[BlueOnyx:05730] Re: http://bugs.proftpd.org/show_bug.cgi?id=3521

Jeff Jones jeffrhysjones at mac.com
Tue Nov 9 04:38:00 -05 2010


Thanks guys,

Just one point though - Michael - you seem to have lumped SFTP/FTPS/mod_sftp all into the same bracket - and then refer to FTP over SSL as something else. FTPS *IS* FTP over SSL!

So to clarify:

FTPS = FTP over SSL (Explicit or Implicit)

Just like HTTPS is HTTP over SSL. Uses SSL/TLS & X.509 certs for authentication. Not so firewall friendly (requires 2nd data channel). Not as client compatible as SFTP. Communication can be 'logged' for session diagnostics.

SFTP = SSH File Transfer Protocol. 

Uses SSH keys. No session logging. More client compatible than FTPS

You then go on to say that SFTP / FTPS all send data in the clear - hmm - not sure about that either!

FTPS (FTP over SSL) has both a COMMAND channel (for authentication) and a separate DATA channel - so it is FTPS *not* SFTP which can enable you to encrypt the command / authenticate part of the communication (via AUTH TLS or AUTH SSL commands) and the DATA channel (PROT). So with FTPS you can have COMMAND encrypted and DATA in the clear. 

There is actually a lot to be said for using FTPS with secure COMMAND and unencrypted DATA channel. If you are using high end security scanning equipment - NIDS etc, these devices are unable to 'see' inside encrypted traffic - so someone can upload a virus / trojan no problem at all. By using SSL/TLS for the COMMAND phase only, you keep passwords secure, but can examine and block vulnerable or suspicious content. 

I am still interested to learn more about this mod_sftp module - I'm not sure its behaviour mirrors that of full blown SSH - if it did - I agree there would be no point to run this.

Cheers,

Jeff


On 9 Nov 2010, at 01:40, Michael Stauber wrote:

> Hi Jeff,
> 
>> This is a teeny bit off topic, but how about BX using proftp with mod_sftp?
>> 
>> Using this would mean you get full secure file transfer, plus, unlike using
>> OpenSSL for ssh / sftp, you don't have to worry about giving shell access,
>> jails etc.
>> 
>> Some clear instructions here:
>> 
>> http://www.directadmin.com/forum/showthread.php?t=30607
>> 
>> Any see any reason why this method would not work with BX? How tricky would
>> this be to build in?
> 
> Chuck Tetlow posted a reply which pretty much outlines why we don't do that:
> 
> You'd have to have SSH and/or shell access enabled for the respective 
> accounts, which opens a whole new can of worms security wise.
> 
> There are different methods available for securing FTP. 
> 
> One of them is supported on BlueOnyx out of the box:
> 
> - Secure FTP (SFTP/FTPS/mod_sftp) 	<- NOT SUPPORTED
> 
> - FTP over SSL 						<- SUPPORTED in BlueOnyx (out of the box!)
> 
> 
> 1.) Secure FTP:
> 
> Secure FTP transmits the authentication dialogue between FTP client and server 
> in an encrypted SSH session. However, the actual data transfer is handled 
> through an unencrypted regular FTP session and is submitted "in the clear".
> 
> 2.) "FTP over SSL":
> 
> Opposed to "Secure FTP" the FTP session itself gets encrypted - without 
> sending all the data over a separate SSH connection. Instead the control 
> channel *and* the data-channel of the FTP session are encrypted through SSL or 
> TLS. Even server to server FTP connections (FXP) can be encrypted via SSL/TLS, 
> which is not yet possible with "Secure FTP". Thanks to "FTP over SSL" it is 
> now possible to completely encrypt a passive FTP session. If active FTP is 
> used, then it's possible to use "implicit SSL", which immediately allows the 
> session to start encrypted without first issuing "AUTH SSL" or "AUTH TLS" 
> through an unencrypted plain text command during the startup of the 
> connection. 
> 
> FTP over SSL also works if no SSH connection is allowed or if the FTP user has 
> no shell assigned. The only requirement is that the user is allowed to login 
> by FTP and that he is not suspended.
> 
> FTP clients that support "FTP over SSL":
> 
>    * Cyberduck: (Mac OS X (GPL))
>    * FlashFXP: FTPS client (Win32)
>    * FileZilla: SFTP & FTPS client (GPL) 
>    * FireFTP: Firefox-Extension for FTP and FTPS (since Version 0.96.4) 
>    * lftp: FTPS cli based FTP client (Unix (GPL))
>    * PSFTP: sFTP & FTPS client (Win32)
>    * SmartFTP: sFTP & FTPS client (Win32)
>    * Speed Commander: (Shareware)
>    * Total Commander 
>    * WISE-FTP: sFTP & FTPS Client for Windows
>    * coreFTP: sFTP & FTPS Client for Windows
>    * WinSCP: sFTP & FTPS & SCP Client for Windows (FTPS since version 4.2)
> 
> 
> -- 
> With best regards
> 
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at blueonyx.it
> http://www.blueonyx.it/mailman/listinfo/blueonyx
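
[Editor's note, not part of Jeff's or Michael's posts.] The two FTPS policies discussed above (control and data both encrypted, versus control encrypted and data deliberately left in the clear so a NIDS can inspect uploads) map directly onto ProFTPD's mod_tls TLSRequired directive. The fragment below is an added example, not BlueOnyx's shipped configuration; the certificate and log paths are placeholders, and the TLSProtocol value should be adjusted to whatever the installed mod_tls build accepts.

```apacheconf
<IfModule mod_tls.c>
  TLSEngine                  on
  TLSLog                     /var/log/proftpd/tls.log      # assumed path
  TLSProtocol                TLSv1.2                        # adjust to your mod_tls build
  TLSRSACertificateFile      /etc/pki/tls/certs/ftpd.pem    # assumed path
  TLSRSACertificateKeyFile   /etc/pki/tls/private/ftpd.key  # assumed path

  # Policy 1: everything encrypted. The client must issue AUTH TLS
  # before USER/PASS and PROT P before any transfer. Passwords and
  # file contents are both hidden from the wire, so a NIDS sees nothing.
  TLSRequired                on

  # Policy 2 (Jeff's proposal): require TLS on the control channel so
  # credentials are protected, but forbid TLS on the data channel so
  # PROT P is refused and transfers stay in the clear for inspection.
  # Use instead of "TLSRequired on":
  # TLSRequired              ctrl+!data
</IfModule>
```

With "TLSRequired on" a client that attempts PROT C before a transfer is rejected; with "ctrl+!data" it is PROT P that is rejected, which is the behaviour to verify after the change (the refusal is logged in TLSLog). Note that with either policy the AUTH TLS/PROT exchange itself happens on the encrypted control channel, so an in-line NIDS can only inspect the data connection, not the commands that set it up.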
