why would using "sftp" require disabling "vsftpd"?

Patrick Kobly patrick at kobly.com
Fri Feb 7 16:33:19 UTC 2014


Robert,

I figured I would reply to this, as it seems the responses you have received so far have lacked clarity (or haven't included all of the relevant information).

There are two commonly used protocols that are functionally equivalent to FTP but use encrypted channels.  They are:

SFTP (SSH File Transfer Protocol) - http://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol
FTPS (FTP Over SSL) - http://en.wikipedia.org/wiki/FTPS

On the server side:
The package vsftpd does not implement SFTP.  It implements FTP (non-encrypted) and FTPS.
OpenSSH (provided by openssh-server) implements the server-side of SFTP.  It does not implement FTPS.

On the client side:
curl (provided by curl) and lftp (provided by lftp) can both act as clients for FTPS.
sftp (provided by openssh-clients) and a wide variety of other file transfer programs act as clients for SFTP.

While both of these protocols provide roughly equivalent protection for ensuring that credentials are not passed in cleartext, SFTP has a couple of major security advantages: a) public key client authentication, so your password doesn't need to be used; b) it is _much_ more firewall friendly, as it doesn't establish separate dynamic data connections.

PK



-----Original message-----
From:	Robert P. J. Day <rpjday at crashcourse.ca>
Sent:	Thu 06-02-2014 15:38
Subject:	why would using "sftp" require disabling "vsftpd"?
To:	Fedora Users List <users at lists.fedoraproject.org>; 
> 
>   again, reading RHEL 7-beta docs and here:
> 
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/System_Administrators_Guide/s1-ssh-configuration.html
> 
> one reads:
> 
> "For SSH to be truly effective, using insecure connection protocols
> should be prohibited. Otherwise, a user's password may be protected
> using SSH for one session, only to be captured later while logging in
> using Telnet. Some services to disable include telnet, rsh, rlogin,
> and vsftpd."
> 
>   never having used sftp before, i'm confused ... isn't sftp simply a
> secure ftp client? and if so, why would one want to disable vsftpd? i
> would still need an ftp server, would i not? can someone clarify what
> that passage is saying? thanks.
> 
> rday
> 
> -- 
> 
> ========================================================================
> Robert P. J. Day                                 Ottawa, Ontario, CANADA
>                         http://crashcourse.ca
> 
> Twitter:                                       http://twitter.com/rpjday
> LinkedIn:                               http://ca.linkedin.com/in/rpjday
> ========================================================================
>
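
The reply's two points (vsftpd serves both plain FTP and FTPS, and FTP needs separate dynamic data connections) can be checked against a vsftpd configuration. The following is an added example, not part of the original message; option names and defaults are those documented in vsftpd.conf(5), and the sample configurations are constructed.

```python
# Added example: audit a vsftpd.conf for the two issues raised in the message.
# Option names and defaults are those documented in vsftpd.conf(5).
DEFAULTS = {
    "ssl_enable": "NO",               # FTPS is off unless enabled
    "force_local_logins_ssl": "YES",  # only takes effect when ssl_enable=YES
    "force_local_data_ssl": "YES",    # only takes effect when ssl_enable=YES
    "pasv_min_port": "0",             # 0 means any port
    "pasv_max_port": "0",
}

def effective_settings(conf_text):
    """Overlay the file's option=value lines on the documented defaults."""
    settings = dict(DEFAULTS)
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def audit(conf_text):
    """Return a list of findings; an empty list means neither issue applies."""
    s = effective_settings(conf_text)
    enabled = lambda key: s[key].upper() in ("YES", "TRUE", "1")
    findings = []
    if not enabled("ssl_enable"):
        findings.append("ssl_enable: FTPS is off, so logins and data use plain FTP")
    else:
        if not enabled("force_local_logins_ssl"):
            findings.append("force_local_logins_ssl: cleartext logins are still accepted")
        if not enabled("force_local_data_ssl"):
            findings.append("force_local_data_ssl: data connections may be unencrypted")
    if int(s["pasv_min_port"]) == 0 or int(s["pasv_max_port"]) == 0:
        findings.append("pasv_min_port/pasv_max_port: passive data ports are not "
                        "pinned, so the firewall cannot allow a fixed range")
    return findings

# Constructed sample configurations (not taken from any real host).
WEAK = "listen=YES\nlocal_enable=YES\nssl_enable=YES\nforce_local_logins_ssl=NO\n"
HARDENED = ("listen=YES\nlocal_enable=YES\nssl_enable=YES\n"
            "pasv_min_port=50000\npasv_max_port=50100\n")

if __name__ == "__main__":
    for name, conf in (("default", ""), ("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf) or "no findings")
```

Even the hardened configuration needs the control port plus the whole passive range open on the firewall, whereas SFTP runs entirely over the single SSH connection.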

