Unix Technical Forum

vsftpd and iptables

This is a discussion on vsftpd and iptables within the Linux Operating System forums, part of the Unix Operating Systems category.

#11
01-18-2008, 06:22 PM
Nico Kadel-Garcia
Re: vsftpd and iptables


"Menno Duursma" <menno@desktop.lan> wrote in message
news:pan.2006.03.10.13.37.44.889430@desktop.lan...
> On Fri, 10 Mar 2006 07:21:41 -0500, Nico Kadel-Garcia wrote:
>> Menno Duursma wrote:
>>> On Thu, 09 Mar 2006 18:35:06 +0000, Bill Davidsen wrote:
>>>> Nico Kadel-Garcia wrote:
>>>
>>>>> I'd actually move away from FTP to HTTPS for authenticated
>>>>> downloads,
>
> This you can do either way.
>
>>>>> and WebDAV over HTTPS for uploads. It's a lot easier to configure for
>>>>> firewalls for various reasons, and there's little chance of having
>>>>> your traffic sniffed as there is with FTP,
>>>
>>> Why then, not just enable FTPS instead?
>>
>> Because there is none.
>
> http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html
>
> (Note if you want Vsftpd supporting port 990 control / 989 data as well,
> just configure 'stunnel' for it. However very few clients can use that
> anyway so you probably don't have to support it.)
>
>> Seriously: there are easily half-a-dozen different protocols, each
>> called "sftp"
>
> Which is an FTP-like-commands-accepting proxy to scp, which in turn is
> just rcp over ssh... Neither Vsftpd, Proftpd, nor Pureftpd do this.
>
>> or "ftps",
>
> And this is what I'd suggest the OP enable (the firewall need only allow
> incoming on port 21 and outgoing on port 20 plus the passive port range.)
>
>> and many of which have their own adventures in security (such as the
>> OpenSSH sftp failing to keep the users in a chroot cage and allowing
>> access to system files outside the target directory),
>
> "It should not be confused with SSH file transfer protocol":
> http://en.wikipedia.org/wiki/FTPS
>
>> clients that don't support it the particular way you mention, etc., etc.
>
> Well I've had some users complain how WebDAV, and WinSCP and pretty much
> anything but the FTP client they're used to using sucks. Now both Vsftpd
> and Proftpd at least support with SSL/TLS enabled: wsftp, filezilla,
> kasablanca, gftp, lftp and curl clients.
>
> [snip]
>
>>> Pureftpd can (currently) only encrypt the control connection, not the
>>> data, and as such doesn't work with some clients that implicitly expect
>>> otherwise...
>>
>> You see what I mean.
>
> Then don't use Pureftpd? The OP is about Vsftpd so that shouldn't be much
> of a problem. And anyway plenty of clients _do_ work with AUTH TLS (which
> is the method Pureftpd currently _does_ support.)
>
> If the lack of GUI for Vsftpd is a problem maybe look at the Webmin module:
> http://groups.google.nl/group/alt.os...51d53002559cbe
>
> Otherwise maybe switch to Proftpd, for which there are plenty of GUI
> tools:
> http://www.debianhelp.co.uk/proftpweb.htm
>
> Gproftpd (not mentioned above) even allows for SSL/TLS cert creation:
> http://mange.dynalias.org/linux.html
>
> Cheers.


You seem not to realize that you're helping make my point. Factor in that
there are at least 3 different protocols which have been called "sftp", "ftps",
etc., etc. The situation really suffers from the vagaries of which one you
happen to mean, and which one your client happens to support. Check out
http://en.wikipedia.org/wiki/FTPS for some examples. And the firewall
configurations for the dual-channel approach of FTP are often an....
adventure to configure for in a tight environment where the firewall guru is
being really strict. That's a big advantage of the HTTPS/WebDAV approach:
you just need to allow port 443.

"Plenty of clients" does not mean "most clients", or even "the client my
customer likes". WS-FTP is still in strong use, for example, and plenty of
real-time Linux boxes don't support any of the secure FTP versions. But they
do support web browsers or HTTPS for download!


#12
01-18-2008, 06:22 PM
Menno Duursma
Re: vsftpd and iptables

On Fri, 10 Mar 2006 08:56:23 -0500, Nico Kadel-Garcia wrote:
> "Menno Duursma" <menno@desktop.lan> wrote in message

>> Gproftpd (not mentioned above) even allows for SSL/TLS cert creation:
>> http://mange.dynalias.org/linux.html

> You seem not to realize that you're helping make my point. Factor in that
> there are at least 3 different protocols which have been called "sftp",

This is the SSH thingy mentioned before: sftp != ftps

> "ftps", etc., etc.


Well you have either AUTH TLS on port 21 after which we're scrambled,
encription of the data-channel clients should negotiate. However some
(older) send AUTH SSL and assume the data should be encripted too, Vsftpd
can cope with this.

The older suggestion was to listen on port 990 for connections with an SSL
header (conventionally active ftp-data connects from one port less than
ftp-control, so that's 989. However with passive-mode data a range is used
whatever port the control channel happens to run on.)

So you basically have two ways... And Vsftpd can be configured to accept
the first itself (with either SSLv2, v3 or TLSv1, supporting a whole list
of ciphers, and pretty much any command a client might send). The 990 port
is deprecated and wasn't used often in the first place; some kind of SSL
proxy in front of any FTP daemon should do, if anyone needs it though.

> The situation really suffers from the vagaries of which one you happen
> to mean, and which one your client happens to support. Check out
> http://en.wikipedia.org/wiki/FTPS for some examples.
I know:
curl -D - http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html | \
grep Menno

> And the firewall configurations for the dual-channel approach of FTP are
> often an.... adventure to configure for in a tight environment where the
> firewall guru is being really strict. That's a big advantage of the
> HTTPS/WebDAV approach: you just need to allow port 443.
>
> "Plenty of clients" does not mean "most clients", or even "the client my
> customer likes". WS-FTP is still in strong use,
That works (with the AUTH SSL option and SSLv[23] server support):
http://www.ipswitch.com/Support/WS_F...08sslutil.html

> for example, and plenty of real-time Linux boxes don't support any of
> the secure FTP versions. But they do support web browsers or HTTPS for
> download!
HTTPS for download: fine (although rate-limiting is easier with FTPS).
I dunno about the security implications of WebDAV BTW:

lynx -dump http://www.apsis.ch/pound/ | grep -B22 Subversion

Modern FTP(S) servers, especially Vsftpd (I read some of the code), are
rather paranoid in their input validation checking, usage of privs etc.

--
-Menno.
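Both posts come down to one operational question: how an FTPS server running explicit AUTH TLS on port 21 (Menno's suggestion) gets through the "tight" firewall Nico complains about. The script below is an added example, not code from the thread, from vsftpd or from either poster. It parses a vsftpd.conf, flags the settings a practitioner would not leave as discussed in 2006 (SSLv2/v3 enabled, data-channel encryption left to the client's PROT choice, no fixed passive range), derives the iptables rules for port 21, the passive range and, if a later vsftpd's implicit_ssl listener is enabled, port 990, and decodes a 227 PASV reply to confirm the offered data port falls inside that range. The option names are real vsftpd.conf options with their documented defaults; the two sample configs, the 50000-50100 range and the 227 reply are constructed. The caveat that motivates the fixed range: the Linux FTP conntrack helper that normally tracks PASV data connections cannot read the 227 reply once the control channel is encrypted, so the range must be configured on the server and opened on the firewall explicitly.

```python
"""Audit vsftpd.conf TLS/passive-mode settings and derive the iptables rules they
imply.  Added example: not code from the thread, vsftpd or anyone quoted above;
the two configs and the 227 reply are constructed."""
import re

# Constructed sample: TLS on, but SSLv2/v3 enabled and encryption of logins and
# data left to the client, so a client that sends PROT C transfers in the clear.
WEAK_CONF = """\
ssl_enable=YES
ssl_sslv2=YES
ssl_sslv3=YES
force_local_logins_ssl=NO
force_local_data_ssl=NO
"""

# Constructed sample: TLS only, logins and data forced onto TLS, fixed passive range.
HARDENED_CONF = """\
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=NO
force_local_logins_ssl=YES
force_local_data_ssl=YES
pasv_min_port=50000
pasv_max_port=50100
"""

# vsftpd.conf(5) defaults for the options inspected here.
DEFAULTS = {"ssl_enable": "NO", "ssl_sslv2": "NO", "ssl_sslv3": "NO",
            "force_local_logins_ssl": "YES", "force_local_data_ssl": "YES",
            "pasv_enable": "YES", "port_enable": "YES", "implicit_ssl": "NO",
            "pasv_min_port": "0", "pasv_max_port": "0"}

def parse_vsftpd_conf(text):
    """vsftpd.conf is 'option=value', one per line; '#' starts a comment."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def on(conf, key):
    return conf[key].upper() == "YES"

def passive_range(conf):
    """(min, max) when a bounded passive range is configured, else None."""
    lo, hi = int(conf["pasv_min_port"]), int(conf["pasv_max_port"])
    return (lo, hi) if 0 < lo <= hi else None

def audit_tls(conf):
    """List of findings; an empty list means the TLS/passive side is clean."""
    if not on(conf, "ssl_enable"):
        return ["ssl_enable=NO: control and data channels are plaintext FTP"]
    checks = [
        (on(conf, "ssl_sslv2"), "ssl_sslv2=YES: SSLv2 is broken, disable it"),
        (on(conf, "ssl_sslv3"), "ssl_sslv3=YES: SSLv3 is broken, disable it"),
        (not on(conf, "force_local_logins_ssl"),
         "force_local_logins_ssl=NO: a password may be sent before AUTH TLS"),
        (not on(conf, "force_local_data_ssl"),
         "force_local_data_ssl=NO: a client may send PROT C and transfer in the clear"),
        (on(conf, "pasv_enable") and passive_range(conf) is None,
         "pasv_enable=YES without pasv_min_port/pasv_max_port: data ports are "
         "unpredictable, so the firewall cannot be pinned to them"),
    ]
    return [msg for bad, msg in checks if bad]

def iptables_rules(conf):
    """Server-side rules.  Assumes ESTABLISHED,RELATED is accepted earlier and no
    FTP conntrack helper: under TLS it cannot read the 227 reply, so the passive
    range has to be opened explicitly."""
    new = "-m conntrack --ctstate NEW -j ACCEPT"
    rules = ["iptables -A INPUT -p tcp --dport 21 " + new]
    if on(conf, "implicit_ssl"):  # implicit FTPS listener on port 990
        rules.append("iptables -A INPUT -p tcp --dport 990 " + new)
    if on(conf, "pasv_enable"):
        rng = passive_range(conf)
        if rng is None:
            raise ValueError("unbounded passive range: set pasv_min_port/pasv_max_port")
        rules.append("iptables -A INPUT -p tcp --dport %d:%d " % rng + new)
    if on(conf, "port_enable"):  # active mode: the server dials out from port 20
        rules.append("iptables -A OUTPUT -p tcp --sport 20 " + new)
    return rules

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def pasv_data_port(reply):
    """Decode a 227 reply into (host, port); the port is p1*256 + p2."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 Entering Passive Mode reply: %r" % reply)
    return ".".join(m.group(i) for i in range(1, 5)), int(m.group(5)) * 256 + int(m.group(6))

def data_port_allowed(conf, reply):
    """Would the rules derived from conf admit this data connection?"""
    rng = passive_range(conf)
    return rng is not None and rng[0] <= pasv_data_port(reply)[1] <= rng[1]

if __name__ == "__main__":
    hardened = parse_vsftpd_conf(HARDENED_CONF)
    print("weak:", audit_tls(parse_vsftpd_conf(WEAK_CONF)))
    print("hardened:", audit_tls(hardened) or "clean", *iptables_rules(hardened), sep="\n")
    print(pasv_data_port("227 Entering Passive Mode (192,0,2,10,195,88)."))  # port 50008
```

Run against the weak sample it reports five findings and refuses to emit rules, because there is no bounded range to open; against the hardened sample it emits the port 21 rule, the 50000:50100 range and the outbound port 20 rule for active mode, and confirms that a 227 reply offering port 195*256+88 = 50008 lands inside the range.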

www.UnixAdminTalk.com