[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: RFC2228-only FTP ?

I wrote:
>>All they know is someone sold them
>> a "secure FTP program" and they can't understand why I want them
>> to dump it and use the known-to-be-broken WinSCP instead.

Alex replied:
>Whats broken in winscp?  Its working fine for about 400 clients here

I don't have any MS-Windows boxes to test it with, so this
is all second hand.
My users complain about WinSCP all the time.  The #1 issue is
it seems to come up with weird file permission defaults.
Mostly they are uploading HTML files to a Web server, and
it turns off other-read permission.  Or it turns off
other-execute on directories, so the Web server can't see
inside them.

There was an issue with WinSCP not really using SSH2's SFTP,
but simulating it with some kind of shell stuff.  So your users
need a shell or they can't use it.  I'd like to give some
of them /bin/true and just let them upload files but not
run any commands.  I see that has been fixed in WinSCP3.

But the biggest reason people want to use FTP-with-extensions
is it is built into Dreamweaver and Go Live and Front Page,
and those industry standard programs don't seem to
support SSH2/SFTP.  Probably for ideological or monopoly
enforcement reasons, but that doesn't matter.

I don't want to argue with my users about what software they
use on their client boxes.  They all know Microsoft sucks and
they are planning on getting off it someday.  But meanwhile
they are all very busy and just want to use the same tools
they can use with commercial Web hosting companies.
If I tell them Debian can't support FTP-with-extensions,
they will conclude that Debian is inferior to commercial
hosting environements.  I have lost about 5% of my users over this,
they do not want to use SSH, they want to use integrated
Web-authoring software with built in "publish" features that
use FTP or DAV.  But many of them are on cable modem so I have to
prevent them from using FTP with clear text passwords.

The fact is that FTP with security extensions is the
defacto standard way of solving the clear text password
exposure problem in the commercial Web hosting world.
Millions of people use it.  SSH2/SFTP may be technologically
superior, but it is not what most places use.  If you go to
Barns and Noble or some other large bookstore you will find
dozens and dozens of beginners' books about Web authoring.
They all describe the process of uploading files through
FTP or DAV.  Hardly any of them mention SSH2/SFTP at all.


Reply to: