why would using "sftp" require disabling "vsftpd"?

Cameron Simpson cs at zip.com.au
Fri Feb 7 06:48:16 UTC 2014


On 07Feb2014 00:55, Matthew Miller <mattdm at fedoraproject.org> wrote:
> On Thu, Feb 06, 2014 at 05:38:35PM -0500, Robert P. J. Day wrote:
> > "For SSH to be truly effective, using insecure connection protocols
> > should be prohibited. Otherwise, a user's password may be protected
> > using SSH for one session, only to be captured later while logging in
> > using Telnet. Some services to disable include telnet, rsh, rlogin,
> > and vsftpd."
> > 
> >   never having used sftp before, i'm confused ... isn't sftp simply a
> > secure ftp client? and if so, why would one want to disable vsftpd? i
> > would still need an ftp server, would i not? can someone clarify what
> > that passage is saying? thanks.
> 
> sftp is actually a completely different protocol -- it does file transfer
> over an ssh channel established on the ssh port. This encrypts any passwords
> in transit, or can be used with ssh keys so passwords are not ever used.
> 
> By contrast, despite having the substring sftp in its name, vsftpd is a
> standard FTP server and by default transmits any passwords in plain text.
> Although to add some complication, vsftpd supports SSL, which is a
> relatively recent extension to the FTP protocol and may not work with all
> traditional ftp clients.

And, to add confusion, FTP-over-SSL is often referred to as "FTPS".
Versus sftp being an ftp-like command line protocol run over ssh.

I've had to deal with people who confused the two.

Cheers,
-- 
Cameron Simpson <cs at zip.com.au>

Fine:   a tax on doing wrong.
Tax:    a fine on doing well.
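
Added example, not part of the original message: a small Python audit of vsftpd.conf text showing when vsftpd still lets a password cross the wire unencrypted, even with its SSL support turned on. The option names and defaults are those documented in vsftpd.conf(5); the sample configurations and function names are constructed for illustration.

```python
# Defaults per vsftpd.conf(5): SSL is off unless enabled, and once enabled
# local logins and data transfers are forced onto the secured channel.
DEFAULTS = {
    "ssl_enable": "NO",
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
}

def parse_vsftpd_conf(text):
    """Return effective options: defaults overridden by option=value lines."""
    opts = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank line, comment, or not a setting
        key, value = line.split("=", 1)
        opts[key.strip().lower()] = value.strip().upper()
    return opts

def enabled(opts, key):
    return opts[key] in ("YES", "TRUE", "1")

def cleartext_findings(text):
    """List the ways this configuration allows unencrypted credentials or data."""
    opts = parse_vsftpd_conf(text)
    if not enabled(opts, "ssl_enable"):
        # Plain FTP: nothing else matters, USER/PASS travel as-is.
        return ["ssl_enable is off: plain FTP, passwords sent in cleartext"]
    findings = []
    if not enabled(opts, "force_local_logins_ssl"):
        findings.append("force_local_logins_ssl is off: clients may log in without TLS")
    if not enabled(opts, "force_local_data_ssl"):
        findings.append("force_local_data_ssl is off: file contents may travel unencrypted")
    return findings

# Constructed sample configurations.
PLAIN_FTP = "listen=YES\nlocal_enable=YES\n"
OPTIONAL_TLS = "ssl_enable=YES\nforce_local_logins_ssl=NO\n"
ENFORCED_TLS = "ssl_enable=YES\n#force_local_logins_ssl=NO\n"

if __name__ == "__main__":
    for name, conf in [("plain", PLAIN_FTP), ("optional", OPTIONAL_TLS),
                       ("enforced", ENFORCED_TLS)]:
        print(name, cleartext_findings(conf) or "no cleartext path found")
```

None of these settings apply to sftp, which is served by sshd rather than vsftpd.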
