From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd-questions@freebsd.org
Date: Thu, 12 Apr 2012 11:00:10 +0100
Message-ID: <4F86A7AA.2040409@infracaninophile.co.uk>
References: <4F857029.25481.F2968A@dave.g8kbv.demon.co.uk> <201204111454.54957.jmc-freebsd2@milibyte.co.uk> <4F866DE0.14587.F46D1@dave.g8kbv.demon.co.uk> <87obqx2yo5.fsf@Shanna.FStaals.net>
Subject: Re: FTP oddness, over SSH session.
List: freebsd-questions@freebsd.org (User questions)

On 12/04/2012 10:28, Frank Bonnet wrote:
> why not ftp over TLS ? like proftpd or pure-ftpd can do ?

Because it is pretty much impossible to firewall securely. Either you don't encrypt the control channel, or you have to give any firewalls between you and your destination keys to be able to decrypt the traffic (in which case you might just as well not bother encrypting it at all), or you have to open up a whole load of ports to accept incoming traffic ('you' being typically the FTP server admin for PASV mode FTP; otherwise, you'd need to do similarly on the client for active mode FTP).

FTP is fundamentally broken, and simply encasing it in a layer of encryption only exacerbates the fundamental flaws. The FTP protocol is an archaic remnant of some mythical golden age of the internet when you could generally trust anyone else with access to the net[*]. Given what the past 40 years or so have shown us about the realities of global networking, it is high time that it was obsoleted and the world switched to some of the many better alternatives that have since been developed.
* HTTP -- obviously works fine for download. It can support upload too: there's a little-used PUT command, or you can use such things as WebDAV. Easy to run over TLS by using HTTPS.

* RSYNC -- has an anonymous mode which works fine for generic downloads. For authenticated access it defaults to ssh(1) for all traffic.

* SFTP or SCP -- for those who are unwilling or unable to contemplate using anything other than an FTP client, SFTP will pose as one, while still properly securing all your traffic. SCP is (IMHO) a nicer interface for general day-to-day copying of stuff between machines though.

Cheers,

Matthew

[*] Believe it or not, at one time it was generally accepted that mail servers should be configured as open relays. This was so that if your own mailserver was playing up, you could easily borrow a neighbour's server to send messages. Then spam was invented.

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew@infracaninophile.co.uk
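The firewalling problem Matthew describes, as an added example that is not part of the original post or of any FTP server's code: a stateful firewall's FTP helper works by reading the plaintext control channel, parsing the PASV (RFC 959) or EPSV (RFC 2428) reply, and opening exactly the one data-channel port the server announced. Once the control channel is wrapped in TLS (FTPS, after AUTH TLS), the helper sees only opaque TLS records and cannot learn that port, which is why the admin is left with either sharing keys with the firewall or statically opening a whole passive-port range. The control-channel samples below are constructed for this illustration; the helper's name and rule format are hypothetical.

```python
"""What a firewall FTP helper can and cannot learn from the control channel.

Added example, not from the mailing-list post. Sample control-channel
segments are constructed; the rule dict format is an assumption.
"""
import re
from typing import Optional, Tuple

# RFC 959 PASV reply:  227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
_PASV_RE = re.compile(
    r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# RFC 2428 EPSV reply: 229 Entering Extended Passive Mode (|||port|)
_EPSV_RE = re.compile(r"^229 [^(]*\(\|\|\|(\d{1,5})\|\)")


def pasv_endpoint(line: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) announced by a PASV reply, or None if it is not one."""
    m = _PASV_RE.match(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed octet: refuse rather than guess
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def epsv_port(line: str) -> Optional[int]:
    """Return the port announced by an EPSV reply, or None if it is not one."""
    m = _EPSV_RE.match(line)
    if not m:
        return None
    port = int(m.group(1))
    return port if 0 < port <= 65535 else None


def looks_like_tls_record(raw: bytes) -> bool:
    """TLS record header: content type 0x14..0x17, then major version 0x03."""
    return len(raw) >= 3 and raw[0] in (0x14, 0x15, 0x16, 0x17) and raw[1] == 0x03


def data_channel_rule(server_ip: str, raw: bytes) -> dict:
    """Decide what a firewall helper can do with one control-channel segment.

    Plaintext FTP: parse the passive reply and pin-hole that single port.
    FTPS: the segment is a TLS record; without the session keys the helper
    cannot read it, so no rule can be derived (the post's core objection).
    """
    if looks_like_tls_record(raw):
        return {"action": "none",
                "reason": "control channel encrypted (FTPS); data port unknown"}
    try:
        line = raw.decode("ascii").rstrip("\r\n")
    except UnicodeDecodeError:
        return {"action": "none", "reason": "control channel not readable"}

    ep = pasv_endpoint(line)
    if ep:
        host, port = ep
        # Refuse PASV replies pointing at a third host (classic FTP bounce).
        if host != server_ip:
            return {"action": "none",
                    "reason": f"PASV host {host} != server {server_ip}"}
        return {"action": "allow", "proto": "tcp", "dst": host, "dport": port}

    port = epsv_port(line)
    if port:
        return {"action": "allow", "proto": "tcp", "dst": server_ip, "dport": port}
    return {"action": "none", "reason": "no passive-mode reply on this line"}


# Constructed samples: the same server reply in the clear and after AUTH TLS.
PLAINTEXT_PASV = b"227 Entering Passive Mode (192,168,1,10,195,80)\r\n"
PLAINTEXT_EPSV = b"229 Entering Extended Passive Mode (|||50000|)\r\n"
# Constructed TLS application-data record (type 0x17, version 3.3); the
# payload bytes are arbitrary because that is exactly the point: opaque.
FTPS_RECORD = b"\x17\x03\x03\x00\x30" + bytes(range(0x30))

if __name__ == "__main__":
    for label, seg in (("plain PASV", PLAINTEXT_PASV),
                       ("plain EPSV", PLAINTEXT_EPSV),
                       ("FTPS", FTPS_RECORD)):
        print(label, "->", data_channel_rule("192.168.1.10", seg))
```

The helper only ever opens the one port the server announced, and only towards the server that announced it; the FTPS case yields no rule at all, which in practice forces the blanket passive-port range Matthew mentions.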