From: Matthew Seaman
Date: Thu, 05 Jan 2012 13:38:29 +0000
To: freebsd-stable@freebsd.org
Subject: Re: FTPS Server?
Message-ID: <4F05A7D5.8000403@infracaninophile.co.uk>
In-Reply-To: <4F059BEA.3000508@denninger.net>

On 05/01/2012 12:47, Karl Denninger wrote:
> Not SFTP (which is supported by the sshd) but FTPS.... is it supported
> by FreeBSD?

No, not supported in the base system.

> This question may belong on the ports list, but a quick perusal there
> didn't find anything particularly interesting (one possible candidate is
> marked broken)

Several of the ftp daemons in the ports should be capable of running
FTPS. 10 seconds with Google turns up HOWTOs for setting up either
vsftpd or proftpd to provide FTPS support.

However, personally, I'd avoid FTPS. It suffers from most of the design
flaws of standard FTP[*], particularly as regards passing through
firewalls. Worse, because the traffic is encrypted, you can't even use
tools like ftp-proxy (in ports as ftp/ftp-proxy) to extract transient
port numbers by deep packet inspection.

As far as your users are concerned, just use SFTP. It behaves exactly
like an ordinary FTP client, but the underlying SSH protocol over the
network is way, way better designed.

Cheers,

Matthew

[*] Miserable, archaic and long overdue to be put out of our misery.

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew@infracaninophile.co.uk
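
The point about ftp-proxy in the message above, as an added example (not part of the original message and not ftp-proxy's own code): a minimal inspector that reads data-connection endpoints off a plain FTP control channel and learns nothing once AUTH TLS is accepted. The transcripts, host name and addresses are constructed, and inspect_control is a hypothetical helper.

```python
import re

# Data-connection announcements an inspecting proxy reads off the control
# channel: RFC 959 PORT / 227 PASV replies and RFC 2428 229 EPSV replies.
HOSTPORT = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"
PASV_RE = re.compile(r"^227 .*\(" + HOSTPORT + r"\)")
PORT_RE = re.compile(r"^PORT " + HOSTPORT + r"\s*$", re.IGNORECASE)
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")

def _hostport(groups):
    """Convert h1,h2,h3,h4,p1,p2 into (ip, port); port = p1*256 + p2."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def inspect_control(lines, server_ip):
    """Return (endpoints, opaque): data endpoints an on-path inspector can
    see, and how many later control messages it could not read."""
    endpoints, auth_pending = [], False
    for i, (sender, text) in enumerate(lines):
        if sender == "C" and text.upper().startswith("AUTH TLS"):
            auth_pending = True
        elif sender == "S" and auth_pending and text.startswith("234"):
            # RFC 4217: the TLS handshake follows; the rest is ciphertext.
            return endpoints, len(lines) - i - 1
        elif sender == "S" and (m := PASV_RE.match(text)):
            endpoints.append(("passive",) + _hostport(m.groups()))
        elif sender == "S" and (m := EPSV_RE.match(text)):
            endpoints.append(("passive", server_ip, int(m.group(1))))
        elif sender == "C" and (m := PORT_RE.match(text)):
            endpoints.append(("active",) + _hostport(m.groups()))
        elif sender == "S":
            auth_pending = False  # any other reply: AUTH was refused
    return endpoints, 0

# Constructed transcripts as (sender, line); documentation address ranges.
PLAIN_FTP = [
    ("S", "220 ftp.example.org ready"), ("C", "USER demo"),
    ("S", "230 Logged in"), ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,195,80)"),
    ("C", "EPSV"),
    ("S", "229 Entering Extended Passive Mode (|||50001|)"),
]
FTPS = [
    ("S", "220 ftp.example.org ready"), ("C", "AUTH TLS"),
    ("S", "234 Proceed with negotiation"),
    ("C", "<TLS record>"), ("S", "<TLS record>"),  # login, PASV and the
    ("C", "<TLS record>"), ("S", "<TLS record>"),  # 227 reply are in here
]
```

On the plain transcript the inspector recovers both passive ports; on the FTPS transcript it recovers none, so a firewall helper has no port to open.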