
RFC2228-only FTP ?



I shut off FTP access in January and lost about 10% of my
Web-hosting users.  It seems almost all of them 
are on MS-Windows, and they have ongoing problems with
their SSH/SFTP clients WinSCP[23] and psftp.exe.
I don't want to bring back plain-old FTP because of
the clear text password problem.
But most of these people have commercial Windoze FTP clients
that support some flavor of RFC2228 FTP security extensions.
Of course, they are "not technical" and do not know which
extensions they can use.  All they know is someone sold them
a "secure FTP program" and they can't understand why I want them
to dump it and use the known-to-be-broken WinSCP instead.

Is there an FTP server in woody that I can configure to
refuse plain-old FTP but allow those clients who do
an FTP AUTH before an FTP PASS?  That is, I want to hang
up on FTP clients that don't offer AUTH before they expose
a password.  Then I want to authorize those FTP users
whose clients know how to do the de facto standard
encrypted login.  I'm not concerned about man-in-the-middle
attacks; I just want to defeat eavesdroppers observing
clear text passwords.

Has anyone here done it?  What did you use?


TIA

Cameron
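
The policy requested above (hang up on any client that tries to log in before AUTH), as an added example that is not part of the original post and not code from any FTP server. The names `gate`, `ALLOWED_MECHS` and `SESSIONS`, the sample sessions, and the treatment of a 234 reply as a completed security exchange are assumptions made for illustration.

```python
# Added example: AUTH-before-login policy replayed over client command lines.
ALLOWED_MECHS = {"TLS", "SSL"}  # assumption: mechanisms this site accepts

def gate(lines):
    """Return (verdict, replies) for one control-channel session."""
    secured = False
    user_seen = False
    replies = []
    for raw in lines:
        verb, _, arg = raw.strip().partition(" ")
        verb = verb.upper()
        if verb == "AUTH":
            if arg.strip().upper() in ALLOWED_MECHS:
                replies.append("234 security exchange accepted")
                secured = True  # assumption: the handshake then succeeds
            else:
                replies.append("504 mechanism not understood")
        elif verb == "QUIT":
            replies.append("221 goodbye")
            return "quit", replies
        elif verb in ("USER", "PASS") and not secured:
            # Refuse at USER already: a client waits for 331 before it
            # sends PASS, so the password never crosses the wire.
            replies.append("421 AUTH required before login, closing connection")
            return "hang_up", replies
        elif verb == "USER":
            user_seen = True
            replies.append("331 password required")
        elif verb == "PASS" and user_seen:
            replies.append("230 logged in")
            return "login_protected", replies
        else:
            replies.append("530 not logged in")
    return "incomplete", replies

# Constructed sample sessions (client commands only, not captured traffic).
SESSIONS = {
    "rfc2228-client": ["AUTH TLS", "USER alice", "PASS example-pw"],
    "plain-client": ["USER alice", "PASS example-pw"],
    "unknown-mech": ["AUTH FOO", "USER alice"],
}

if __name__ == "__main__":
    for name, cmds in SESSIONS.items():
        verdict, replies = gate(cmds)
        print(f"{name:15} {verdict:16} last reply: {replies[-1]}")
```
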



