Date: Thu, 4 Dec 1997 10:27:52 -0500 (EST)
From: Robert Watson <robert@cyrus.watson.org>
To: Adam Shostack <adam@homeport.org>
Cc: security@FreeBSD.ORG
Subject: Re: Possible problem with ftpd 6.00
Message-ID: <Pine.BSF.3.96.971204102221.427H-100000@cyrus.watson.org>
In-Reply-To: <199712041054.FAA20091@homeport.org>
On Thu, 4 Dec 1997, Adam Shostack wrote:

> Nolo contendere.
>
> I've long argued that FTP is brain dead and should be
> replaced. It has a host of misfeatures (the TCP connection back to
> the client causes uncountable headache for firewall builders, the site
> exec mechanism is just not a good idea, etc).
>
> So please don't read it as a serious suggestion that we change
> the FTP daemon to fix this problem, but as an appeal to not design
> protocols that ask for ID for anonymous connection.

I think there is a general trend, given SASL, etc, for servers to not be
able to accept more information during an Anonymous authentication.
However, it is interesting to note that Pine, when making an Anonymous
IMAP4 connection, still requires a password from the user. It doesn't
matter what you enter, but it still seems to want it. (Perhaps this is a
function of the CMU Cyrus server, in which case I should go thwack someone
here.)

Given that an increasing number of FTP clients are now Web Browsers doing
anonymous FTP, I think the problem that you point out may be diminishing
in effect. A number of GUI clients now just have username/password
fields, or a checkbox to make the connection anonymous, in which case it
disables those fields. Sounds like a good idea to me. Similarly, ncftp
performs an automatic anonymous login unless you specify otherwise. On
the other hand, the normal ftp client I would rather not touch in this
manner :).

Robert N Watson
Carnegie Mellon University http://www.cmu.edu/
SafePort Network Services http://www.safeport.com/
robert@fledge.watson.org http://www.watson.org/~robert/