Sorry to pop in on this late in the discussion, but I just now started digging through my mail. I actually spent several days researching various methods of secure file transfer a month or so ago, and wound up deciding on ssl-ftp. Primary decision was because I needed an authentication mechanism besides OS login, and I didn't see anything in the ssh/sftp arena that provided it. I didn't want to create customer accounts in the OS.
> On Mon, Oct 22, 2001 at 11:28:41AM +1100, Christian Mengler wrote:
> > Hey,
> > I've been looking into FTP encryption for the last few days, I found that
> > SSH only encrypts the authentication process, but not the transferring of
> > data.

Depends on the version; v1 sftp did this. v2 sftp (f-secure and openssh) are actually encrypting the entire session. Tunneling ftp through ssh will depend on how you configure the tunnel.

> Huh? Then why is it when I use SCP to copy files between two machines
> on a crossed Ethernet cable, the speed of the copy is substantially less
> than using HTTP or (unencrypted) FTP? I also see SSH processes on both
> boxes consuming non-negligible CPU cycles. Tcpdump also shows gibberish
> where my files should be.

The gibberish part is to be expected, since it's encrypted data. The speed issue isn't you alone. I've seen it, as have several others. Not sure why scp sucks so badly in the speed department compared to other transfer methods.

> > Although SSL, I read that it encrypts not only the authentication, but
> > also the data. I'm not quite sure on what SSL FTP daemons are out there,
> > there are a few for *nix, e.g. SurgeFTP (www.freshmeat.net), but I'm not sure on
> > the availability for Windows. But it's worth a try looking for FTP
> > clients/servers supporting SSL :)

Yes, ssl-ftp can encrypt the control & data channel; it's not required to do so, but it is allowed per the RFC, and the few ssl-ftp servers I found had it as a configurable option.

> If you want a cheaper solution, you can try using Stunnel on a standard
> FTP daemon. It was only by using stunnel I was able to get ncftp to
> connect to an SSL-FTP server... I haven't yet seen any standalone
> FTP-SSL clients yet, not even for Unix.

I'm not sure about Unix, but there are at least 2 ssl-ftp clients for Windows - ws-ftpd pro (v7) and CuteFTP Pro. CuteFTP Pro also has support for sftp, http, and https as well. Rather nifty it seemed.
As for ssl-ftp servers, I only found one RFC compliant one for Windows: ws-ftp server (www.ipswitch.com). For Unix, there are at least a handful; the one that sticks in mind right now is ProFTPd (open source).

One minor detail you need to be aware of with ssl-ftp: because it runs through the normal ftp ports, some firewalls (FW1 & SecureRemote) see the encrypted ftp commands going over the ftp ports, can't parse them because they are encrypted, and then silently drop the packets. This, even when allow-all is configured. If Secure Remote is even running on the client system, you won't be able to get a ssl-ftp connection up until you disable Secure Remote from auto-starting and then reboot the system (yes, I really mean reboot). Pix does work properly once you disable the ftp fixup protocol; I haven't tested with any others.

-Chad
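Two points the thread keeps circling back to, worked as an added Python example that is not code from the thread or from any of the products named in it: an explicit FTP-over-TLS client that protects the data channel as well as the control channel (ftplib leaves data connections in the clear unless `prot_p()` is called, which is the "allowed but not required" behaviour Chad mentions), and a toy model of a firewall FTP fixup/ALG showing why it can learn the data-channel endpoint from a cleartext session but sees only unparseable bytes once the server accepts AUTH TLS. The host name, credentials and both control-channel transcripts are constructed; the "ciphertext" records are opaque bytes standing in for TLS records, not a real handshake.

```python
"""Explicit FTP-over-TLS client (RFC 4217 AUTH TLS) plus a toy firewall FTP
inspector.  Added illustration, not code from the mailing-list thread; all
names, credentials and transcripts below are constructed."""
import re
import ssl
from ftplib import FTP_TLS

# 227 reply carries the passive endpoint as h1,h2,h3,h4,p1,p2 (port = p1*256 + p2)
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# One FTP control-channel line: "VERB [args]\r\n" or "NNN text\r\n" / "NNN-text\r\n"
FTP_LINE_RE = re.compile(r"^(?:[A-Z]{3,4}(?: [ -~]*)?|\d{3}[ -][ -~]*)\r\n$")


def parse_pasv(reply):
    """Return (host, port) from a '227 Entering Passive Mode' reply, else None."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def looks_like_ftp(record):
    """True if a raw control-channel record parses as a cleartext FTP line."""
    try:
        text = record.decode("ascii")
    except UnicodeDecodeError:
        return False
    return FTP_LINE_RE.match(text) is not None


def inspect_control_channel(records):
    """Toy model of a firewall FTP ALG (PIX 'fixup protocol ftp', FW-1's FTP
    security server).  It has to read the cleartext control channel to learn
    which data-channel endpoint to permit; a record it cannot parse as an FTP
    command or reply is dropped.  Returns (endpoints_permitted, records_dropped)."""
    permitted, dropped = [], 0
    for rec in records:
        if not looks_like_ftp(rec):
            dropped += 1          # ciphertext after AUTH TLS lands here
            continue
        endpoint = parse_pasv(rec.decode("ascii"))
        if endpoint is not None:
            permitted.append(endpoint)
    return permitted, dropped


# Constructed transcript of a cleartext session: the ALG can see the PASV reply.
PLAINTEXT_SESSION = [
    b"220 ftp.example.net FTP server ready\r\n",
    b"USER alice\r\n",
    b"331 Password required\r\n",
    b"PASS hunter2\r\n",
    b"230 Login successful\r\n",
    b"PASV\r\n",
    b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n",
    b"RETR report.csv\r\n",
    b"150 Opening data connection\r\n",
]

# Constructed transcript of an explicit-TLS session: after '234' every record is
# a TLS record.  The bytes are opaque stand-ins, not a real handshake.
TLS_SESSION = [
    b"220 ftp.example.net FTP server ready\r\n",
    b"AUTH TLS\r\n",
    b"234 Proceed with negotiation\r\n",
    b"\x16\x03\x03\x00\x45\x01\x00\x00\x41\x03\x03" + bytes(range(0x20)),
    b"\x16\x03\x03\x00\x3a\x02\x00\x00\x36\x03\x03" + bytes(range(0x20, 0x40)),
    b"\x17\x03\x03\x00\x1c" + bytes(range(0x40, 0x5c)),
    b"\x17\x03\x03\x00\x2e" + bytes(range(0x5c, 0x8a)),
]


def ftps_connect(host, user, password, cafile=None):
    """Explicit FTP-over-TLS: plain TCP to port 21, AUTH TLS on the control
    channel, then PBSZ 0 / PROT P so the data connections are encrypted too.
    Without prot_p() ftplib negotiates nothing for the data channel and file
    contents travel in the clear even though the login was protected."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies cert chain + hostname
    ftp = FTP_TLS(context=ctx)
    ftp.connect(host, 21, timeout=30)
    ftp.auth()                    # AUTH TLS -> 234; control channel now encrypted
    ftp.login(user, password)     # credentials go inside the TLS session
    ftp.prot_p()                  # PBSZ 0 + PROT P: protect the data channel
    return ftp


if __name__ == "__main__":
    print("cleartext:", inspect_control_channel(PLAINTEXT_SESSION))
    print("AUTH TLS: ", inspect_control_channel(TLS_SESSION))
    # ftps_connect("ftp.example.net", "alice", "hunter2") needs a live server.
```

Once the inspector is blind it can neither learn nor rewrite the data-channel endpoint, which is exactly the situation in which PIX's ftp fixup has to be turned off; the usual companion to that is pinning the server's passive port range and opening it statically alongside port 21, since nothing on the firewall can open it dynamically any more.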