[BlueOnyx:05773] Re: http://bugs.proftpd.org/show_bug.cgi?id=3521

Jeff Jones jeffrhysjones at mac.com
Thu Nov 11 07:44:54 -05 2010


Hi all,

Just thought I would clarify some stuff about mod_sftp in order to set the record straight - hopefully it will dispel some myths / confusions about it on this list....

First of all - quick recap:

SFTP = SSH File Transfer Protocol - not supported by BX - works *like* SSH. Single channel for commands and data.
FTPS = FTP over SSL/TLS - supported by BX - works *like* FTP. Two channels, one command, one data.

ProFTP supports BOTH.

For FTPS the mod_tls module is used
For SFTP the mod_sftp module is used

More things I have learnt about mod_sftp:

1) mod_sftp has nothing to do with the SSH/SHELL/SFTP that runs on your BX box via port 22 (default). Yes, it uses the SSH protocol, but that's the only similarity.

2) mod_sftp does NOT give users a shell, nor does it give users access to browse the entire server. It works just like ftp does with proftp.

3) mod_sftp is more firewall friendly than mod_tls - this is because it uses the SSH protocol - command and data run over a single port. mod_tls works like FTP and as such requires two ports to work, a command channel and a data channel, and so is more difficult to NAT and traverse through firewalls. This is more of an SSH vs FTP argument than a mod_sftp vs mod_tls one!

4) mod_sftp is just as client compatible as mod_tls - it uses SSH. Any file transfer client that supports SFTP will work; I'm not sure that is the same for mod_tls?

5) You can (and probably should) change your SSH shell port from 22 to something else for security best practice. This is easy to do in the BX GUI admin. This means you can then run proftp on port 22 no problems. But you can run ProFTP on any port, regardless of whether you are using FTP, FTPS or SFTP! The port argument is a non-issue I think.

6) mod_sftp provides a 100% secure end to end means of transferring data to the server, however, unlike mod_tls, I don't think server to server transfers are supported.

7) mod_sftp uses SSH keys for authentication, mod_tls uses x.509 certs - which (I believe) it is not easily possible to import your own of with BX (I was told this was not possible); you have to use a local self-signed one. However, for non-BX boxes I have been told setting up an x.509 cert for ProFTP is just as easy as setting a cert for Apache. No idea why BX is different here!

8) mod_sftp still enables you to change file ownership via a supporting client after you have uploaded a file (if permitted by proftp configuration) via SETSTAT / FSETSTAT. With mod_tls this is also possible via SITE CHGRP.

9) The recent bug / critical proftp vulnerability did not affect proftp installations running the mod_sftp module. The issue was regarding Telnet commands, which FTP accepts. SSH does not accept Telnet commands.

10) It's possible (via ProFTP mod) to run BOTH ftp on port 21 AND mod_sftp on port 22 at the SAME TIME. Likewise, it's also possible to deny FTP and force mod_sftp.

The whole SFTP vs FTPS argument is well documented on the internet; there is a good item about it here on the proftp site:

http://www.proftpd.org/docs/contrib/mod_sftp.html

Hope this is useful.... personally, it's another 'horses for courses' type argument I guess. For me, I would prefer BX implemented mod_sftp because I believe it to be less prone to vulnerabilities (does not accept Telnet commands), there is less chance of users misconfiguring FTP clients (with mod_tls you have issues with implicit / explicit settings), and with a single port there are fewer ports to open to your server and simpler firewall setups.

(Thanks to TJ for answering my questions about his mod_sftp module!)

Cheers,

Jeff



On 9 Nov 2010, at 01:40, Michael Stauber wrote:

> Hi Jeff,
> 
>> This is a teeny bit off topic, but how about BX using proftp with mod_sftp?
>> 
>> Using this would mean you get full secure file transfer, plus, unlike using
>> OpenSSL for ssh / sftp, you don't have to worry about giving shell access,
>> jails etc.
>> 
>> Some clear instructions here:
>> 
>> http://www.directadmin.com/forum/showthread.php?t=30607
>> 
>> Any see any reason why this method would not work with BX? How tricky would
>> this be to build in?
> 
> Chuck Tetlow posted a reply which pretty much outlines why we don't do that:
> 
> You'd have to have SSH and/or shell access enabled for the respective 
> accounts, which opens a whole new can of worms security wise.
> 
> There are different methods available for securing FTP. 
> 
> One of them is supported on BlueOnyx out of the box:
> 
> - Secure FTP (SFTP/FTPS/mod_sftp)   <- NOT SUPPORTED
> 
> - FTP over SSL                      <- SUPPORTED in BlueOnyx (out of the box!)
> 
> 
> 1.) Secure FTP:
> 
> Secure FTP transmits the authentication dialogue between FTP client and server 
> in an encrypted SSH session. However, the actual data transfer is handled 
> through an unencrypted regular FTP session and is submitted "in the clear".
> 
> 2.) "FTP over SSL":
> 
> As opposed to "Secure FTP", the FTP session itself gets encrypted - without 
> sending all the data over a separate SSH connection. Instead the control 
> channel *and* the data channel of the FTP session are encrypted through SSL or 
> TLS. Even server to server FTP connections (FXP) can be encrypted via SSL/TLS, 
> which is not yet possible with "Secure FTP". Thanks to "FTP over SSL" it is 
> now possible to completely encrypt a passive FTP session. If active FTP is 
> used, then it's possible to use "implicit SSL", which immediately allows 
> starting the session encrypted without first issuing "AUTH SSL" or "AUTH TLS" 
> through an unencrypted plain text command during the startup of the 
> connection. 
> 
> FTP over SSL also works if no SSH connection is allowed or if the FTP user has 
> no shell assigned. The only requirement is that the user is allowed to login 
> by FTP and that he is not suspended.
> 
> FTP clients that support "FTP over SSL":
> 
>    * Cyberduck: (Mac OS X (GPL))
>    * FlashFXP: FTPS client (Win32)
>    * FileZilla: SFTP & FTPS client (GPL) 
>    * FireFTP: Firefox-Extension for FTP and FTPS (since Version 0.96.4) 
>    * lftp: FTPS cli based FTP client (Unix (GPL))
>    * PSFTP: sFTP & FTPS client (Win32)
>    * SmartFTP: sFTP & FTPS client (Win32)
>    * Speed Commander: (Shareware)
>    * Total Commander 
>    * WISE-FTP: sFTP & FTPS Client for Windows
>    * coreFTP: sFTP & FTPS Client for Windows
>    * WinSCP: sFTP & FTPS & SCP Client for Windows (FTPS since version 4.2)
> 
> 
> -- 
> With best regards
> 
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at blueonyx.it
> http://www.blueonyx.it/mailman/listinfo/blueonyx
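The split described in Jeff's points 5 and 10 (FTPS via mod_tls on port 21 and mod_sftp on port 22 at the same time, with sshd moved off port 22 first) written out as a ProFTPD configuration fragment. This is an added example, not taken from the thread, from BlueOnyx or from the ProFTPD project; it assumes both modules are loaded, and the certificate, key and log file paths are placeholders.

```apacheconf
# Added example (not from the thread): ProFTPD serving FTPS on 21 and SFTP on 22.
# Assumes sshd no longer listens on 22; file paths below are placeholders.
ServerType          standalone

<Global>
  DefaultRoot         ~      # every user is chrooted to its home: no server-wide browsing
  RequireValidShell   off    # FTP/SFTP-only accounts need no login shell
  AllowOverwrite      on
</Global>

# Port 21: classic FTP command + data channels, encrypted by mod_tls (explicit FTPS)
Port 21
<IfModule mod_tls.c>
  TLSEngine                 on
  TLSLog                    /var/log/proftpd/tls.log
  TLSProtocol               TLSv1 TLSv1.1 TLSv1.2
  TLSRSACertificateFile     /etc/pki/tls/certs/ftpd.pem     # placeholder
  TLSRSACertificateKeyFile  /etc/pki/tls/private/ftpd.key   # placeholder
  TLSRequired               on      # refuse sessions that never issue AUTH TLS
  TLSOptions                NoSessionReuseRequired
</IfModule>

# Port 22: SSH File Transfer Protocol via mod_sftp, one port for commands and data
<VirtualHost 0.0.0.0>
  Port 22
  <IfModule mod_sftp.c>
    SFTPEngine              on
    SFTPLog                 /var/log/proftpd/sftp.log
    SFTPHostKey             /etc/proftpd/ssh_host_rsa_key   # placeholder host key
    SFTPAuthorizedUserKeys  file:~/.sftp/authorized_keys    # per-user public keys
    SFTPAuthMethods         publickey password              # drop "password" to force keys
  </IfModule>
</VirtualHost>
```

To deny plain/TLS FTP entirely and force SFTP, as point 10 mentions, set the main server's Port to 0 so only the port 22 VirtualHost listens.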