[BlueOnyx:05729] Re: http://bugs.proftpd.org/show_bug.cgi?id=3521

Michael Stauber mstauber at blueonyx.it
Mon Nov 8 20:40:36 -05 2010


Hi Jeff,

> This is a teeny bit off topic, but how about BX using proftp with mod_sftp?
> 
> Using this would mean you get full secure file transfer, plus, unlike using
> OpenSSL for ssh / sftp, you don't have to worry about giving shell access,
> jails etc.
> 
> Some clear instructions here:
> 
> http://www.directadmin.com/forum/showthread.php?t=30607
> 
> Any see any reason why this method would not work with BX? How tricky would
> this be to build in?

Chuck Tetlow posted a reply which pretty much outlines why we don't do that:

You'd have to have SSH and/or shell access enabled for the respective 
accounts, which opens a whole new can of worms security-wise.

There are different methods available for securing FTP. 

One of them is supported on BlueOnyx out of the box:

- Secure FTP (SFTP/FTPS/mod_sftp)    <- NOT SUPPORTED

- FTP over SSL                       <- SUPPORTED in BlueOnyx (out of the box!)


1.) Secure FTP:

Secure FTP transmits the authentication dialogue between FTP client and server 
in an encrypted SSH session. However, the actual data transfer is handled 
through an unencrypted regular FTP session and is submitted "in the clear".

2.) "FTP over SSL":

As opposed to "Secure FTP", the FTP session itself gets encrypted - without 
sending all the data over a separate SSH connection. Instead the control 
channel *and* the data channel of the FTP session are encrypted through SSL or 
TLS. Even server to server FTP connections (FXP) can be encrypted via SSL/TLS, 
which is not yet possible with "Secure FTP". Thanks to "FTP over SSL" it is 
now possible to completely encrypt a passive FTP session. If active FTP is 
used, then it's possible to use "implicit SSL", which allows the session to 
start encrypted immediately, without first issuing "AUTH SSL" or "AUTH TLS" 
as an unencrypted plain text command during the startup of the 
connection.

FTP over SSL also works if no SSH connection is allowed or if the FTP user has 
no shell assigned. The only requirement is that the user is allowed to login 
by FTP and that he is not suspended.

FTP clients that support "FTP over SSL":

    * Cyberduck: (Mac OS X (GPL))
    * FlashFXP: FTPS client (Win32)
    * FileZilla: SFTP & FTPS client (GPL) 
    * FireFTP: Firefox-Extension for FTP and FTPS (since Version 0.96.4) 
    * lftp: FTPS cli based FTP client (Unix (GPL))
    * PSFTP: sFTP & FTPS client (Win32)
    * SmartFTP: sFTP & FTPS client (Win32)
    * Speed Commander: (Shareware)
    * Total Commander 
    * WISE-FTP: sFTP & FTPS Client for Windows
    * coreFTP: sFTP & FTPS Client for Windows
    * WinSCP: sFTP & FTPS & SCP Client for Windows (FTPS since version 4.2)


-- 
With best regards

Michael Stauber



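As an added illustration of the two "FTP over SSL" variants described in the message (explicit `AUTH TLS` on the plain control connection followed by `PROT P` for the data channel, versus implicit TLS where the socket is wrapped before the first FTP byte), here is a small client written with Python's standard `ftplib`. It is not code from the BlueOnyx list, from ProFTPD or from the linked DirectAdmin thread; the hostname, port and credentials are placeholders, and the TLS policy in `make_tls_context()` (certificate and hostname verification, TLS 1.2 minimum) is an assumed client-side choice, not a ProFTPD default.

```python
"""Explicit and implicit FTPS client sessions with Python's ftplib.

Added example for the "FTP over SSL" explanation above; it is not code from
the BlueOnyx list or from ProFTPD. Hostnames, port and credentials are
placeholders (assumptions), so nothing here is run against a real server.
"""
import ftplib
import socket
import ssl


def make_tls_context() -> ssl.SSLContext:
    """Client-side TLS policy (assumed): verify the server certificate and its
    hostname, and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def explicit_ftps_listing(host, user, password, port=21):
    """Explicit FTPS: the 220 banner and the AUTH command travel in clear text,
    then the control channel is upgraded to TLS, then PROT P makes every
    (passive) data connection TLS as well."""
    ftp = ftplib.FTP_TLS(context=make_tls_context())
    ftp.connect(host, port)      # clear-text 220 banner
    ftp.auth()                   # sends "AUTH TLS" and wraps the control socket
    ftp.login(user, password)    # credentials now cross the wire encrypted
    ftp.prot_p()                 # "PBSZ 0" + "PROT P": encrypt data connections
    try:
        return ftp.nlst()        # directory listing over the TLS data channel
    finally:
        ftp.quit()


class ImplicitFTPS(ftplib.FTP_TLS):
    """Implicit FTPS (conventionally port 990): the TCP connection is wrapped
    in TLS before any FTP command, so no clear-text AUTH is ever issued.
    ftplib has no built-in implicit mode, so connect() is overridden."""

    def connect(self, host="", port=990, timeout=-999, source_address=None):
        if host:
            self.host = host
        if port > 0:
            self.port = port
        if timeout != -999:
            self.timeout = timeout
        raw = socket.create_connection((self.host, self.port),
                                       self.timeout, source_address)
        # Wrap first, speak FTP second: this is what "implicit" means.
        self.sock = self.context.wrap_socket(raw, server_hostname=self.host)
        self.af = self.sock.family
        self.file = self.sock.makefile("r", encoding=self.encoding)
        self.welcome = self.getresp()   # the 220 banner arrives encrypted
        return self.welcome


def implicit_ftps_listing(host, user, password, port=990):
    """Same listing over implicit FTPS. FTP_TLS.login() skips AUTH because the
    control socket is already an SSLSocket; PROT P is still needed for data."""
    ftp = ImplicitFTPS(context=make_tls_context())
    ftp.connect(host, port)
    ftp.login(user, password)
    ftp.prot_p()
    try:
        return ftp.nlst()
    finally:
        ftp.quit()


if __name__ == "__main__":
    # Placeholder server and credentials (assumptions); replace to try it.
    print(explicit_ftps_listing("ftps.example.invalid", "user", "secret"))
```

The point the message makes is visible in the explicit flow: everything up to and including `AUTH TLS` is plain text, and without the `prot_p()` call only the control channel would be encrypted while listings and file contents would still go over a clear data connection. The `ImplicitFTPS` subclass shows the alternative the message calls "implicit SSL", where there is no plain-text phase at all.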