
Re: Watch out! vsftpd anonymous access always enabled!



On Mon, Sep 22, 2003 at 10:18:20PM +0200, Bernd Eckenfels wrote:
> In article <20030922113343.GA3248@forumakad.pl> you wrote:
> > Why do you think there's anything wrong with ftp?
> 
> FTP is a firewall nightmare,
 You think? Firewalls are a nightmare, and the only result of preferring
http-only protocols is what you'll see in the nearest future: 
 Every single new protocol is http and works via port 80/443.
How's that for a firewall nightmare? 
 Now you've got www traffic, file transfer, instant messaging, REMOTE
PROCEDURE CALLS (soap/xml-rpc for example), all going through your precious
firewall. 
 
> it is insecure (plaintext),
 Since when? It's only plaintext if you want it. 
 You can choose/negotiate 'authentication, confidentiality and message
 integrity'.
  You can even change security levels at runtime - encrypt only the authentication
 (cool for transferring non-sensitive bulk data like movies/already
 encrypted backups), encrypt selected files, etc etc.. Check:
  RFC 959 (FTP)
  RFC 2246 (TLS)
  RFC 1579 (Firewall-friendly data exchange)
  RFC 2228 (FTP security extensions)
  ( ftp://ftp.rfc-editor.org/in-notes/rfc2228.txt )
That RFC is from 1997...
Of course there are servers that will let you in only if you present them
with the correct client certificate, and force you to use encryption. 
 The nice thing is that I'm in control: when I need to transfer something big off
the 486, I can choose to encrypt only the authentication if the data is not
sensitive. 

> the more advanced
> features are not standardized.
 Nooo? Which 'advanced features'?
Although you've got a point - there are way too many standards and advanced
features in FTP. There are some ~two decade old RFCs that describe how FTP
is supposed to enable starting jobs on mainframes. 
 And this 'advanced feature' is disabled on most FTP servers I've seen.

Which other transfer method is better standardized? SFTP?
Which SFTP? SFTP from RFC 913 from 1984?


> Even parsing the directory output is terror to
> the programmer.
 I found the ftp protocol trivial to implement for a programmer. Show me a transfer
method that is easier to implement.

greetings,
-- 
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9
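An added example, not from the original post or from any FTP server's own code: a Python client built on the standard library's ftplib.FTP_TLS that applies the RFC 2228 negotiation described above, always wrapping the login in AUTH TLS and then choosing PROT P or PROT C per file. The host name, credentials, file paths and the suffix-based sensitivity rules are assumptions for illustration.

```python
# Added example, not part of the original post. Uses the RFC 2228 / RFC 4217
# FTP security extensions through Python's stdlib ftplib.FTP_TLS: the login is
# always protected by AUTH TLS, and the data-channel protection level is chosen
# per file, PROT P (private) for sensitive data and PROT C (clear) for bulk data
# that is not sensitive or is already encrypted. The suffix rules, host name,
# credentials and file paths below are assumptions for illustration only.
import os
import ssl
from ftplib import FTP_TLS

SENSITIVE_SUFFIXES = (".key", ".pem", ".sql", ".csv")   # assumed policy
PRE_ENCRYPTED_SUFFIXES = (".gpg", ".age")               # assumed policy


def prot_level(path: str) -> str:
    """Return the RFC 2228 PROT level to use for one file: 'P' or 'C'."""
    name = path.lower()
    if name.endswith(PRE_ENCRYPTED_SUFFIXES):
        return "C"          # already encrypted at rest, no need to encrypt twice
    if name.endswith(SENSITIVE_SUFFIXES):
        return "P"
    return "C"


def make_context(ca_file=None, client_cert=None, client_key=None):
    """TLS context that verifies the server, requires TLS 1.2 or newer and can
    present a client certificate for servers that only admit certificate holders."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def fetch(host, user, password, remote_paths, ctx, out_dir="."):
    """Download files, negotiating the data-channel protection per file."""
    with FTP_TLS(host, context=ctx) as ftp:
        ftp.login(user, password)   # FTP_TLS sends AUTH TLS first: credentials are encrypted
        levels = {}
        for path in remote_paths:
            level = prot_level(path)
            ftp.prot_p() if level == "P" else ftp.prot_c()   # PBSZ 0 + PROT P, or PROT C
            local = os.path.join(out_dir, os.path.basename(path))
            with open(local, "wb") as fh:
                ftp.retrbinary("RETR " + path, fh.write)
            levels[path] = level
        return levels


if __name__ == "__main__":   # assumed host, certificate files and paths
    ctx = make_context(client_cert="client.pem", client_key="client.key")
    print(fetch("ftp.example.test", "user", "secret",
                ["pub/movie.mkv", "backups/db.sql", "backups/full.tar.gpg"], ctx))
```

A file sent with PROT C keeps only the control channel protected, so the server's file listing and commands are encrypted while that one data stream is not; switch back to PROT P before any transfer that needs confidentiality.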