Is there any advantage in using an FTPd in a chroot environment over using SFTP that is standard with SSHd? asked 10 May '10, 16:21 ranxxerox
If you are transferring content that might have legal, personal, or financial information, make sure your organization understands its liabilities and possible compliance obligations. The only compelling reasons I can think of are when you have customers that are unable to connect using an ssh/tls/sftp capable client, or they are using an embedded device for ftp, or the security of account credentials is essentially worthless and the data does not contain personally identifiable materials. If you have actual security concerns, do not use ftp and discourage your clients from using it. Anyhow, the benefits of ftp as a protocol have mostly been surpassed by https POST, PUT, and/or webdav. Of course there are lots of howtos on the Internet providing instructions for things that are not best practice. I wouldn't misconstrue their presence as much wisdom, only prevalence. Password sniffing is easy. Consult SANS and research the topic "defense in depth." answered 11 May '10, 06:23 memnoch_proxy
FTP transmits the password in plain text, so unless you're going over a local network, use SFTP (or some other more secure method). answered 10 May '10, 17:26 mackal
I know that sftp is more secure, I'm looking for reasons to use ftp over sftp because I keep seeing guides and articles about ftp servers and wonder why anyone would go through all that trouble when 99% of linux servers have sftp baked in. (10 May '10, 23:40) ranxxerox
rssh provides the best of both worlds -> you chroot users, restrict them to just sftp access, lots of good stuff http://www.pizzashack.org/rssh/ ; also, modern versions of openssh support chroot answered 11 May '10, 02:31 Aaron 1
Apart from the obvious difference that ftp is cleartext and sftp is encrypted, FTP is an old technology and people generally recommend moving to newer alternatives such as rssh/ssh/sftp as its implementation is flawed in the modern age. It should be noted FTP uses different ports for control data (TCP: 20) and another port for transferring data (TCP: 21). With organisations using stateful firewalls this can cause issues when trying to transfer data. This is better described in the below link outlining the differences between Active/Passive mode. SFTP only uses one port and does not have these drawbacks. http://slacksite.com/other/ftp.html I know this specifically does not answer your question but may be a consideration when you are choosing which to go with. answered 12 May '10, 22:25 gjcwilliams
These are two different things. A chroot'ed program runs in a restricted environment, meaning it should not interfere with other parts of the system. This is more in the realm of the OS. Whether the data is transferred in the open or encrypted is the job of the server software (and what the client can accept). You suggest sftp, but other protocols (https and ssh are other possibilities) exist. In short, any program can be chroot'ed. Transferral of the data (open/encrypted) depends on the software (server AND client). In your case, if users are pulling data from your server, I will recommend sftp (https may also be a possibility and users won't need another client). If your server is behind a well kept firewall, and the server software is well behaved, you may not need chroot. The cost of chroot is just the installation (recreate the environment, copy files to the chroot'ed new directory structure, remembering to update). It is only done once, and may give you a little more peace of mind. Sorry it went so long. answered 13 May '10, 23:11 LiquidPaper