01-04-2008, 04:27 PM

not sure if this applies to just leopard server or if its a general FTP question, sorry if its in the wrong place.


i understand FTP sends usernames and passwords in plaintext. on my LAN no security is really required beyond having a password (seriously, only i use it and no one knows what it is) but over the net, i use SFTP for security.

i cannot see an option in mac os server to deny logins that use only FTP. do i need to deny non-SFTP logins, or is it more a case of i can choose from the client side how much security is needed, not so much the server side?


its really just to set my mind at rest, and to gain a little more understanding of FTP. thanks in advance.

01-04-2008, 05:05 PM

What you have found is true with any favor of Unix. That is one of the reasons that sftp exists. The only was a person going to get our pass word from using ftp is if they are siffing network traffic. Then they would have to decode the packet information. If you are using sftp only then you should not be concerned.

01-04-2008, 05:26 PM

thanks for the reply

it brings up another question tho..

if the choice of FTP or SFTP is on the client side, and i may in the future allow access to other user accounts than my own, and i need to secure my share but *cannot assume the 2nd user knows anything about network security, AT ALL*, ie cannot trust them to always use SFTP rather than FTP, is the only way to be secure to double triple check the permissions for the shares allowed to users?


say if someone gets a hold of the 2nd user's credentials, they can only access what 2nd user can access (which while limited is more than what i'm comfortable with), is there no other way of making it more secure in order to prevent this? no other way to ensure 2nd user uses security or they are denied?


sorry if i'm asking you to repeat yourself, but this is a security concern for me.


also come to think of it, nothing prevents the user *sending* credentials in plaintext, ie attempting to login, is there? i am not clear on this but if the 2nd user attempts login with FTP and someone was using a packet sniffer, thats the end of the story right? apologies again if you already answered my question!


thanks

01-04-2008, 05:40 PM

As I understand it, SFTP uses Secure Shell (SSH) as both the transit and encryption method. That being the case, you don't need to run an FTP server at all, just a properly-configured SSH service and the SFTP service. This way, all authentication and file transit traffic is encrypted. If you are running both FTP and SFTP now, try disabling FTP and connecting as you normally do with your SFTP client. If it works, your work is done ;-)

Perry