LISTSERV - SCIENTIFIC-LINUX-USERS Archives

I'm going to merge a few replies here.

vsftpd is referred to as "very secure ftp daemon". This, unfortunately,
means absolutely nothing in terms of the FTP protocol itself. It refers to
its well-written code, its simple and legible and reliable configuration
options, and the complete discard of the antique and very patched mess that
was the legacy wu-ftpd.

vsftpd supports FTPS, which is FTP over SSL tunnels, but it is not enabled
by default. So simply having the package says nothing about whether
someone, or their clients, are using or only using FTPS. So LDAP based
password access, especially if the LDAP is linked to Active Directory or
other login services, is a real security risk in today's world of
rootkitted laptops living inside "secure" networks, and external FTP
traffic crossing public wires. This is why I asked whether the original
poster was using it.

FTP also suffers, and has always suffered, from firewall and router
confusion with the dual-port protocol for data and command signals.

There are numerous command line and some good graphical clients available
for FTPS. curl, and lftp, support it quite well.

SFTP.... is another story. The protocol is entierly distinct, it does not
know a symlink from a hole in its head, and there are no provisions for
handling local timezone display differences between the server and the
client's configuration. The results can be..... nightmarish if you expect
it to act like FTP, and nightmarish if you're not aware of the flaws. And
the overburdening of port 22 for SSH sessions, SCP sessions, and SFTP
sessions makes the protocol very difficult to manage in a security sense:
if you allow SFTP on the standard port through your firewalls, you're also
allowing SSH. That...... can be awkward to protect against or manage.

Don't get me *started* on the SFTP/SSH hostkey whackiness. It's another
subject for another time. And in case it's not clear, I wrote and
published the first SunOS ports of ssh-1, ssh-2, and OpenSSH, so I've
worked extensively with it for many years.

All that is why I've gotten fond of WebDAV over HTTPS. Everyone leaves port
443 open, it works well through proxies, running it on Apache gives good
access control, and you have a wide variety of workable authentication and
account management tools. And it's built into many browsers and GUI's.