
List:       pureftpd-list
Subject:    Re: [pure-ftpd] Secure file transfer
From:       Anthony Hocquet <anthony.hocquet () gmail ! com>
Date:       2009-04-21 14:47:56
Message-ID: 6b32980b0904210747q2f37c508q193afae4456b0199 () mail ! gmail ! com


Hi,

On Tue, Apr 21, 2009 at 3:57 PM, Frank Denis <j@pureftpd.org> wrote:

>  Hello,
>
> On Tue, Apr 21, 2009 at 03:40:57PM +0200, uhel@gmx.net wrote:
> > *Maybe* it will be integrated if someone sends a decent patch to enable
> > a TLS secured data channel.
>
>   Good news: someone did send a decent patch to enable a TLS secured data
> channel, and it will get merged tomorrow.
>

That's really good news! Will there be new options provided to force
encryption through the DATA channel, as vsftp offers?  Something like:
ForceTLSTransfer=1. That would refuse any attempt to transfer clear binary.


> > Btw. SSL/TLS secured FTP (http://en.wikipedia.org/wiki/FTPS) is
> > something else than sftp
> > (http://en.wikipedia.org/wiki/SSH_file_transfer_protocol)!
>
>   Yes, those protocols are totally different. SFTP relies on SSH and can
> intelligently multiplex channels on a single socket.
>
>  FTP over SSL/TLS is a horrible hack. Really, FTP was designed a while
> back, when things like NAT didn't even exist. It uses dynamic ports that
> require routers to snoop commands in order to find what ports should be
> forwarded. This is why NATing/firewalling FTP is a nightmare.
>  SSL/TLS makes this even more nightmarish. FTP over SSL/TLS was made as a
> quick hack to add a feeling of security over an insecure protocol.
>  If you have the choice, really, use SFTP.
>

Yeah, I know that's just a trick, but it works quite well when limiting the
PASV port range. And SFTP is great, but it requires real user accounts
instead of virtual ones, as far as I know. Furthermore, I like the way we can
configure an FTP server, which is more flexible than a simple SSH server, in
my humble opinion.

Anyway, thanks everyone for your reactivity and help, it's highly
appreciated.

Best regards,

-- 
Anthony Hocquet
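
[Added example, not part of the original message or of pure-ftpd: a small model of the point discussed in the thread, that a command-snooping NAT/firewall can read the PASV data port from a cleartext control channel but not from a TLS one, so a limited passive port range has to be forwarded statically. Function names, addresses and the port range are constructed for illustration.]

```python
import re

# RFC 959 PASV reply: "227 ... (h1,h2,h3,h4,p1,p2)"; data port = p1*256 + p2
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(line):
    """Return (ip, port) advertised in a 227 reply, or None if it is not one."""
    m = PASV_RE.match(line)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):          # each field is one octet
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def nat_helper_view(control_line, encrypted):
    """What a snooping NAT/firewall helper can learn from one control line."""
    if encrypted:
        return None                      # only TLS records are visible on the wire
    return parse_pasv(control_line)

def forwarding_plan(control_line, encrypted, passive_range):
    """How the data port ends up reachable through the firewall.

    'dynamic': the helper saw the port and can open it on demand
    'static' : helper is blind, but the port is inside the pre-forwarded range
    'blocked': helper is blind and the port is outside the forwarded range
    """
    actual = parse_pasv(control_line)
    if actual is None:
        raise ValueError("not a 227 reply")
    if nat_helper_view(control_line, encrypted) is not None:
        return "dynamic"
    lo, hi = passive_range
    return "static" if lo <= actual[1] <= hi else "blocked"

# Constructed sample replies (192.0.2.0/24 is a documentation network)
REPLY_IN_RANGE = "227 Entering Passive Mode (192,0,2,10,117,56)"    # port 30008
REPLY_OUT_RANGE = "227 Entering Passive Mode (192,0,2,10,200,21)"   # port 51221
FORWARDED_RANGE = (30000, 30100)         # hypothetical statically forwarded range

if __name__ == "__main__":
    for reply in (REPLY_IN_RANGE, REPLY_OUT_RANGE):
        for enc in (False, True):
            print(parse_pasv(reply), "TLS" if enc else "clear",
                  forwarding_plan(reply, enc, FORWARDED_RANGE))
```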

