[lug] Is anon ftp upload really bad?
John Hernandez
John.Hernandez at noaa.gov
Wed Apr 24 16:25:02 MDT 2002
Peter Hutnick wrote:
> I DO NOT do FTP other than anon.
>
> I would urge others to use anon uploads (in a safe and sane way) over
> cleartext authenticated FTP any day of the week.
>
I don't quite get it. If you ADD authentication (even reusable
clear-text passwords) to the current (safe and sane) method, how does a
stolen password make you any worse off, provided the account is for ftp
only?

One-time password systems like S/Key and OPIE avoid the common problems
with cleartext passwords by making any given password valid only once.
As mentioned before, this would be an enhancement (not a replacement)
for your existing methods. If the password communicated to the
uploader happens to be intercepted, you would at worst revert to
"anonymous mode" for one session.
--
- John Hernandez - Network Engineer - 303-497-6392 -
| National Oceanic and Atmospheric Administration |
| Mailstop R/OM12. 325 Broadway, Boulder, CO 80305 |
----------------------------------------------------
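
The one-time property described in the message above, as an added example that is not part of the original post: a simplified Lamport hash chain of the kind S/Key and OPIE are built on, showing that an intercepted password is rejected on replay. SHA-256 stands in for their hash-and-fold step, and the class name, seed and passphrase are assumptions constructed for illustration.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    # Assumption: SHA-256 replaces the hash-and-fold step of real S/Key/OPIE.
    return hashlib.sha256(data).digest()


def chain(secret: bytes, seed: bytes, n: int) -> bytes:
    """Client side: hash seed+secret n times to get the n-th one-time password."""
    value = seed + secret
    for _ in range(n):
        value = h(value)
    return value


class OtpAccount:
    """Server-side state for one FTP-only account; the secret is never stored."""

    def __init__(self, secret: bytes, seed: bytes, count: int):
        self.seed = seed
        self.count = count                       # index of the stored value
        self.last = chain(secret, seed, count)   # computed once at enrollment

    def challenge(self):
        # The server asks for the password one step earlier in the chain.
        return self.count - 1, self.seed

    def verify(self, otp: bytes) -> bool:
        if self.count <= 1:
            return False                         # chain used up: re-enroll
        if not hmac.compare_digest(h(otp), self.last):
            return False                         # wrong or already-used password
        self.last, self.count = otp, self.count - 1
        return True


def demo():
    secret, seed = b"constructed passphrase", b"lug1234"  # constructed samples
    acct = OtpAccount(secret, seed, 5)
    n, s = acct.challenge()
    otp = chain(secret, s, n)        # uploader's response, visible on the wire
    first = acct.verify(otp)         # legitimate login succeeds
    replay = acct.verify(otp)        # the sniffed value is now stale
    n2, s2 = acct.challenge()
    following = acct.verify(chain(secret, s2, n2))  # next password still works
    return first, replay, following


if __name__ == "__main__":
    print(demo())
```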