  1. #1
    Join Date
    Mar 2002
    Location
    illinois
    Posts
    29

    SecureFTP (SFTP) v. SSH

    It seems that most web hosts advise users to FTP their site, but doesn't that put the user's user name and password at risk, like this excerpt says:
    From:
    http://www.itc.virginia.edu/desktop/...refx.html#sftp
    >>>>
    FTP by itself is not secure. This means that your login i.d. and password can be "captured" by anyone as it goes from one machine to another. Even if the information that is being transferred is for public consumption, the fact that your login/password pair can be read is a serious risk. If that information is nabbed by a malicious intruder, that individual could not only make a mess of your home directory.
    >>>>
    Are web hosts using Secure FTP and SSH to avoid this security vulnerability?

  2. #2
    Join Date
    Dec 2001
    Location
    Detroit, MI
    Posts
    1,067
    Precisely why it's silly for admins that offer SSH, FTP, and POP3 to turn telnet off.

    POP3 passwords are transmitted a lot more frequently than any others, yet those are completely insecure just like FTP and Telnet.

  3. #3
    Join Date
    Nov 2001
    Location
    Vancouver
    Posts
    2,416
    Most hosts that provide shell access provide access via SSH as an option. SCP - secure cp - operates over the same SSH protocol, so if the host offers SSH, you are all set.

    Just add client software, and water...
    “Even those who arrange and design shrubberies are under
    considerable economic stress at this period in history.”

  4. #4
    Join Date
    Mar 2002
    Location
    illinois
    Posts
    29
    What client software would you recommend for SCP?
    WinSCP?
    PuTTY?
    pscp?

    And for SSH itself - what about SecureCRT?

  5. #5
    Join Date
    Nov 2001
    Location
    Vancouver
    Posts
    2,416
    I've been using WinSCP and PuTTY for SSH. I have PuTTY scripted to upload code from my desktop as well.

    Others have their own preferences - SecureCRT seems to get lots of applause.
    “Even those who arrange and design shrubberies are under
    considerable economic stress at this period in history.”

  6. #6
    PuTTY is a fantastic tool, it's simple and best of all, it's free.

    SecureCRT is nice too, it has more options but isn't free. If all you need to do is SSH then I'd suggest you use PuTTY.

  7. #7
    Join Date
    Nov 2001
    Location
    California
    Posts
    1,991
    I like PuTTY a lot.

  8. #8
    Join Date
    Mar 2001
    Location
    Connecticut, US
    Posts
    779
    Originally posted by DizixCom
    Precisely why it's silly for admins that offer SSH, FTP, and POP3 to turn telnet off.

    POP3 passwords are transmitted a lot more frequently than any others, yet those are completely insecure just like FTP and Telnet.

    Yup, that's why I use POP3-SSL. No more clear-text passwords when I check mail.

  9. #9
    The average user is going to be turned off when you tell them you don't offer FTP. Most people don't even like to use a number in their password, how are they going to react when I tell them they can't use their FTP program, or they have to tunnel over SSH?

    Also, I don't feel too silly for offering FTP and not Telnet. I don't give anyone a shell, so if someone grabs an FTP password, they'll have to work a bit harder to get shell. If they got a Telnet pass, well, shell is a little easier road for them, and root isn't that hard from shell for anyone.

    Basically, it's all a tradeoff. The most secure server in the world is turned off, disconnected from any network. And you'll have no customers. It's all downhill from there, security wise.

  10. #10
    Join Date
    Mar 2001
    Location
    Connecticut, US
    Posts
    779
    Originally posted by driverdave
    ...The most secure server in the world is turned off, disconnected from any network. ...

    It may not be secure if it is not in a physically secure location. A powered-down server can be stolen.

  11. #11
    Join Date
    Dec 2001
    Location
    Detroit, MI
    Posts
    1,067
    Also, I don't feel too silly for offering FTP and not Telnet. I don't give anyone a shell, so if someone grabs an FTP password, they'll have to work a bit harder to get shell. If they got a Telnet pass, well, shell is a little easier road for them, and root isn't that hard from shell for anyone.
    If you read what I said, I specifically stated that it's silly for hosts that offer SSH (read, shell access via ssh) in combination with FTP and POP3 to turn telnet off as there is no point. And if it's easy for anyone to get root just from a shell then you have serious issues to work out. I am fairly confident that if someone gained regular user shell access to any of my servers, they'd not be able to get root no matter how hard they try. Naturally I can't be 100% certain, but I am pretty darned sure.

    Using POP3-SSL is an excellent idea for everyone, as well as using SFTP, but that is end user responsibility in my opinion. Not something we can easily enforce as a hosting provider because they are not mainstream enough to be accepted.

  12. #12
    Join Date
    Mar 2001
    Location
    Connecticut, US
    Posts
    779
    Originally posted by DizixCom
    ...Using POP3-SSL is an excellent idea for everyone, as well as using SFTP, but that is end user responsibility in my opinion. Not something we can easily enforce as a hosting provider because they are not mainstream enough to be accepted.
    Doesn't Outlook Distress support POP3-SSL? If so, that's about as mainstream as you can get.
