Date: Thu, 12 Apr 2012 11:00:10 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd-questions@freebsd.org
Subject: Re: FTP oddness, over SSH session.
Message-ID: <4F86A7AA.2040409@infracaninophile.co.uk>
In-Reply-To: <F15CA3E7-AF6A-4077-9092-C7E8E2B4B3FD@esiee.fr>
References: <4F857029.25481.F2968A@dave.g8kbv.demon.co.uk> <201204111454.54957.jmc-freebsd2@milibyte.co.uk> <4F866DE0.14587.F46D1@dave.g8kbv.demon.co.uk> <87obqx2yo5.fsf@Shanna.FStaals.net> <F15CA3E7-AF6A-4077-9092-C7E8E2B4B3FD@esiee.fr>
On 12/04/2012 10:28, Frank Bonnet wrote:
> why not ftp over TLS ? like proftpd or pure-ftpd can do ?

Because it is pretty much impossible to firewall securely. Either you don't encrypt the control channel, or you have to give any firewalls between you and your destination keys to be able to decrypt the traffic (in which case you might just as well not bother encrypting it at all), or you have to open up a whole load of ports to accept incoming traffic ('you' being typically the FTP server admin for PASV mode FTP; otherwise, you'd need to do similarly on the client for active mode FTP).

FTP is fundamentally broken, and simply encasing it in a layer of encryption only exacerbates the fundamental flaws. The FTP protocol is an archaic remnant of some mythical golden age of the internet when you could generally trust anyone else with access to the net[*]. Given what the past 40 years or so have shown us about the realities of global networking, it is high time that it was obsoleted and the world switched to some of the many better alternatives that have since been developed.

* HTTP -- obviously works fine for download. It can support upload too: there's a little-used PUT command, or you can use such things as WEBDAV. Easy to run over TLS by using HTTPS.

* RSYNC -- has an anonymous mode which works fine for generic downloads. For authenticated access it defaults to ssh(1) for all traffic.

* SFTP or SCP -- for those who are unwilling or unable to contemplate using anything other than an FTP client, SFTP will pose as one, while still properly securing all your traffic. SCP is (IMHO) a nicer interface for general day-to-day copying of stuff between machines though.

Cheers,

Matthew

[*] Believe it or not, at one time it was generally accepted that mail servers should be configured as open relays. This was so that if your own mailserver was playing up, you could easily borrow a neighbour's server to send messages. Then spam was invented.

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
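An added illustration of the firewalling point made in the mail above (this is example code, not part of Matthew's message): the piece of an FTP application-level gateway that a stateful firewall runs over the server's control-channel replies to learn which data port to open for a PASV/EPSV transfer. It assumes the server's control-connection address is known (the 192.0.2.x / 198.51.100.x addresses and every reply line are constructed); once the control channel is under TLS the firewall sees only opaque records, derives nothing, and is left with the choices the mail lists.

```python
import re
from typing import List, Optional, Tuple

# RFC 959 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
_PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# RFC 2428 reply: "229 Entering Extended Passive Mode (|||port|)"
_EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(line: str, server_ip: str) -> Optional[Tuple[str, int]]:
    """Return the (ip, port) a firewall ALG would open for the data channel,
    or None if the line is not a usable PASV/EPSV reply.  A PASV reply that
    advertises an address other than the control-connection peer is refused:
    a pinhole towards a third host is exactly what a firewall must not add."""
    m = _PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            return None
        ip, port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
        return (ip, port) if ip == server_ip else None
    m = _EPSV_RE.match(line)
    if m and 1 <= int(m.group(1)) <= 65535:
        return (server_ip, int(m.group(1)))  # EPSV implies the control peer
    return None


def data_pinholes(control_lines: List[str], server_ip: str) -> List[Tuple[str, int]]:
    """Scan server->client control traffic the way a stateful firewall does."""
    holes = []
    for line in control_lines:
        hole = parse_passive_reply(line.rstrip("\r\n"), server_ip)
        if hole:
            holes.append(hole)
    return holes


# Constructed plaintext control channel: the ALG derives both data pinholes
# and refuses the reply that points at a different host.
PLAINTEXT_REPLIES = [
    "220 Service ready\r\n",
    "227 Entering Passive Mode (192,0,2,10,195,80)\r\n",     # 195*256+80 = 50000
    "227 Entering Passive Mode (198,51,100,7,195,81)\r\n",   # third host: refused
    "229 Entering Extended Passive Mode (|||50001|)\r\n",
]
# Constructed view of the same exchange after AUTH TLS: application-data
# records (type 0x17) whose payload the firewall cannot read.
ENCRYPTED_REPLIES = ["\x17\x03\x03\x00\x1fq9~Zc\x8b\x02\x1e", "\x17\x03\x03\x00\x2a\x5d\x12"]

if __name__ == "__main__":
    print(data_pinholes(PLAINTEXT_REPLIES, "192.0.2.10"))   # two pinholes
    print(data_pinholes(ENCRYPTED_REPLIES, "192.0.2.10"))   # []
```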