On Fri, 2002-09-20 at 01:59, Jeff Waugh wrote:
> <quote who="Tom">
>
> > Question One: Do people agree with this? If tomorrow all instances of
> > 'ftpd' were magically changed to 'sshd', would we have all the
> > functionality we wanted, but with improved security?
>
> To play devil's advocate for a moment:
>
>  - FTP daemons have been around for a long time, so they've had a lot of
>    field testing and fixage. See vsftp for a very good daemon under Linux.
>
>  - Whilst your password is in the clear (if you need a password at all),
>    FTP servers and policies are generally set up with that in mind
>
>  - Chrooted FTP is not hard to set up
>
>  - OpenSSH has been a nice big can of worms for a lot of administrators
>    over the last few months. It's not the only SSH, but it is the one our
>    community generally uses
>
>  - Chrooted SSH and policies in general are a bit more complicated -
>    FTP is for file transfer, SSH/SCP/SFTP are fairly interwoven and are not
>    easily administered centrally (consider keys and key policies, allowed
>    commands, etc).
>
> So, if I need to transfer a file, I may as well just use FTP if I don't
> require encryption for data or authorisation. If I need those, perhaps I
> should just use IPSEC or a tunnel, with... FTP on top.
>
> (That said, I usually prefer HTTP anyway, but hey...)
>
> - Jeff
>
OK, not everyone needs to be 'saved' from ftp. (And the idea of converging to one program is wrong too.)

Question: *Who* needs to be 'saved' from the security dangers of running an ftp server? (Is there no problem/danger? Is it just alarmists scaring people?)

Apologies for bloviation.

--Tom

--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
