Our local CERT-type person mailed me the following and I replied as follows. Could I have given a better answer?

> I notice that zope comes with an FTP server which, by default, runs on port
> 8021. There's one running on "stingray", as I write, which seems to accept
> any and all combinations of usernames/passwords (valid or otherwise),
> although *I* don't seem to be able to do/see anything with any of the ones
> I've tried.

Hmmm. Hadn't noticed that before. Even if you disable the FTP Access permission for the role Manager (as well as Anonymous) it's still the same. But, as you note, you can't do very much.

> Anyway, that's an aside. What my question is is "how can this
> service be used such that usernames/passwords are transmitted securely?"

Don't know. Does SSL (whether Zope is behind Apache or not) only apply to http stuff? My understanding is that Zope incorporates the Medusa server. There is a reference on the Medusa web page (http://www.nightmare.com/medusa/) to "SSL and Medusa with STunnel". An exercise left for the ambitious reader?

Meanwhile I observe that if you set a Domains restriction for a particular user (done via the acl_users Folder) it applies to both ftp and http clients (and presumably WebDAV too) - though at first it doesn't seem so via ftp because you can login, but you can't actually do anything (just like Richard reports with any username/password).

So, an imperfect answer to your question might be "disallow ftp access from outside our local domain and then keep your fingers crossed".

TIA.

Paul

--
The Library, Tyndall Avenue, Univ. of Bristol, Bristol, BS8 1TJ, UK
E-mail: [EMAIL PROTECTED]
URL: http://www.bris.ac.uk/
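
The behaviour described in this message (any username/password is accepted at login, yet the session can then do nothing) can be told apart from a genuinely authorized login by issuing one command after logging in. The following is an added example, not part of the original post and not Zope or Medusa code; the `LaxLoginFTP` stand-in server, its 530 replies and the `audit_login` helper are constructed assumptions.

```python
import ftplib
import socketserver
import threading

class LaxLoginFTP(socketserver.StreamRequestHandler):
    """Constructed stand-in: accepts any USER/PASS, refuses everything after."""
    def handle(self):
        self.wfile.write(b"220 constructed test server\r\n")
        for raw in self.rfile:
            verb = raw.decode("latin-1").strip().split(" ")[0].upper()
            if verb == "USER":
                reply = b"331 Password required\r\n"
            elif verb == "PASS":
                reply = b"230 Login successful\r\n"   # no credential check at all
            elif verb == "QUIT":
                self.wfile.write(b"221 Bye\r\n")
                return
            else:
                reply = b"530 Unauthorized\r\n"       # assumed refusal code
            self.wfile.write(reply)

def audit_login(host, port, user, password, timeout=5):
    """Return 'rejected', 'login-only' or 'authorized' for one credential pair."""
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)
    try:
        try:
            ftp.login(user, password)
        except ftplib.error_perm:
            return "rejected"          # server refused at USER/PASS
        try:
            ftp.pwd()                  # cheap command, needs no data channel
        except ftplib.error_perm:
            return "login-only"        # login accepted, authorization deferred
        return "authorized"
    finally:
        ftp.close()

def demo():
    """Run the audit against the constructed server on a loopback port."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), LaxLoginFTP)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return audit_login("127.0.0.1", srv.server_address[1], "nosuchuser", "bogus")
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(demo())
```

A "login-only" result still means the password crossed the network in cleartext, so it says nothing about the transport question raised in the message.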