From owner-freebsd-stable@FreeBSD.ORG Thu Jan 5 14:09:45 2012
Return-Path:
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1F615106564A for ; Thu, 5 Jan 2012 14:09:45 +0000 (UTC) (envelope-from karl@denninger.net)
Received: from FS.denninger.net (wsip-70-169-168-7.pn.at.cox.net [70.169.168.7]) by mx1.freebsd.org (Postfix) with ESMTP id BA4598FC1D for ; Thu, 5 Jan 2012 14:09:44 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1]) by FS.denninger.net (8.14.4/8.13.1) with ESMTP id q05E9iKv047126 for ; Thu, 5 Jan 2012 08:09:44 -0600 (CST) (envelope-from karl@denninger.net)
Received: from [127.0.0.1] [192.168.1.40] by Spamblock-sys (LOCAL); Thu Jan 5 08:09:44 2012
Message-ID: <4F05AF28.5010900@denninger.net>
Date: Thu, 05 Jan 2012 08:09:44 -0600
From: Karl Denninger
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20111105 Thunderbird/8.0
MIME-Version: 1.0
To: Matthew Seaman
References: <4F059BEA.3000508@denninger.net> <4F05A7D5.8000403@infracaninophile.co.uk>
In-Reply-To: <4F05A7D5.8000403@infracaninophile.co.uk>
X-Enigmail-Version: 1.3.4
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Antivirus: avast! (VPS 120105-0, 01/05/2012), Outbound message
X-Antivirus-Status: Clean
Cc: freebsd-stable@freebsd.org
Subject: Re: FTPS Server?
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 05 Jan 2012 14:09:45 -0000

On 1/5/2012 7:38 AM, Matthew Seaman wrote:
> On 05/01/2012 12:47, Karl Denninger wrote:
>> Not SFTP (which is supported by the sshd) but FTPS.... is it supported
>> by FreeBSD?
> No, not supported in the base system.
>
>> This question may belong on the ports list, but a quick perusal there
>> didn't find anything particularly interesting (one possible candidate is
>> marked broken)
> Several of the ftp daemons in the ports should be capable of running
> FTPS. 10 seconds with Google turns up HOWTOs for setting up either
> vsftpd or proftpd to provide FTPS support.
>
> However, personally, I'd avoid FTPS. It suffers from most of the design
> flaws of standard FTP[*], particularly as regards passing through
> firewalls. Worse, because the traffic is encrypted, you can't even use
> tools like ftp-proxy (in ports as ftp/ftp-proxy) to extract transient
> port numbers by deep packet inspection. As far as your users are
> concerned, just use SFTP. It behaves exactly like an ordinary FTP
> client, but the underlying SSH protocol over the network is way, way
> better designed.
>
> Cheers,
>
> Matthew
>
> [*] Miserable, archaic and long overdue to be put out of our misery.

Yes, I understand all the arguments against, but I have an EyeFi card here (SD card with a built-in Wifi transmitter for use in cameras) that does not know how to deal with SFTP. So if I want to do anything other than transfer to a Windows machine (barf!) I am stuck with either FTP (no encryption at all and subject to be picked off via trivial means while the data is in flight) or FTPS (which has its own set of issues.)

The ability to immediately get images shot in the field out of the camera and onto stable storage via a Wifi hotspot running on the phone in my pocket looks really good, but I'll be damned if I'm going to base that on a Windows machine.

I understand that ftps bites but....

--
Karl
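The firewall point Matthew makes in the quoted reply (a helper such as ftp-proxy can only learn the data-channel port by reading the PASV/EPSV replies on the control channel, and FTPS encrypts that channel) is illustrated by the following added Python example. It is not code from this thread, from FreeBSD or from ftp-proxy. The sample control-channel bytes are constructed, the TLS check is a minimal record-header heuristic, and the firewall_decision policy (open the announced port when the reply is readable, otherwise fall back to a statically pinned passive port range the operator configured on the server) is an assumption about how a defender would handle the encrypted case, not a description of any particular firewall.

```python
import re
from typing import Optional, Tuple

# Constructed sample control-channel traffic.
# The two plaintext lines are the shape of replies an FTP server sends
# after PASV and EPSV; the third is a constructed, truncated TLS record
# header (0x16 = handshake, version 3.3) standing in for an FTPS control
# channel after AUTH TLS, where the reply is no longer readable.
PLAIN_PASV = b"227 Entering Passive Mode (192,0,2,10,195,89).\r\n"
PLAIN_EPSV = b"229 Entering Extended Passive Mode (|||50001|).\r\n"
TLS_CONTROL = bytes.fromhex("16030300a1010000")

# RFC 959 PASV reply: four address octets, then the port as p1*256 + p2.
PASV_RE = re.compile(rb"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# RFC 2428 EPSV reply: only the port, host is that of the control connection.
EPSV_RE = re.compile(rb"229 .*?\(\|\|\|(\d+)\|\)")


def looks_like_tls(data: bytes) -> bool:
    """Heuristic: a TLS record starts with a content type 0x14-0x17
    followed by a 0x03 0x0x protocol version. Good enough to tell an
    encrypted FTPS control channel from a plaintext FTP one."""
    return (
        len(data) >= 3
        and 0x14 <= data[0] <= 0x17
        and data[1] == 0x03
        and data[2] in (0x00, 0x01, 0x02, 0x03, 0x04)
    )


def extract_data_port(control_bytes: bytes) -> Optional[Tuple[Optional[str], int]]:
    """What an ftp-proxy-style inspector does: read the server's passive
    reply off the control channel and return (host, port) of the data
    connection the client is about to open. Returns None when the channel
    is encrypted (FTPS) or carries no passive reply."""
    if looks_like_tls(control_bytes):
        return None  # nothing to inspect: the reply is inside a TLS record
    m = PASV_RE.search(control_bytes)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    m = EPSV_RE.search(control_bytes)
    if m:
        return (None, int(m.group(1)))
    return None


def firewall_decision(
    control_bytes: bytes,
    pinned_range: Optional[Tuple[int, int]] = None,
) -> Tuple[str, object]:
    """Assumed operator policy for the data channel:
    - plaintext FTP: open exactly the one port the server announced;
    - FTPS with a pinned passive range on the server: open that whole
      range statically, since the proxy cannot read the announcement;
    - FTPS without a pinned range: the data connection is blocked."""
    announced = extract_data_port(control_bytes)
    if announced is not None:
        return ("open-dynamic", announced[1])
    if pinned_range is not None:
        return ("open-range", pinned_range)
    return ("blocked", None)


if __name__ == "__main__":
    for label, sample in (("FTP PASV", PLAIN_PASV), ("FTP EPSV", PLAIN_EPSV), ("FTPS", TLS_CONTROL)):
        print(label, extract_data_port(sample), firewall_decision(sample, (50000, 50100)))
```

The practical consequence for anyone who must run FTPS anyway, as Karl must for his camera card, is the third branch: because the announced port cannot be recovered from the wire, the server's passive port range has to be pinned to a small block and that block opened on the firewall up front, which is a wider static exposure than the single transient port a plaintext helper would open.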