From owner-freebsd-security Thu Dec 4 07:24:58 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id HAA28738 for security-outgoing; Thu, 4 Dec 1997 07:24:58 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id HAA28722 for ; Thu, 4 Dec 1997 07:24:50 -0800 (PST) (envelope-from cy@cschuber.net.gov.bc.ca)
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.8.8/8.6.10) id HAA00633; Thu, 4 Dec 1997 07:24:47 -0800 (PST)
Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by passer.osg.gov.bc.ca, id smtpdaarAwa; Thu Dec 4 07:24:43 1997
Received: (from uucp@localhost) by cwsys.cwsent.com (8.8.8/8.6.10) id HAA17752; Thu, 4 Dec 1997 07:24:31 -0800 (PST)
Message-Id: <199712041524.HAA17752@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpd017747; Thu Dec 4 15:24:06 1997
X-Mailer: exmh version 2.0gamma 1/27/96
Reply-to: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: cy
To: Adam Shostack
cc: jkh@time.cdrom.com (Jordan K. Hubbard), security@freebsd.org
Subject: Re: Possible problem with ftpd 6.00
In-reply-to: Your message of "Thu, 04 Dec 1997 05:54:35 EST." <199712041054.FAA20091@homeport.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 04 Dec 1997 07:24:03 -0800
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>
> Jordan K. Hubbard wrote:
> | > If you design systems such that people need to RTFM, your systems will
> | > fail. The FTP daemon should be re-written so that it doesn't ask for
> | > a password when it's offering anonymous access. (As in http).
> |
> | Which would break the heck out of many traditional FTP clients which
> | expect every user, be it a legit one or an anonymous one, will result
> | in a password being requested by the ftpd and they'll probably fail
> | the handshake with your optimization.
>
> Nolo contendere.
>
> I've long argued that FTP is brain dead and should be
> replaced. It has a host of misfeatures (the TCP connection back to
> the client causes uncountable headache for firewall builders, the site
> exec mechanism is just not a good idea, etc).

That's what FTP's passive mode is for.

>
> So please don't read it as a serious suggestion that we change
> the FTP daemon to fix this problem, but as an appeal to not design
> protocols that ask for ID for anonymous connection.
>
> Adam

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
UNIX Support                   OV/VM:  BCSC02(CSCHUBER)
ITSD                          BITNET:  CSCHUBER@BCSC02.BITNET
Government of BC            Internet:  cschuber@uumail.gov.bc.ca
                                       Cy.Schubert@gems8.gov.bc.ca

"Quit spooling around, JES do it."