From owner-freebsd-questions  Wed Aug 15  0:38:25 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65])
	by hub.freebsd.org (Postfix) with ESMTP
	id ABB8937B401; Wed, 15 Aug 2001 00:38:18 -0700 (PDT)
	(envelope-from ru@whale.sunbay.crimea.ua)
Received: (from ru@localhost)
	by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f7F7c7x56413;
	Wed, 15 Aug 2001 10:38:07 +0300 (EEST)
	(envelope-from ru)
Date: Wed, 15 Aug 2001 10:38:07 +0300
From: Ruslan Ermilov <ru@FreeBSD.ORG>
To: Greg Lehey <grog@FreeBSD.ORG>
Cc: Ted Mittelstaedt <tedm@toybox.placo.com>,
	Ryan Thompson <ryan@sasknow.com>,
	William Nunn <yorkie123@hotmail.com>, freebsd-questions@FreeBSD.ORG
Subject: Re: Remotely Exploitable telnetd bug
Message-ID: <20010815103807.D47417@sunbay.com>
References: <20010814171150.S61413@wantadilla.lemis.com> <000201c12547$807d8520$1401a8c0@tedm.placo.com> <20010815144453.U49989@wantadilla.lemis.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010815144453.U49989@wantadilla.lemis.com>; from grog@FreeBSD.ORG on Wed, Aug 15, 2001 at 02:44:53PM +0930
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

On Wed, Aug 15, 2001 at 02:44:53PM +0930, Greg Lehey wrote:
[...]
> >  FTP, POP3 and many other commonly used TCP/IP protocols are
> > inherently insecure using this definition.
> 
> Definitely.  In fact, POP is quite a problem because I don't know of
> any well-known secure alternative.  But those are the individual
> protocols, not TCP and IP.  ssh runs over TCP and IP as well, but it's
> secure, at least by this definition.
> 
POP3 (RFC1725) supports the APOP command, which avoids the transmission
of clear-text passwords over an insecure environment.  Also, various
other authentication schemes are supported, see RFC1734 for details.

There are security extensions exist for FTP, see RFC2228 for details.
lukemftpd (currently in contrib/lukemftpd) is going to support these,
AFAIK.


Cheers,
-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message