FTP oddness, over SSH session.

Matthew Seaman m.seaman at infracaninophile.co.uk
Thu Apr 12 10:00:21 UTC 2012


On 12/04/2012 10:28, Frank Bonnet wrote:
> why not ftp over TLS ? like proftpd or pure-ftpd can do ?

Because it is pretty much impossible to firewall securely.  Either you
don't encrypt the control channel or you have to give any firewalls
between you and your destination keys to be able to decrypt the traffic
(in which case you might just as well not bother encrypting it at all)
or you have to open up a whole load of ports to accept incoming traffic
('you' being typically the FTP server admin for PASV mode FTP;
otherwise, you'd need to do similarly on the client for active mode
FTP.)  FTP is fundamentally broken and simply encasing it in a layer of
encryption only exacerbates the fundamental flaws.

The FTP protocol is an archaic remnant of some mythical golden age of
the internet when you could generally trust anyone else with access to
the net[*].  Given what the past 40 years or so have shown us about the
realities of global networking, it is high time that it was obsoleted
and the world switched to some of the many better alternatives that have
since been developed.

   * HTTP -- obviously works fine for download.  It can support upload
     too: there's a little-used PUT command, or you can use such things
     as WebDAV.  Easy to run over TLS by using HTTPS.

   * RSYNC -- has an anonymous mode which works fine for generic
     downloads.  For authenticated access defaults to ssh(1) for all
     traffic.

   * SFTP or SCP -- for those who are unwilling or unable to
     contemplate using anything other than an FTP client, SFTP will
     pose as one, while still properly securing all your traffic.  SCP
     is (IMHO) a nicer interface for general day-to-day copying stuff
     between machines though.

	Cheers,

	Matthew

[*] Believe it or not, at one time it was generally accepted that mail
servers should be configured as open relays.  This was so that if your
own mailserver was playing up, you could easily borrow a neighbour's
server to send messages.  Then spam was invented.

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW
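The firewalling point made above, about PASV-mode FTP and an encrypted control channel, is easy to see in code. The following is an added example, not part of Matthew's post: it does what a stateful firewall's FTP connection-tracking helper does, namely read the 227/229 reply on the control channel to learn the single data port to open for that session, and then shows that once the same reply is TLS ciphertext the helper learns nothing and the whole configured passive range has to stay open. The replies and the TLS bytes are constructed samples, the 50000-50100 passive range is an assumption, and the pf(4) rule text uses placeholder macro names.

```python
import re

# Constructed control-channel replies (sample data, not from the original post).
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,89)\r\n"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50089|)\r\n"
# Constructed stand-in for what the same reply looks like once the control
# channel is wrapped in TLS: a record header followed by opaque ciphertext.
TLS_RECORD = b"\x17\x03\x03\x00\x08" + b"\x9f\xd2\x31\x8c\xee\x07\xb4\xa1"

# Assumed passive port range configured on the FTP server (an assumption for
# this example; the real range is whatever the server admin chose).
PASSIVE_RANGE = (50000, 50100)

_PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
_EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


def passive_endpoint(reply):
    """Parse one control-channel reply the way an FTP connection-tracking
    helper does.  Returns (host, port) for a valid PASV (227) reply,
    (None, port) for EPSV (229; data host is the control peer), or None."""
    m = _PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            return None  # malformed reply; the helper must not act on it
        return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    m = _EPSV_RE.match(reply)
    if m:
        port = int(m.group(1))
        return (None, port) if 0 < port <= 65535 else None
    return None


def data_ports_to_permit(control_bytes, fallback_range=PASSIVE_RANGE):
    """Decide which inbound TCP ports the server-side firewall must allow
    for the data connection, given the bytes seen on the control channel.
    With a readable reply it is exactly one port for this one session;
    with an opaque (TLS) control channel the helper learns nothing and the
    whole configured passive range must be open permanently."""
    try:
        text = control_bytes.decode("ascii")
    except UnicodeDecodeError:
        text = ""  # ciphertext: nothing a helper can parse
    for line in text.split("\r\n"):
        ep = passive_endpoint(line)
        if ep is not None:
            return {ep[1]}
    lo, hi = fallback_range
    return set(range(lo, hi + 1))


def pf_pass_rule(ports, server="$ftp_server", ifname="$ext_if"):
    """Render the pf(4) rule that lets those ports in.  Uses pf's inclusive
    'port lo:hi' range syntax; the macro names are placeholders."""
    lo, hi = min(ports), max(ports)
    spec = str(lo) if lo == hi else f"{lo}:{hi}"
    return f"pass in on {ifname} proto tcp from any to {server} port {spec}"


if __name__ == "__main__":
    for label, data in (("plain", PASV_REPLY.encode()), ("FTPS", TLS_RECORD)):
        ports = data_ports_to_permit(data)
        print(f"{label:5s}: {len(ports)} port(s) -> {pf_pass_rule(ports)}")
```

Run stand-alone it prints one rule for a single port in the plaintext case and a rule for the whole 101-port range in the FTPS case, which is the trade-off the post describes: either the firewall can read the control channel, or a permanent hole the size of the passive range.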
