why would using "sftp" require disabling "vsftpd"?

Tim ignored_mailbox at yahoo.com.au
Fri Feb 7 19:01:30 UTC 2014


Allegedly, on or about 06 February 2014, Robert P. J. Day sent:
> "For SSH to be truly effective, using insecure connection protocols
> should be prohibited. Otherwise, a user's password may be protected
> using SSH for one session, only to be captured later while logging in
> using Telnet. Some services to disable include telnet, rsh, rlogin,
> and vsftpd."
> 
>   never having used sftp before, i'm confused ... isn't sftp simply a
> secure ftp client? and if so, why would one want to disable vsftpd? i
> would still need an ftp server, would i not? can someone clarify what
> that passage is saying? thanks. 

You need to stop people from making connections to anything that allows
the encrypted transmission of passwords.  Hence removing vsftpd (and
other unsafe protocols).

If insecure servers are removed, users aren't transmitting their
passwords for all to see.  The user will try to use an insecure
protocol; it will fail, *and* it will fail *before* they transmit their
password.

i.e.  1.  connection attempt begins
      2.  client sends username in response to server prompts
      3.  client sends password in response to server prompts

All of that is done automatically, behind the scenes - it's not the user
waiting for the prompt, the software is doing it.

Just recently, there's been a bit of an overdue push to do this, at long
last, thanks to the number of compromised accounts out there in the
world wide web.  Either by getting rid of insecure services, or by
taking the insecure options out of services that can handle multiple
protocols, such as setting up mail servers to require encrypted
passwords.  Clients will be stopped before step 3, in my list above,
because the server won't send the prompt the client is waiting for
before it sends the password.

Unfortunately, it's causing problems for people, because too many
clients are crap at doing anything other than plain logins, a plethora
of alternative methods abounds, and people aren't that good at
understanding this.  Now you see a few clients offering more of a guided
tour of configuring them, with a step being to probe the server to see
what it supports before it asks the user which details to fill in.

-- 
[tim at localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64

All mail to my mailbox is automatically deleted, there is no point
trying to privately email me, I will only read messages posted to the
public lists.

George Orwell's '1984' was supposed to be a warning against tyranny, not
a set of instructions for supposedly democratic governments.
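The three-step login sequence Tim describes, and the "stopped before step 3" effect of a server that refuses to prompt for a password over a cleartext channel, as an added example that is not part of the original post or of vsftpd. It is a constructed in-memory model of an FTP control channel, not a network client: the `FtpServer` class, the `wire` list standing in for what a sniffer would see, and the `require_tls` flag (modelling vsftpd's `force_local_logins_ssl=YES`) are all assumptions made here for illustration. The reply strings mirror vsftpd's wording but no real server is contacted.

```python
from dataclasses import dataclass, field


@dataclass
class FtpServer:
    """Minimal model of an FTP control channel: USER -> 331 -> PASS -> 230.

    require_tls=True models vsftpd's force_local_logins_ssl=YES: a USER sent
    over a cleartext channel is refused outright, so the client never gets
    the 331 prompt that would make it send PASS (step 3 in the post).
    This is a constructed simulation, not vsftpd's code.
    """
    require_tls: bool
    tls_active: bool = False
    wire: list = field(default_factory=list)   # what a sniffer on the path sees

    def handle(self, line: str) -> str:
        # Everything after a successful AUTH TLS is ciphertext on the wire.
        self.wire.append("<encrypted>" if self.tls_active else line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "AUTH" and arg.upper() == "TLS":
            self.tls_active = True
            return "234 Proceed with negotiation."
        if verb == "USER":
            if self.require_tls and not self.tls_active:
                return "530 Non-anonymous sessions must use encryption."
            return "331 Please specify the password."
        if verb == "PASS":
            return "230 Login successful."
        return "500 Unknown command."


def ftp_login(server: FtpServer, user: str, password: str, use_tls: bool):
    """Steps 1-3 from the post, driven by the client software automatically.

    Returns (logged_in, password_sent). The password is only ever sent in
    response to a 331 prompt, exactly as a real client behaves.
    """
    if use_tls:
        # Client upgrades the control channel before authenticating.
        if not server.handle("AUTH TLS").startswith("234"):
            return False, False
    # Step 2: username in response to the server's prompt.
    if not server.handle(f"USER {user}").startswith("331"):
        # Refused before step 3: no password has touched the wire.
        return False, False
    # Step 3: password, only because the server asked for it.
    return server.handle(f"PASS {password}").startswith("230"), True


def password_on_wire(server: FtpServer, password: str) -> bool:
    """True if the cleartext password appears anywhere a sniffer could see it."""
    return any(password in line for line in server.wire)


if __name__ == "__main__":
    # Constructed scenarios; "hunter2" is a placeholder password.
    for require_tls, use_tls in [(False, False), (True, False), (True, True)]:
        s = FtpServer(require_tls=require_tls)
        ok, sent = ftp_login(s, "tim", "hunter2", use_tls)
        print(f"server requires TLS={require_tls} client uses TLS={use_tls}: "
              f"logged_in={ok} password_sent={sent} "
              f"leaked={password_on_wire(s, 'hunter2')}")
```

The middle scenario is the one the post is about: the old plaintext client still tries, but because the server answers USER with a 530 instead of a 331, the automatic exchange stops at step 2 and the password never leaves the machine. On a real vsftpd the equivalent settings are `ssl_enable=YES`, `force_local_logins_ssl=YES` and `force_local_data_ssl=YES` in vsftpd.conf; removing the package altogether, as the quoted guide suggests, closes the cleartext port rather than just refusing logins on it.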