server to not allow anonymous logins (which I assume most can do), chroot users to their home directories, and have some sort of encrypted connections (over SSL would be nice). I have thought about just using sftp, but currently ssh connections are rerouted to another box on the LAN, and I'd like to leave that set up as is, if possible.
>
> You could run sshd on another port. Really, if you want encryption and no anonymous connections, sftp is the right tool for the job.

Yeah, that's what I have been thinking. I was sort of hoping there was something else out there that did all this besides sftp, because several of my friends will be connecting from Windoze boxes. I guess I'll just point them to PuTTY and friends.

Thanks all,

--
| Stephen Gran                  | Neglect of duty does not cease, by    |
| [EMAIL PROTECTED]             | repetition, to be neglect of duty. -- |
| http://www.lobefin.net/~steve | Napoleon                              |
Re: recommendations for FTP server
* Stephen Gran [EMAIL PROTECTED] wrote:

> I am thinking about setting up an FTP server to be used by myself and a couple of friends. The box it will be running on is basically stock Woody, and is currently only running apache and NAT'ing for a LAN.
>
> I'd like the FTP server to not allow anonymous logins (which I assume most can do), chroot users to their home directories, and have some sort of encrypted connections (over SSL would be nice). I have thought about just using sftp, but currently ssh connections are rerouted to another box on the LAN, and I'd like to leave that set up as is, if possible.
>
> I see that proftpd is the example used in the 'securing Debian' manual, but it doesn't appear to be able to use SSL. OTOH, ftpd-ssl doesn't appear to do chroot'ing, at least not at a quick glance. Anybody know of one that combines these features? I suppose there is always stunnel, although I have never tried to use it for FTP.
>
> Any recommendations, experiences, thoughts?

Maybe http://www.linuxmafia.com/pub/linux/security/ftp-daemons will help you to make a good decision.

Regards,
Marcus
--
Tuba cum sonuerit dies erit extrema et iudex advenerit vocabit sempiterna electos in patria prescitos ad inferna.
Re: recommendations for FTP server
Proftpd does support SSL/TLS. It's a module that comes with it, it's just not enabled by default. Some nice docs here: http://www.castaglia.org/proftpd/modules/mod_tls.html http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html Actually... it's enabled by default, that's why it says 'no certificate found' when you start it the first time. Neither sftp nor anything else is a 'drop-in' replacement for ftp. The only problem with TLS/SSL in ftp is that there are not that many clients that support that - there are NONE in woody. You need to backport lftp from sid or compile it yourself ( I've got my backport available from http://eyck.forumakad.pl/woody ./ ) There are few other options - tlswrap changes every passive-capable ftp client into TLS-capable ftp client, there is this nice POSIX/Windoze lundfxp client etc.. The way I see it, sftp is way less secure way of providing access to files then tls/ftp, you see, you need to create valid ssh-able accounts for all your users, then it'll take you some time to secure those accounts just a bit ( scp-only acount? - great, if you wanna play around and compile special shell... there is no scp-shell in woody, there is one in sid. Is it safe enough? Who knows ). With ftp users need no shell, need no nothing. I create unlimited number of users and worry not -- Dariush Pietrzak, I ain't the sharpest tool in a shed. Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: recommendations for FTP server
On Fri, Jun 20, 2003 at 07:39:28PM +0100, Ian Goodall wrote: Any recommendations, experiences, thoughts? Running ftp over a vpn would work but its not the easiest option. Sftp is exactly what you need. Why not just run it on another port? Last I checked, sftp requires a patch to chroot, though. xn -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: recommendations for FTP server
* Stephen Gran ([EMAIL PROTECTED]) [030621 01:05]: Yeah, that's what I have been thinking. I was sort of hoping there was something else out there that did all this besides sftp, because several of my friends will be connecting from Windoze boxes. I guess I'll just point them to PuTTy and friends. What about webdav, http://www.webdav.org/? This is a filesystem over http(s). Using it as client with Linux is quite easy, and also MS-Users can connect quite easily from a Windows box using standard microsoft tools (i.e. Explorer). I'm using it instead of non-anonymous ftp, and I'm quite happy. Cheers, Andi -- http://home.arcor.de/andreas-barth/ PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: recommendations for FTP server
You could run sshd on another port. Really, if you want encryption and no anonymous connections, sftp is the right tool for the job. Yeah, that's what I have been thinking. I was sort of hoping there was something else out there that did all this besides sftp, because several of my friends will be connecting from Windoze boxes. I guess I'll just point them to PuTTy and friends. I'd suggest pointing them at WinSCP: http://winscp.com for a pointy-clicky scp/sftp client for Win32, and Fugu: http://rsug.itd.umich.edu/software/fugu/ for an OS X client, both of which are free and source available (fugu under a BSD-style licence, WinSCP under a similar licence to puTTY). Hope this helps, David -- C Nonsense in BASIC -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: recommendations for FTP server (fwd)
From:[EMAIL PROTECTED] To: Dariush Pietrzak [EMAIL PROTECTED] Subject: Re: recommendations for FTP server Date:Sat, 21 Jun 2003 01:09:45 + I know about SSL/TLS support in Proftp, the only problem is that few clients support it (thanks fot the link to the Woody backport). I would use it if I could find clients that are supported by multiple OSes. Are there any SSL/TLS clients for Windows, OS X or Mac 9x? Proftpd does support SSL/TLS. It's a module that comes with it, it's just not enabled by default. Some nice docs here: http://www.castaglia.org/proftpd/modules/mod_tls.html http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html Actually... it's enabled by default, that's why it says 'no certificate found' when you start it the first time. Neither sftp nor anything else is a 'drop-in' replacement for ftp. The only problem with TLS/SSL in ftp is that there are not that many clients that support that - there are NONE in woody. You need to backport lftp from sid or compile it yourself ( I've got my backport available from http://eyck.forumakad.pl/woody ./ ) There are few other options - tlswrap changes every passive-capable ftp client into TLS-capable ftp client, there is this nice POSIX/Windoze lundfxp client etc.. The way I see it, sftp is way less secure way of providing access to files then tls/ftp, you see, you need to create valid ssh-able accounts for all your users, then it'll take you some time to secure those accounts just a bit ( scp-only acount? - great, if you wanna play around and compile special shell... there is no scp-shell in woody, there is one in sid. Is it safe enough? Who knows ). With ftp users need no shell, need no nothing. I create unlimited number of users and worry not -- Dariush Pietrzak, I ain't the sharpest tool in a shed. Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? 
Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: recommendations for FTP server
On Fri, 20 Jun 2003 16:25:30 -0400, Stephen Gran wrote: This one time, at band camp, Matt Zimmerman said: [...] Yeah, that's what I have been thinking. I was sort of hoping there was something else out there that did all this besides sftp, because several of my friends will be connecting from Windoze boxes. I guess I'll just point them to PuTTy and friends. Don't forget FileZilla http://filezilla.sourceforge.net/ GUI Win32 client that does FTP, FTP over SSL, and SFTP. Apparently has some integration with PuTTY,though I can't currently figure out how to get FileZilla to use my PuTTY keystore. Seems nice and stable to me. Nick Boyce Bristol, UK -- Microsoft may provide updates that will be automatically downloaded onto your computer. These updates may disable your ability to copy and/or play content and use other software on your computer. -- http://bsdvault.net/article.php?sid=527mode=order=0 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: recommendations for FTP server
Quoting Marcus Frings ([EMAIL PROTECTED]): Maybe http://www.linuxmafia.com/pub/linux/security/ftp-daemons will help you to make a good decision. Hey, thanks, Marcus! That file reflects (and disclaims) my prejudice that anonymous ftp remains A Good Thing (see: http://linuxmafia.com/~rick/linux-info/ftp-justification), and that either scp or ftp-ssl (or, I guess, sftp) is perfectly adequate for non-anonymous file transfers. OS coverage for scp is basically universal: http://linuxmafia.com/pub/linux/security/ssh-clients Of course, no doubt some people will whine about scp not doing file-browsing. Some front-ends can kludge that capability anyway (SecPanel, KSSH, KDESSH, ssh-gui, and GPuTTY for X11/*ix, Fugu for Mac OS X / Cocoa, FileZilla and Secure iXplorer for Win32) -- or you can try ftp-ssl or sftp. Don't forget, too, about the FISH protocol, as implemented in Midnight Commander, KDE 3.1's kio_fish plugin, and lftp (ftp-like browsing over generic SSH transport). http://linuxmafia.com/~rick/linux-info/fish-protocol -- Cheers, Rick Moen [EMAIL PROTECTED] "First they came for the verbs, and I said nothing, for verbing weirds language. Then, they arrival for the nouns and I speech nothing, for I no verbs." - Peter Ellis
recommendations for FTP server
Hello all, I am thinking about setting up an FTP server to be used by myself and a couple of friends. The box it will be running on is basically stock Woody, and is currently only running apache and NAT'ing for a LAN. I'd like the FTP server to not allow anonymous logins (which I assume most can do), chroot users to their home directories, and have some sort of encrypted connections (over SSL would be nice). I have thought about just using sftp, but currently ssh connections are rerouted to another box on the LAN, and I'd like to leave that set up as is, if possible. I see that proftpd is the example used in the 'securing Debian' manual, but it doesn't appear to be able to use SSL. OTOH, ftpd-ssl doesn't appear to do chroot'ing, at least not at a quick glance. Anybody know of one that combines these features? I suppose there is always stunnel, although I have never tried to use it for FTP. Any recommendations, experiences, thoughts? -- -- | Stephen Gran | The proof of the pudding is in the | | [EMAIL PROTECTED] | eating. -- Miguel de Cervantes| | http://www.lobefin.net/~steve | | --
Re: recommendations for FTP server
On Fri, Jun 20, 2003 at 12:56:01PM -0400, Stephen Gran wrote: I am thinking about setting up an FTP server to be used by myself and a couple of friends. The box it will be running on is basically stock Woody, and is currently only running apache and NAT'ing for a LAN. I'd like the FTP server to not allow anonymous logins (which I assume most can do), chroot users to their home directories, and have some sort of encrypted connections (over SSL would be nice). I have thought about just using sftp, but currently ssh connections are rerouted to another box on the LAN, and I'd like to leave that set up as is, if possible. You could run sshd on another port. Really, if you want encryption and no anonymous connections, sftp is the right tool for the job. -- - mdz
Re: recommendations for FTP server
Stephen Gran [EMAIL PROTECTED] writes: I see that proftpd is the example used in the 'securing Debian' manual, but it doesn't appear to be able to use SSL. OTOH, ftpd-ssl doesn't appear to do chroot'ing, at least not at a quick glance. Anybody know of one that combines these features? I suppose there is always stunnel, although I have never tried to use it for FTP. Proftpd does support SSL/TLS. It's a module that comes with it, it's just not enabled by default. Some nice docs here: http://www.castaglia.org/proftpd/modules/mod_tls.html http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html -- Ted Cabeen Systems/Network Administrator Impulse Internet Services
Re: recommendations for FTP server
Any recommendations, experiences, thoughts? Running ftp over a vpn would work but it's not the easiest option. Sftp is exactly what you need. Why not just run it on another port? Hope this helps.
Re: recommendations for FTP server (fwd)
From: [EMAIL PROTECTED] To: Stephen Gran [EMAIL PROTECTED] Subject: Re: recommendations for FTP server Date: Fri, 20 Jun 2003 18:37:43 + If security is a concern, you might want to use SecureFTP instead. It is part of the OpenSSH package. The sftp client is a part of most Linux and BSD (including MacOS X) distros and there are also sftp clients for Macintosh http://ca.huji.ac.il/services/internet/ssh/macsftp.shtml and Windows http://www.chiark.greenend.org.uk/~sgtatham/putty/ . Hello all, I am thinking about setting up an FTP server to be used by myself and a couple of friends. The box it will be running on is basically stock Woody, and is currently only running apache and NAT'ing for a LAN. I'd like the FTP server to not allow anonymous logins (which I assume most can do), chroot users to their home directories, and have some sort of encrypted connections (over SSL would be nice). I have thought about just using sftp, but currently ssh connections are rerouted to another box on the LAN, and I'd like to leave that set up as is, if possible. I see that proftpd is the example used in the 'securing Debian' manual, but it doesn't appear to be able to use SSL. OTOH, ftpd-ssl doesn't appear to do chroot'ing, at least not at a quick glance. Anybody know of one that combines these features? I suppose there is always stunnel, although I have never tried to use it for FTP. Any recommendations, experiences, thoughts? -- -- | Stephen Gran | The proof of the pudding is in the | | [EMAIL PROTECTED] | eating. -- Miguel de Cervantes| | http://www.lobefin.net/~steve | | --
RE: recommendations for FTP server
Have you thought about running sftp on a nonstandard port? John Wright Manager of Departmental Computing Radio/TV Services Indiana University 1229 E. Seventh Street, room 284 Radio-TV Center Bloomington, Indiana 47405 Phone: 812-855-8076 Fax: 812-855-0729 [EMAIL PROTECTED] -----Original Message----- From: Stephen Gran [mailto:[EMAIL PROTECTED] Sent: Friday, June 20, 2003 11:56 AM To: Debian Security Subject: recommendations for FTP server Hello all, I am thinking about setting up an FTP server to be used by myself and a couple of friends. The box it will be running on is basically stock Woody, and is currently only running apache and NAT'ing for a LAN. I'd like the FTP server to not allow anonymous logins (which I assume most can do), chroot users to their home directories, and have some sort of encrypted connections (over SSL would be nice). I have thought about just using sftp, but currently ssh connections are rerouted to another box on the LAN, and I'd like to leave that set up as is, if possible. I see that proftpd is the example used in the 'securing Debian' manual, but it doesn't appear to be able to use SSL. OTOH, ftpd-ssl doesn't appear to do chroot'ing, at least not at a quick glance. Anybody know of one that combines these features? I suppose there is always stunnel, although I have never tried to use it for FTP. Any recommendations, experiences, thoughts? -- -- | Stephen Gran | The proof of the pudding is in the | | [EMAIL PROTECTED] | eating. -- Miguel de Cervantes | | http://www.lobefin.net/~steve | | --
Re: recommendations for FTP server
On Fri, 2003-06-20 at 18:56, Stephen Gran wrote: Hello all, I am thinking about setting up an FTP server to be used by myself and a couple of friends. The box it will be running on is basically stock Woody, and is currently only running apache and NAT'ing for a LAN. I'd like the FTP server to not allow anonymous logins (which I assume most can do), chroot users to their home directories, and have some sort of encrypted connections (over SSL would be nice). I have thought about just using sftp, but currently ssh connections are rerouted to another box on the LAN, and I'd like to leave that set up as is, if possible. How about setting your ssh server to another port? If your friends know about it, this shouldn't be a problem. Tarjei
Re: recommendations for FTP server
On Fri, Jun 20, 2003 at 02:24:22PM -0400, Matt Zimmerman wrote: On Fri, Jun 20, 2003 at 12:56:01PM -0400, Stephen Gran wrote: I am thinking about setting up an FTP server to be used by myself and a couple of friends. The box it will be running on is basically stock Woody, and is currently only running apache and NAT'ing for a LAN. I'd like the FTP server to not allow anonymous logins (which I assume most can do), chroot users to their home directories, and have some sort of encrypted connections (over SSL would be nice). I have thought about just using sftp, but currently ssh connections are rerouted to another box on the LAN, and I'd like to leave that set up as is, if possible. You could run sshd on another port. Really, if you want encryption and no anonymous connections, sftp is the right tool for the job. I went against running an FTP server for my users and went for using SFTP (part of sshd). For users who just have a standard web package (so they have no shell access) I give them a shell called 'scponly-c', from the package scponly which can be found at http://www.sublimation.org/scponly/ So they can only use SFTP and/or scp to upload files, no shell access. They are also chroot'ed to their home directory for a bit of added security. I haven't had any reported problems. You need to provide the programs they'll need though, like ls, pwd etc. etc. in their home directory as they are running in a chroot (if you take that option - It is possible without the chroot). HTH, David. -- .''`. David Ramsden [EMAIL PROTECTED] : :' :http://portal.hexstream.eu.org/ `. `'` PGP key ID: 507B379B on wwwkeys.pgp.net `- Debian - when you have better things to do than to fix a system.
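The setup discussed in this thread (sshd on a second port, SFTP only, each user confined to their own directory), written out as an added configuration example that is not taken from any of the posts. It assumes a current OpenSSH, where the built-in internal-sftp server and the ChrootDirectory option make the chroot patch and a restricted shell unnecessary; the file name, port 2222, group sftponly and the /srv/sftp paths are hypothetical.

```conf
# /etc/ssh/sshd_config_sftp  (hypothetical file for a second sshd instance)
# Added example: port, group name and paths are assumptions, not from the thread.
# Start it with: /usr/sbin/sshd -f /etc/ssh/sshd_config_sftp

# Separate port, so port 22 can stay forwarded to the other box on the LAN.
Port 2222
PidFile /run/sshd_sftp.pid

# No anonymous or root logins; only members of the transfer group may connect.
PermitRootLogin no
PermitEmptyPasswords no
AllowGroups sftponly

# In-process SFTP server: needs no shell, ls, pwd or libraries inside the chroot.
Subsystem sftp internal-sftp

Match Group sftponly
    # Every component of this path must be owned by root and not writable by
    # group or others, or sshd rejects the session. Give each user a writable
    # subdirectory instead, e.g. /srv/sftp/USER/upload owned by that user.
    ChrootDirectory /srv/sftp/%u
    # Ignore any requested command or login shell; the session can only speak SFTP.
    ForceCommand internal-sftp
    # Close the side channels an ordinary SSH account would have.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```

Because the SFTP server runs inside sshd, accounts in this group can be given a non-login shell such as /usr/sbin/nologin.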
Re: recommendations for FTP server
* Stephen Gran [EMAIL PROTECTED] wrote: I am thinking about setting up an FTP server to be used by myself and a couple of friends. The box it will be running on is basically stock Woody, and is currently only running apache and NAT'ing for a LAN. I'd like the FTP server to not allow anonymous logins (which I assume most can do), chroot users to their home directories, and have some sort of encrypted connections (over SSL would be nice). I have thought about just using sftp, but currently ssh connections are rerouted to another box on the LAN, and I'd like to leave that set up as is, if possible. I see that proftpd is the example used in the 'securing Debian' manual, but it doesn't appear to be able to use SSL. OTOH, ftpd-ssl doesn't appear to do chroot'ing, at least not at a quick glance. Anybody know of one that combines these features? I suppose there is always stunnel, although I have never tried to use it for FTP. Any recommendations, experiences, thoughts? Maybe http://www.linuxmafia.com/pub/linux/security/ftp-daemons will help you to make a good decision. Regards, Marcus -- Tuba cum sonuerit dies erit extrema et iudex advenerit vocabit sempiterna electos in patria prescitos ad inferna.
Re: recommendations for FTP server
Proftpd does support SSL/TLS. It's a module that comes with it, it's just not enabled by default. Some nice docs here: http://www.castaglia.org/proftpd/modules/mod_tls.html http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html Actually... it's enabled by default, that's why it says 'no certificate found' when you start it the first time. Neither sftp nor anything else is a 'drop-in' replacement for ftp. The only problem with TLS/SSL in ftp is that there are not that many clients that support that - there are NONE in woody. You need to backport lftp from sid or compile it yourself ( I've got my backport available from http://eyck.forumakad.pl/woody ./ ) There are few other options - tlswrap changes every passive-capable ftp client into TLS-capable ftp client, there is this nice POSIX/Windoze lundfxp client etc. The way I see it, sftp is way less secure way of providing access to files than tls/ftp, you see, you need to create valid ssh-able accounts for all your users, then it'll take you some time to secure those accounts just a bit ( scp-only account? - great, if you wanna play around and compile special shell... there is no scp-shell in woody, there is one in sid. Is it safe enough? Who knows ). With ftp users need no shell, need no nothing. I create unlimited number of users and worry not -- Dariush Pietrzak, I ain't the sharpest tool in a shed. Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: recommendations for FTP server
On Fri, Jun 20, 2003 at 07:39:28PM +0100, Ian Goodall wrote: Any recommendations, experiences, thoughts? Running ftp over a vpn would work but it's not the easiest option. Sftp is exactly what you need. Why not just run it on another port? Last I checked, sftp requires a patch to chroot, though. xn
Re: recommendations for FTP server
* Stephen Gran ([EMAIL PROTECTED]) [030621 01:05]: Yeah, that's what I have been thinking. I was sort of hoping there was something else out there that did all this besides sftp, because several of my friends will be connecting from Windoze boxes. I guess I'll just point them to PuTTy and friends. What about webdav, http://www.webdav.org/? This is a filesystem over http(s). Using it as client with Linux is quite easy, and also MS-Users can connect quite easily from a Windows box using standard microsoft tools (i.e. Explorer). I'm using it instead of non-anonymous ftp, and I'm quite happy. Cheers, Andi -- http://home.arcor.de/andreas-barth/ PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C
Re: recommendations for FTP server
You could run sshd on another port. Really, if you want encryption and no anonymous connections, sftp is the right tool for the job. Yeah, that's what I have been thinking. I was sort of hoping there was something else out there that did all this besides sftp, because several of my friends will be connecting from Windoze boxes. I guess I'll just point them to PuTTy and friends. I'd suggest pointing them at WinSCP: http://winscp.com for a pointy-clicky scp/sftp client for Win32, and Fugu: http://rsug.itd.umich.edu/software/fugu/ for an OS X client, both of which are free and source available (fugu under a BSD-style licence, WinSCP under a similar licence to puTTY). Hope this helps, David -- C Nonsense in BASIC
Re: recommendations for FTP server (fwd)
From: [EMAIL PROTECTED] To: Dariush Pietrzak [EMAIL PROTECTED] Subject: Re: recommendations for FTP server Date: Sat, 21 Jun 2003 01:09:45 + I know about SSL/TLS support in Proftp, the only problem is that few clients support it (thanks for the link to the Woody backport). I would use it if I could find clients that are supported by multiple OSes. Are there any SSL/TLS clients for Windows, OS X or Mac 9x? Proftpd does support SSL/TLS. It's a module that comes with it, it's just not enabled by default. Some nice docs here: http://www.castaglia.org/proftpd/modules/mod_tls.html http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html Actually... it's enabled by default, that's why it says 'no certificate found' when you start it the first time. Neither sftp nor anything else is a 'drop-in' replacement for ftp. The only problem with TLS/SSL in ftp is that there are not that many clients that support that - there are NONE in woody. You need to backport lftp from sid or compile it yourself ( I've got my backport available from http://eyck.forumakad.pl/woody ./ ) There are few other options - tlswrap changes every passive-capable ftp client into TLS-capable ftp client, there is this nice POSIX/Windoze lundfxp client etc. The way I see it, sftp is way less secure way of providing access to files than tls/ftp, you see, you need to create valid ssh-able accounts for all your users, then it'll take you some time to secure those accounts just a bit ( scp-only account? - great, if you wanna play around and compile special shell... there is no scp-shell in woody, there is one in sid. Is it safe enough? Who knows ). With ftp users need no shell, need no nothing. I create unlimited number of users and worry not -- Dariush Pietrzak, I ain't the sharpest tool in a shed. Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: recommendations for FTP server
On Fri, 20 Jun 2003 16:25:30 -0400, Stephen Gran wrote: This one time, at band camp, Matt Zimmerman said: [...] Yeah, that's what I have been thinking. I was sort of hoping there was something else out there that did all this besides sftp, because several of my friends will be connecting from Windoze boxes. I guess I'll just point them to PuTTy and friends. Don't forget FileZilla http://filezilla.sourceforge.net/ GUI Win32 client that does FTP, FTP over SSL, and SFTP. Apparently has some integration with PuTTY, though I can't currently figure out how to get FileZilla to use my PuTTY keystore. Seems nice and stable to me. Nick Boyce Bristol, UK -- Microsoft may provide updates that will be automatically downloaded onto your computer. These updates may disable your ability to copy and/or play content and use other software on your computer. -- http://bsdvault.net/article.php?sid=527mode=order=0