Difference between revisions of "FTP tips"

From Noah.org
(New page: Category:Engineering FTP is about the worst solution for file transfers. Not only is data transfer unencrypted but even user passwords are sent in the clear when you login. FTP is als...)
 
Line 3: Line 3:
 
FTP is about the worst solution for file transfers. Not only is data transfer unencrypted but even user passwords are sent in the clear when you login. FTP is also a pain in the ass to get through firewalls. So if you want to make a SysAdmin cringe then ask them install an FTP server.
 
FTP is about the worst solution for file transfers. Not only is data transfer unencrypted but even user passwords are sent in the clear when you login. FTP is also a pain in the ass to get through firewalls. So if you want to make a SysAdmin cringe then ask them install an FTP server.
  
That said, if you must install FTP then probably your best bet is [http://vsftpd.beasts.org/ vsftpd]. It supports SSL and can force a client to use SSL before they can send a password (force_local_logins_ssl). Of course, this assumes your user is capable of finding, installing, and configuring an FTP client with SSL support. In my experience, the biggest excuse for management wanting to install FTP is to support clients who can most kindly be described as naive users. SSL is optional and never the default in any FTP client I have ever seen, so you have to explain to the user what SSL is and then help them find where their FTP client may have hidden the SSL option -- if the FTP client offers that feature in the first place... As long as you are willing to go through that trouble you might as well save yourself some effort by refusing FTP connections and forcing the user to find a file tranfser client that supports SFTP. Many FTP clients already support SFTP and in my experience choosing the SFTP option is easier than trying to configure the FTP option with SSL. For example, Fetch -- the most popular Mac FTP client supports SFTP. When setting up a connection, you simply choose SFTP from the drop-down list called "Connect using" (OK, Mac people insist on call it a pop-up menu.)... So unless you are willing to totally throw security out the window it's actually easier to just do the right thing and use SFTP.
+
The only way to make FTP somewhat secure is to use a server that support SSL encryption. This is an encryption layer on top of FTP. Of course, this assumes your users are capable of finding, installing, and configuring an FTP client that supports SSL encryption. In my experience, the biggest excuse for management wanting to install an FTP server is to support clients who can most kindly be described as naive users. SSL is optional and never the default in any FTP client I have ever seen, so you have to explain to the user what SSL is and then help them find where their FTP client may have hidden the SSL option. As long as you are willing to go through that trouble you might as well save yourself some effort by refusing FTP connections and forcing the user to find a file transfer client that supports SFTP. SFTP has encryption built-in from the start. Many FTP clients already support SFTP and in my experience choosing the SFTP option is easier than trying to configure an FTP connection with the SSL option. For example, Fetch supports SFTP. Fetch is the most popular FTP client for Mac OS X. When setting up a connection, you simply choose SFTP from the drop-down list called "Connect using:" (OK, Mac people insist on call it a pop-up menu.)... So unless you are willing to totally throw security out the window, it's actually easier to just do the right thing and use SFTP.
  
Note that SFTP stands for the SSH File Transfer Frotocol not to be confused with the ancient and abandoned Simple FTP or Trivial FTP (TFTP). SFTP is related to SCP. I have never found an SSH server that does not support both SCP and SFTP.
+
That said, if you must install an FTP server then probably your best bet is [http://vsftpd.beasts.org/ vsftpd]. It supports SSL encryption and can force a client to connect using SSL before they can send a password (force_local_logins_ssl).
 +
 
 +
Note that SFTP stands for the SSH File Transfer Frotocol not to be confused with the ancient and abandoned Simple FTP or Trivial FTP (TFTP). SFTP is related to SCP. I have never found an SSH server that does not support both SCP and SFTP. SFTP has no relationship with FTP except that both at File Transfer Protocols.
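Review bot: the added closing paragraph keeps the typo "Frotocol" from the old text, and its new last sentence reads "both at File Transfer Protocols" where "both are" is meant. The added second paragraph also has "a server that support" (should be "supports") and carries over "insist on call it" (should be "calling it"). These are worth fixing in the same revision, since the rest of the change is a wording cleanup.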

Revision as of 13:35, 19 July 2008


FTP is about the worst solution for file transfers. Not only is data transfer unencrypted but even user passwords are sent in the clear when you log in. FTP is also a pain in the ass to get through firewalls. So if you want to make a SysAdmin cringe then ask them to install an FTP server.

The only way to make FTP somewhat secure is to use a server that supports SSL encryption. This is an encryption layer on top of FTP. Of course, this assumes your users are capable of finding, installing, and configuring an FTP client that supports SSL encryption. In my experience, the biggest excuse for management wanting to install an FTP server is to support clients who can most kindly be described as naive users. SSL is optional and never the default in any FTP client I have ever seen, so you have to explain to the user what SSL is and then help them find where their FTP client may have hidden the SSL option. As long as you are willing to go through that trouble you might as well save yourself some effort by refusing FTP connections and forcing the user to find a file transfer client that supports SFTP. SFTP has encryption built in from the start. Many FTP clients already support SFTP and in my experience choosing the SFTP option is easier than trying to configure an FTP connection with the SSL option. For example, Fetch supports SFTP. Fetch is the most popular FTP client for Mac OS X. When setting up a connection, you simply choose SFTP from the drop-down list called "Connect using:" (OK, Mac people insist on calling it a pop-up menu.)... So unless you are willing to totally throw security out the window, it's actually easier to just do the right thing and use SFTP.

That said, if you must install an FTP server then probably your best bet is vsftpd. It supports SSL encryption and can force a client to connect using SSL before they can send a password (force_local_logins_ssl).
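The check below is an added example, not from the original page or the vsftpd project. It reads vsftpd.conf text and reports settings that would let a password cross the wire unencrypted. The option names and defaults are those documented in the vsftpd.conf man page; the function names and the sample configs are constructed for illustration.

```python
# Added example: audit vsftpd.conf text for cleartext-password exposure.
# Option names and defaults are from the vsftpd.conf man page.
DEFAULTS = {"ssl_enable": "NO", "force_local_logins_ssl": "YES",
            "force_local_data_ssl": "YES", "ssl_sslv2": "NO", "ssl_sslv3": "NO"}

def on(value):
    # Assumption: vsftpd reads YES/TRUE/1 as true, case-insensitively.
    return value.upper() in ("YES", "TRUE", "1")

def parse_conf(text):
    """Return (settings, malformed_lines); unset options keep their defaults."""
    settings, malformed = dict(DEFAULTS), []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        # The man page makes any space around '=' an error, so flag it.
        if not sep or not key or key != key.strip() or value != value.strip():
            malformed.append(line)
            continue
        settings[key] = value
    return settings, malformed

def audit(text):
    """List the reasons a login could cross the wire unencrypted."""
    s, malformed = parse_conf(text)
    findings = [f"malformed line: {l!r}" for l in malformed]
    if not on(s["ssl_enable"]):
        # The force_* options only take effect when ssl_enable is on.
        findings.append("ssl_enable is off: passwords and data are cleartext")
        return findings
    if not on(s["force_local_logins_ssl"]):
        findings.append("force_local_logins_ssl is off: cleartext logins accepted")
    if not on(s["force_local_data_ssl"]):
        findings.append("force_local_data_ssl is off: cleartext data accepted")
    for old in ("ssl_sslv2", "ssl_sslv3"):
        if on(s[old]):
            findings.append(f"{old} is on: obsolete SSL version allowed")
    return findings

# Constructed sample configs, not taken from any real server.
WEAK = "listen=YES\nssl_enable=YES\nforce_local_logins_ssl=NO\nssl_sslv3=YES\n"
HARDENED = "ssl_enable=YES\nforce_local_logins_ssl=YES\nforce_local_data_ssl=YES\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf) or "no findings")
```

Note that a config that never mentions SSL at all fails the audit, because ssl_enable defaults to NO and the force_* options do nothing until it is switched on.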

Note that SFTP stands for the SSH File Transfer Protocol, not to be confused with the ancient and abandoned Simple FTP or Trivial FTP (TFTP). SFTP is related to SCP. I have never found an SSH server that does not support both SCP and SFTP. SFTP has no relationship with FTP except that both are file transfer protocols.