11Steve Frank’s article on Don’t Use FTP has been posted on various social news sites, and I think it is an excellent piece how this 20+ year old protocol should have retired from being the stock standard of transferring files at many web hosting companies. It is not secure (not guaranteed even when FTPS is used), it is a PITA for those setting up firewalls, and it is definitely not the best protocol for developers to automate file transfer. Why many shared hosting companies provide only FTP for file upload is beyond me.
Unless there’s no suitable alternative.
Personally I prefer transferring files over SSH (using either SCP or SFTP). However it too has issues.
- SSH usually has smaller buffer for interactive use. Plus overhead on encryption it usually means lower throughput.
- Many shared hosting companies are unwilling to provide SSH access due to security concerns.
- Setting up per-user jailed SCP/SFTP is not trivial.
For me (3) is the biggest killer. Recently I am setting up file transfer for around 15 friends’ blogs hosted on my server so (1) it authenticates against the WordPress database (2) it chroots to the wwwroot directory. I didn’t have much time so guess what I had done in the end? Pure-FTPd + external auth module written in Python. :(
WebDAV? Totally avoids all the hassle of a system user account, has built in locking support, passes through firewalls neatly and you can use mod_auth whateverthehellyouwant for AAA.
I’ve had problems with dynamic content websites, but you can always run a https copy of the site (with the same docroot) and (e.g.) mod_php disabled.
Not ideal for ISOs maybe, but better than some options.
I haven’t used it, but Scponly looks like an interesting alternative to a full shell account to allow file transfers. It uses the scp/sftp protocol, but doesn’t allow people to get a shell on the box.
Has anyone else tried it?
Thanks. I have actually set up with scponly before and it provides SCP/SFTP access without SSH. It is quite easy to get up and running (included in Gentoo portage and Ubuntu/Debian I think).
However setting up a chroot instance on a per-user basis does leave a lot to be desired.
Yes WebDAV is great — with many client support and you can pretty much do whatever you want on top of Apache stack. Thanks!
Two issues:
I’ll look into it.
FTP is the bane of my existance, often getting hit by dictionary attacks and so on. Although I disagree with your sentiments about FTPS, it uses the same mechanisms as HTTPS so unless you want to pull on that thread I wouldn’t go there if I were you ;)
A lot of FTP clients support FTPS, and as long as you load a suitable root cert, or use a free one like http://www.cacert.org then that should kill off the pop-ups.
Other than that there is also rsync over SSL, although I generally use SCP for everything and no users have SSH access ;)
I wonder if there is a SSH daemon that would lock things down in a similar manner to what most/all ftp servers do with respect to jailing the user.
You could always setup some kind of file management by https ;)
Or you could just look on google…
http://www.debian.org/doc/manuals/securing-debian-howto/ap-chroot-ssh-env.en.html
Actually this is a better link, I think
http://gentoo-wiki.com/HOWTO_SFTP_Server_(chrooted,_without_shell)
Of course at the bottom of that link is this link:
http://undeadly.org/cgi?action=article&sid=20080220110039
Where the dev’s of openssh say that openssh 4.9 and later and jail users for sftp (but not scp which is depreciated or something).
Besides the same annoyance as FTP (firewall, no standard output, etc), FTPS was actually not been implemented properly by all servers due to the fact RFC 4217 was only available in 2005. I know some does not even encrypt the data connection but only the control connection.
Also FTPS is FTP + TLS on demand rather than FTP + SSL in the same way HTTPS does encryption. Depending on the client, it might choose to connect even without requiring the TLS capability, which produces a false sense of security…
It’s great to hear and I think per-user SFTP will be very useful and will hopefully persuade hosting companies to migrate from FTP to SFTP for their users. Thanks.
hey
Really nice tips!
will try to keep it in my mind
thanks!