Looking for a secure ftp sw

Ed Wilts ewilts at ewilts.org
Mon Mar 14 12:42:28 UTC 2005


On Mon, Mar 14, 2005 at 11:42:07AM +0100, Padiyath Sreekumaran wrote:
> 
>    At present we are using ProFTPD on our ftp server.
>    On this server we have anonymous ftp access as well
>    as access to predefined project users (via projectname/password).
>    These people also access via ftp. Our security person likes to have
>    sftp instead of ftp access to these project accounts. I have NOT
> configured this server.
>    I would like to know the following:
> 
>    Is it possible to use anonymous ftp as well as sftp
>    access to the same ftp server? If so, how does one have to
>    configure the FTP server?

sftp and ftp are totally different servers and are not related to each
other at all.  sftp isn't a secure version of ftp - it's simply an ssh
server that emulates some ftp commands.

>    Is there a better FTP SW(more secure) than ProFTPD for server usage?

All FTP servers basically have the same issue - the data and control
traffic are in plain text, and that's your security person's concern.  
ProFTPd (and others) support TLS which provides an encryption layer
inside of the FTP server.  In some cases these work fairly well.  In
other cases, they don't work at all because of the restrictions in the
FTP protocol.  Search for TLS on the proftpd.org site.  For example, see
http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html

Sftp has its own set of limitations.  For example, Red Hat does not
currently offer an sftp server that allows you to configure any sort of
restrictions at all.  Given sftp access to the server, your customers
could easily turn your system into an instant pirate site by using /tmp
as a transfer location.  They could retrieve all of your pam
configuration files to see if you disable accounts after a predetermined
number of failed logins.  They could then retrieve /etc/passwd and issue
a complete denial of service on your system by disabling all of your
accounts.  It's limitations like this that actually make ftp *more*
secure than sftp in many environments even with the unencrypted traffic.

You may want to consider using gpg to encrypt your data traffic.  Your
username/password information still flows in plain text, but the data is
encrypted.  You still have the powerful configuration directives in
ProFTPd.
 
>    We are using RedHat as OS on the FTP server.

Red Hat is a company, not an OS.  There are many versions of their
distributions and you can look at /etc/redhat-release to see which one
you are running.  In this case, however, the specific version doesn't
matter.

-- 
Ed Wilts, RHCE
Mounds View, MN, USA
mailto:ewilts at ewilts.org
Member #1, Red Hat Community Ambassador Program
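A minimal illustration of the mod_tls setup Ed points to, added here as an example and not taken from the thread or from the HOWTO he links; the certificate paths and the passive port range are assumed placeholders, and the exact directives should be checked against the ProFTPD version actually installed:

```apache
# Added example, not from the original thread: a mod_tls stanza for
# ProFTPD that refuses plaintext logins from project users.
<IfModule mod_tls.c>
    TLSEngine                 on
    TLSLog                    /var/log/proftpd/tls.log

    # Weak: "TLSRequired off" lets a client fall back to sending
    # USER/PASS and file data in the clear.
    # Corrected: require TLS on both the control and the data channel.
    TLSRequired               on

    # Placeholder paths; the server presents this certificate to clients.
    TLSRSACertificateFile     /etc/pki/tls/certs/ftp.example.org.crt
    TLSRSACertificateKeyFile  /etc/pki/tls/private/ftp.example.org.key

    # Only the server is authenticated; no client certificates demanded.
    TLSVerifyClient           off
    TLSOptions                NoCertRequest
</IfModule>

# Caveat (the "restrictions in the FTP protocol" Ed mentions): once the
# control channel is encrypted, NAT devices and firewall FTP helpers can
# no longer read PASV replies, so passive data connections need a fixed
# port range that is opened explicitly. Assumed range:
PassivePorts                  49152 65534
```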