- Are FTP Clients on unix boxes turned off?
- Posted by Divakar on February 3rd, 2005
In one of my assignments, we are trying to propose a solution involving
using ftp clients on unix boxes. I am trying to poll this group to see
how unix sysadmins typically look at ftp clients on a unix box.
1. First of all, are ftp clients available by default on all main unix
platforms? (Aix, Solaris, HPUX, Linux etc.)
2. Do sysadmins perceive using ftp clients on unix boxes as a security
threat of some sort?
Any comments in this area will be appreciated.
Divakar
- Posted by Laurenz Albe on February 3rd, 2005
Divakar <divakar.j@gmail.com> wrote:
What kind of assignment? Homework? Or are you a consultant?
Both are frequently a sign of cluelessness :^)
Usually yes. On some systems you get a choice, but the FTP client is
always on the install media.
The only problem I see with an FTP client is that it sends data and
passwords unencrypted. If you are in an environment where there is danger
of people sniffing network traffic for passwords, it is better to use
something else.
Still you want to have an FTP client on your system, for example to do
anonymous ftp to download sites.
Yours,
Laurenz Albe
- Posted by Michael Heiming on February 3rd, 2005
In comp.unix.admin Divakar <divakar.j@gmail.com>:
Homework?
Yep, even if it can't be guaranteed, as many *nix boxes are
installed auto-magically with net booting through one or another
vendor dependent variant, allowing for heavily customized
installations.
Yep, standard ftp has no security at all and should be used for
anonymous ftp/tftp/etc only.
Use sftp/scp instead.
--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 79: Look, buddy: Windows 3.1 IS A General
Protection Fault.
- Posted by Dave Hinz on February 3rd, 2005
On 2 Feb 2005 20:45:19 -0800, Divakar <divakar.j@gmail.com> wrote:
I prefer to use ssh-enabled services, like scp.
Yes.
Well, yes. The traffic, including the username and password, is passed
in clear text and can be sniffed/snooped. In an environment where
security isn't important (are there any?) that's not a problem. But,
when scp is also readily available, free, and secure, and as easy
if not easier to use interactively or in a script.
Thank you for mentioning this is homework; saying so gets a much
better response than the people who try to pretend it's not.
Dave Hinz
- Posted by Dave Hinz on February 3rd, 2005
On Thu, 3 Feb 2005 08:36:46 +0000 (UTC), Laurenz Albe <albe@culturallNOSPAM.com> wrote:
Pretty harsh, Laurenz. He asked a well-formulated, intelligent
question, and was up-front about it being an assignment of some sort.
- Posted by Ulrich Herbst on February 3rd, 2005
"Divakar" <divakar.j@gmail.com> writes:
On most unix systems, there are ftp clients installed. But, as said in
other answers, too: This isn't guaranteed.
No. I haven't anything against clients. But I don't want ftp servers
on my servers running. Clients are insecure for the servers.
--
'''
(0 0)
+------oOO----(_)--------------+
| |
| Ulrich Herbst |
| |
| Ulrich.Herbst@gmx.de |
+-------------------oOO--------+
|__|__|
|| ||
ooO Ooo
- Posted by Doug Freyburger on February 3rd, 2005
Dave Hinz wrote:
Including sftp.
Clear passwords aren't an issue with the s* ones.
The biggest issue with running FTP is downloading problem
files. That's a user training problem not a technical one.
Agreed.
- Posted by Timothy J. Bogart on February 3rd, 2005
Dave Hinz wrote:
The only thing I would add would be the probability of decreasing
cluelessness is somewhat better for the student. Marginally. 8-)
- Posted by Dave Hinz on February 3rd, 2005
On Thu, 03 Feb 2005 12:59:29 -0700, Timothy J. Bogart <tbogart@frii.net> wrote:
His question, yes. The followup, not so much.
Whatever. Guy was honest with us and asked a good question.
- Posted by Timothy J. Bogart on February 3rd, 2005
Divakar wrote:
Do you really want to know about ftp? Or do you really want to know if
ftp is the right approach for your 'problem'?
Kind of hard to help you there since you didn't share the problem.
- Posted by Mark Rafn on February 3rd, 2005
Divakar <divakar.j@gmail.com> wrote:
Generally this is a bad place to ask homework questions, but this one is
specific, interesting, and not asked every week - nice job 
Does the assignment specify use of FTP, or is this negotiable? FTP is an
annoying protocol network-wise (lack of encryption, use of multiple
connections), and should probably be avoided if possible. Command-line
HTTP or SSH clients like wget or scp are somewhat less available out of
the box, but can be added to almost all systems, and allow you better
security, scriptability, and flexibility in network firewalling.
Mostly, yes, for default installs of the OS. The server is usually disabled,
but the client is usually there if any client network tools are. Like any
specific, this is only "mostly", there are no guarantees.
Smart sysadmins discourage its use, but it's not a threat in itself. It may
be removed as part of a "remove EVERYTHING that you don't absolutely need"
policy, which has some value.
Passwords are generally sent plaintext in FTP, so it's not considered even a
vaguely secure protocol. There are newer versions that encrypt the
authentication, but most of what you'll find installed by default won't.
--
Mark Rafn dagon@dagon.net <http://www.dagon.net/>
- Posted by Dave Hinz on February 4th, 2005
On Thu, 3 Feb 2005 14:28:33 -0800, Mark Rafn <dagon@dagon.net> wrote:
How do I remove a file with a space in its name? (sorry...)
- Posted by Barry Margolin on February 4th, 2005
In article <1107449931.788623.264040@z14g2000cwz.googlegroups.com>,
"Doug Freyburger" <dfreybur@yahoo.com> wrote:
That same problem exists if you use something other than an FTP client
to perform the download. It's not FTP that's the problem, it's the
general issue of downloading malware by any means.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
- Posted by Laurenz Albe on February 4th, 2005
Dave Hinz <DaveHinz@spamcop.net> wrote:
Yes, and I apologise for letting my witticisms get the better of me.
I hope to have made some amends by giving a reasonable answer.
Yours,
Laurenz Albe
- Posted by Stefaan A Eeckels on February 4th, 2005
On 2 Feb 2005 20:45:19 -0800
"Divakar" <divakar.j@gmail.com> wrote:
Traditionally, Unix systems come with a command-line FTP
client. Don't forget that browsers are also FTP clients.
Clients usually don't allow access to the machine on which they
run, but FTP is an exception because in PORT mode at least,
the _client_ opens a port for the server to connect to. So
theoretically, a vulnerability in the client might allow a compromised
FTP server access to the client's host. I've not heard of exploits
though.
There are many good reasons for not using FTP, the
most obvious being the plain-text passwords, which are especially
problematic because traditionally FTP servers use the OS
credentials (thus giving login access to a system). Systems
using the FTP protocol, but with their own credentials are
less problematic, especially if they are designed such that
the availability of the FTP login/password doesn't give
access to the data used by the system, and/or that data is
encrypted. In these circumstances using FTP can make life
easier because network administrators typically have fewer
problems allowing well-known protocols through their routers
than unknown, custom designed protocols (better the devil
you know, etc.). Such a system would typically not use the
standard client, but include their own clients (or at least
provide a wrapper around the standard client allowing
some form of automated use).
Take care,
--
Stefaan
--
As complexity rises, precise statements lose meaning,
and meaningful statements lose precision. -- Lotfi Zadeh
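
Added example (not part of any post in this thread): a small Python audit of an FTP control-channel transcript that flags the cleartext USER/PASS commands and decodes active-mode PORT arguments into the address and port the client opens for the server, the two issues raised in the post above. The session text is constructed and the function names are illustrative.

```python
import re

# Constructed sample of an FTP control-channel session (client lines only),
# as it would appear in a packet capture. All values are made up.
SAMPLE_SESSION = """\
USER alice
PASS s3cret-example
SYST
PORT 192,0,2,10,195,80
LIST
PASV
RETR report.txt
QUIT
"""

PORT_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def decode_port_arg(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' (RFC 959) into (ip, port); None if malformed."""
    m = PORT_RE.match(arg.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def audit_control_channel(text):
    """Return findings for cleartext credentials and active-mode listeners."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("USER", "PASS"):
            # Report that a credential was visible without repeating it.
            findings.append((lineno, "cleartext-" + verb.lower(), len(arg)))
        elif verb == "PORT":
            endpoint = decode_port_arg(arg)
            kind = "client-listener" if endpoint else "malformed-port"
            findings.append((lineno, kind, endpoint))
    return findings


if __name__ == "__main__":
    for finding in audit_control_channel(SAMPLE_SESSION):
        print(finding)
```

PASV and the other commands are not flagged: in passive mode the server, not the client, opens the data port.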