[lug] Is anon ftp upload really bad?
Peter Hutnick
peter-lists at hutnick.com
Wed Apr 24 16:38:32 MDT 2002
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wednesday 24 April 2002 04:25 pm, John Hernandez wrote:
> Peter Hutnick wrote:
> > I DO NOT do FTP other than anon.
> >
> > I would urge others to use anon uploads (in a safe and sane way) over
> > cleartext authenticated FTP any day of the week.
>
> I don't quite get it. If you ADD authentication (even reusable
> clear-text passwords) to the current (safe and sane) method, how does a
> stolen password make you any worse off, provided the account is for ftp
> only?
I guess I don't know of any kind of authenticated anonymous FTP. The two
sound mutually exclusive to me.
I don't see how using a password in this case is any improvement, and the
whole point is to make it easy. If I didn't care if the uploader had to
authenticate I would just have him use SCP . . .
> One-time password systems like S/Key and OPIE avoid the common problems
> with cleartext passwords by making any given password valid only once.
> As mentioned before, this would be an enhancement (not a replacement)
> for your existing methods. If the password communicated to the
> uploader happens to be intercepted, you would at worst revert to
> "anonymous mode" for one session.
I guess that is useful to some people. I don't see a benefit to using
passwords that you are going to assume to be compromised.
To say it another way, I don't see any use in a half-measure. Either rely on
authentication (and IMO cleartext isn't authentication, since, as you allude
to, you basically have to assume the passwords to be compromised) or don't.
Using untrusted authentication on top of an otherwise secure system seems to
be the worst of both worlds to me.
- -Peter
- --
/"\ ASCII Ribbon campaign against HTML e-mail
\ /
X Get my PGP key at http://hutnick.com/pgp
/ \ 6128 5651 6F23 EC17 6EBD 737D 960A 20E6 76CA 8A59
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE8xzPplgog5nbKilkRAnJFAJ9GykXvPDHAfhGPcL3xnbC90N4pnwCeJN7d
QntQzaC9m2FYGC8o4EUpsVg=
=OoJc
-----END PGP SIGNATURE-----
More information about the LUG
mailing list