
Re: FTP-SSL



On Wed, 18 Dec 2002 10:53:45 +0100, <abelmmg@yahoo.es> wrote:

>and I need some ftp-ssl client for windows 2000, is there anyone free ?

I use FileZilla (http://filezilla.sourceforge.net), which is free and
GPL'd, and lean and fast, and has a fairly nice interface.  It does
FTP, SFTP over SSH2, and two kinds of FTP over SSL ("implicit
encryption" and "explicit encryption"). I've used the FTP mode (works
fine), and the SFTP mode to a Debian system running OpenSSH - worked
fine for me and the SFTP user interface it gave me was just like a
regular FTP client session (I couldn't tell the difference).

[I've never even seen an FTP-SSL server, never mind tested against one
- does anyone know any pros & cons versus SFTP ? ]

FileZilla also interfaces with PuTTY if installed, to make use of
PuTTY's keystore for authenticating against the SFTP server - sounds
useful but I didn't try it yet.

As far as the argument about SCP vs SFTP is concerned, I wouldn't know
myself, but PuTTY's helpfile says this :

============================< cut >===============================
If you have an SSH 2 server, you might prefer PSFTP ... for
interactive use. PSFTP does not in general work with SSH 1 servers,
however.

[There is a security problem with the way SCP connections handle
wildcard filenames that is due to] a fundamental insecurity in the
old-style SCP protocol: the client sends the wildcard string (*.c) to
the server, and the server sends back a sequence of file names that
match the wildcard pattern. However, there is nothing to stop the
server sending back a different pattern and writing over one of your
other files: if you request *.c, the server might send back the file
name AUTOEXEC.BAT and install a virus for you. Since the wildcard
matching rules are decided by the server, the client cannot reliably
verify that the filenames sent back match the pattern.

PSCP will attempt to use the newer SFTP protocol (part of SSH 2) where
possible, which does not suffer from this security flaw. If you are
talking to an SSH 2 server which supports SFTP, you will never see
this warning.

If you really need to use a server-side wildcard with an SSH 1 server,
you can use the -unsafe command line option with PSCP:

 [example snipped]

This will suppress the warning message and the file transfer will
happen. However, you should be aware that by using this option you are
giving the server the ability to write to any file in the target
directory, so you should only use this option if you trust the server
administrator not to be malicious (and not to let the server machine
be cracked by malicious people).

[...]

PSFTP, the PuTTY SFTP client, is a tool for transferring files
securely between computers using an SSH connection.

PSFTP differs from PSCP in the following ways:

PSCP should work on virtually every SSH server. PSFTP uses the new
SFTP protocol, which is a feature of SSH 2 only. (PSCP will also use
this protocol if it can, but there is an SSH 1 equivalent it can fall
back to if it cannot.)
============================< cut >===============================

Hope some of that helps :)

Nick Boyce
Bristol, UK
--
Special Relativity: The person in the other queue thinks yours is
moving faster.
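
An added example, not part of the original message and not PuTTY's own code: a sketch of the client-side filename check that the quoted help text says old-style SCP clients lack. It reads the `C`/`D` control records the source side sends and rejects any name that does not match the requested wildcard or that would leave the target directory. The function names and the sample records are constructed for illustration, and the check uses the client's own glob rules, which may differ from the server's.

```python
import fnmatch
import re

# Old-style SCP (rcp) control records sent by the source side:
#   C<mode> <size> <name>   a regular file follows
#   D<mode> 0 <name>        enter a directory (recursive copies only)
CONTROL = re.compile(r"^([CD])([0-7]{4}) (\d+) (.+)$")


def check_name(name, pattern):
    """Return a rejection reason for a server-supplied name, or None if acceptable."""
    if name in ("", ".", "..") or "/" in name or "\\" in name:
        return "name escapes the target directory"
    # Assumption: the client's glob rules stand in for the server's,
    # so a legitimate name may be refused if the two disagree.
    if not fnmatch.fnmatchcase(name, pattern):
        return "name does not match requested pattern"
    return None


def audit_records(records, pattern):
    """Split control records into (accepted names, [(name, reason)] rejected)."""
    accepted, rejected = [], []
    for line in records:
        m = CONTROL.match(line)
        if not m:
            continue  # E, T and other records carry no file name
        kind, _mode, _size, name = m.groups()
        if kind == "D":
            rejected.append((name, "directory sent for a non-recursive request"))
            continue
        reason = check_name(name, pattern)
        if reason:
            rejected.append((name, reason))
        else:
            accepted.append(name)
    return accepted, rejected


# Constructed sample: what a server might send back for a request of *.c
SAMPLE = [
    "C0644 120 main.c",
    "C0644 88 util.c",
    "C0755 4096 AUTOEXEC.BAT",
    "C0644 10 ../x.c",
]

if __name__ == "__main__":
    ok, bad = audit_records(SAMPLE, "*.c")
    print("accepted:", ok)
    for name, reason in bad:
        print("rejected:", name, "-", reason)
```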


