again, reading RHEL 7-beta docs and here:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/...
one reads:
"For SSH to be truly effective, using insecure connection protocols should be prohibited. Otherwise, a user's password may be protected using SSH for one session, only to be captured later while logging in using Telnet. Some services to disable include telnet, rsh, rlogin, and vsftpd."
never having used sftp before, i'm confused ... isn't sftp simply a secure ftp client? and if so, why would one want to disable vsftpd? i would still need an ftp server, would i not? can someone clarify what that passage is saying? thanks.
rday
On 02/06/2014 05:38 PM, Robert P. J. Day wrote:
again, reading RHEL 7-beta docs and here:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/...
one reads:
"For SSH to be truly effective, using insecure connection protocols should be prohibited. Otherwise, a user's password may be protected using SSH for one session, only to be captured later while logging in using Telnet. Some services to disable include telnet, rsh, rlogin, and vsftpd."
never having used sftp before, i'm confused ... isn't sftp simply a secure ftp client? and if so, why would one want to disable vsftpd? i would still need an ftp server, would i not? can someone clarify what that passage is saying? thanks.
Actually 'sftp' is a special interface to ssh that looks and acts like ftp, but doesn't use the ftp protocol. You do not need to maintain a vsftpd server to support folks using sftp.
On Thu, Feb 06, 2014 at 05:38:35PM -0500, Robert P. J. Day wrote:
again, reading RHEL 7-beta docs and here:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/...
one reads:
"For SSH to be truly effective, using insecure connection protocols should be prohibited. Otherwise, a user's password may be protected using SSH for one session, only to be captured later while logging in using Telnet. Some services to disable include telnet, rsh, rlogin, and vsftpd."
never having used sftp before, i'm confused ... isn't sftp simply a secure ftp client? and if so, why would one want to disable vsftpd? i would still need an ftp server, would i not? can someone clarify what that passage is saying? thanks.
rday
AFAIK, sftp uses the sshd server, just as does ssh.
On 06.02.2014 23:38, Robert P. J. Day wrote:
again, reading RHEL 7-beta docs and here:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/...
one reads:
"For SSH to be truly effective, using insecure connection protocols should be prohibited. Otherwise, a user's password may be protected using SSH for one session, only to be captured later while logging in using Telnet. Some services to disable include telnet, rsh, rlogin, and vsftpd."
never having used sftp before, i'm confused ... isn't sftp simply a secure ftp client? and if so, why would one want to disable vsftpd? i would still need an ftp server, would i not? can someone clarify what that passage is saying? thanks.
rday
Stop reading RHEL7 documentation! You confuse yourself. Learn to distinguish a program(client and server) from a protocol!
Secure File Transfer Protocol
/etc/ssh/sshd_config
Subsystem sftp /usr/libexec/openssh/sftp-server
man 5 sshd_config
man 8 sftp-server
man 1 sftp
5+8+1=13!
poma
On Fri, 07 Feb 2014 01:14:05 +0100 poma pomidorabelisima@gmail.com wrote:
Secure File Transfer Protocol
/etc/ssh/sshd_config
Subsystem sftp /usr/libexec/openssh/sftp-server
man 5 sshd_config
man 8 sftp-server
man 1 sftp
5+8+1=13!
Sorry, I failed to understand what you meant with this last bit about sum to 13. Care to elaborate, please?
Best, :-) Marko
On Thu, Feb 06, 2014 at 05:38:35PM -0500, Robert P. J. Day wrote:
"For SSH to be truly effective, using insecure connection protocols should be prohibited. Otherwise, a user's password may be protected using SSH for one session, only to be captured later while logging in using Telnet. Some services to disable include telnet, rsh, rlogin, and vsftpd."
never having used sftp before, i'm confused ... isn't sftp simply a secure ftp client? and if so, why would one want to disable vsftpd? i would still need an ftp server, would i not? can someone clarify what that passage is saying? thanks.
sftp is actually a completely different protocol -- it does file transfer over an ssh channel established on the ssh port. This encrypts any passwords in transit, or can be used with ssh keys so passwords are not ever used.
By contrast, despite having the substring sftp in its name, vsftpd is a standard FTP server and by default transmits any passwords in plain text. Although to add some complication, vsftpd supports SSL, which is a relatively recent extension to the FTP protocol and may not work with all traditional ftp clients.
If you are using passwords with sftp or with vsftpd over ssl, your security exposure will be roughly the same. Or, if you are using vsftpd simply to provide anonymous FTP and no one is logging in with passwords, the two can simply coexist in different roles. The documentation means to warn you that vsftpd in its non-SSL configuration (which is the default, I'm pretty sure), any passwords or other sensitive information transferred will go in plain text on the wire (or through the air with wireless, of course).
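To make the distinction Matthew draws concrete, here is an added audit script (my own, not part of this thread nor of OpenSSH or vsftpd) that reads a constructed sshd_config and three constructed vsftpd.conf variants and reports whether a local user's password would cross the wire in clear text. The option names are real sshd_config(5) and vsftpd.conf(5) keywords; the defaults assumed for absent keys are taken from vsftpd.conf(5) and are my assumption, not something the thread states.

```python
# Constructed sample configs (not from any real host); option names are real
# sshd_config(5) / vsftpd.conf(5) keywords.
SSHD_CONFIG = """\
Port 22
PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
"""
VSFTPD_DEFAULT = """\
# local logins, no TLS: the stock-style setup the thread warns about
anonymous_enable=NO
local_enable=YES
"""
VSFTPD_SSL = """\
# FTPS: TLS must be up before a local login is accepted
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
"""
VSFTPD_ANON = """\
# anonymous FTP only, nobody types a password
anonymous_enable=YES
local_enable=NO
"""

def parse_vsftpd(text):
    """vsftpd.conf is key=value, one per line; '#' lines are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip().upper()
    return conf

def sftp_subsystem(text):
    """Path of the sftp-server sshd would spawn, or None if no sftp subsystem.
    Keywords are case-insensitive; the next two fields are name and command."""
    for raw in text.splitlines():
        f = raw.split()
        if len(f) >= 3 and f[0].lower() == "subsystem" and f[1] == "sftp":
            return f[2]
    return None

def vsftpd_password_exposure(text):
    """How a local user's password crosses the wire under this vsftpd config.
    Assumed defaults for absent keys (per vsftpd.conf(5)): local_enable=NO,
    ssl_enable=NO, force_local_logins_ssl=YES."""
    conf = parse_vsftpd(text)
    if conf.get("local_enable", "NO") != "YES":
        return "no-passwords"   # anonymous-only, or no logins at all
    if conf.get("ssl_enable", "NO") != "YES":
        return "plaintext"      # classic FTP: USER/PASS readable on the wire
    if conf.get("force_local_logins_ssl", "YES") == "YES":
        return "encrypted"      # FTPS: login refused unless TLS is negotiated
    return "optional"           # TLS offered, but a clear-text login still works

def audit(sshd_text, vsftpd_text):
    """Two one-line verdicts an admin can act on."""
    path = sftp_subsystem(sshd_text)
    return [
        "sftp over sshd: " + (f"enabled via {path}" if path else "NOT configured"),
        f"vsftpd password exposure: {vsftpd_password_exposure(vsftpd_text)}",
    ]
```

Call `audit(SSHD_CONFIG, VSFTPD_DEFAULT)` for the stock-style verdicts, then swap in `VSFTPD_SSL` or `VSFTPD_ANON` to see how the FTPS and anonymous-only cases differ.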
On 07Feb2014 00:55, Matthew Miller mattdm@fedoraproject.org wrote:
On Thu, Feb 06, 2014 at 05:38:35PM -0500, Robert P. J. Day wrote:
"For SSH to be truly effective, using insecure connection protocols should be prohibited. Otherwise, a user's password may be protected using SSH for one session, only to be captured later while logging in using Telnet. Some services to disable include telnet, rsh, rlogin, and vsftpd."
never having used sftp before, i'm confused ... isn't sftp simply a secure ftp client? and if so, why would one want to disable vsftpd? i would still need an ftp server, would i not? can someone clarify what that passage is saying? thanks.
sftp is actually a completely different protocol -- it does file transfer over an ssh channel established on the ssh port. This encrypts any passwords in transit, or can be used with ssh keys so passwords are not ever used.
By contrast, despite having the substring sftp in its name, vsftpd is a standard FTP server and by default transmits any passwords in plain text. Although to add some complication, vsftpd supports SSL, which is a relatively recent extension to the FTP protocol and may not work with all traditional ftp clients.
And, to add confusion, FTP-over-SSL is often referred to as "FTPS". Versus sftp being an ftp-like command line protocol run over ssh.
I've had to deal with people who confused the two.
Cheers,
On 07.02.2014 02:04, Marko Vojinovic wrote:
On Fri, 07 Feb 2014 01:14:05 +0100 poma pomidorabelisima@gmail.com wrote:
Secure File Transfer Protocol
/etc/ssh/sshd_config
Subsystem sftp /usr/libexec/openssh/sftp-server
man 5 sshd_config
man 8 sftp-server
man 1 sftp
5+8+1=13!
Sorry, I failed to understand what you meant with this last bit about sum to 13. Care to elaborate, please?
Best, :-) Marko
:) Thanks for asking! Actually with that phrase I stress somewhat of a misnomer for the program - "sftp". Some kind of comparison would be, if something like a web browser gets the name as "http".
poma
The man command in a terminal displays manual pages in Linux.
In a terminal, type `man sshd_config` and read the page, then `man sftp` and read that one, and so on. Roger
On 07.02.2014 02:04, Marko Vojinovic wrote:
On Fri, 07 Feb 2014 01:14:05 +0100 poma pomidorabelisima@gmail.com wrote:
Secure File Transfer Protocol
/etc/ssh/sshd_config
Subsystem sftp /usr/libexec/openssh/sftp-server
man 5 sshd_config
man 8 sftp-server
man 1 sftp
5+8+1=13!
Sorry, I failed to understand what you meant with this last bit about sum to 13. Care to elaborate, please?
Best, :-) Marko
:) Thanks for asking! Actually with that phrase I stress somewhat of a misnomer for the program - "sftp". Some kind of comparison would be, if something like a web browser gets the name as "http".
poma
On Fri, 07 Feb 2014 08:30:26 +0100 poma pomidorabelisima@gmail.com wrote:
On 07.02.2014 02:04, Marko Vojinovic wrote:
On Fri, 07 Feb 2014 01:14:05 +0100 poma pomidorabelisima@gmail.com wrote:
Secure File Transfer Protocol
/etc/ssh/sshd_config
Subsystem sftp /usr/libexec/openssh/sftp-server
man 5 sshd_config
man 8 sftp-server
man 1 sftp
5+8+1=13!
Sorry, I failed to understand what you meant with this last bit about sum to 13. Care to elaborate, please?
:) Thanks for asking! Actually with that phrase I stress somewhat of a misnomer for the program - "sftp". Some kind of comparison would be, if something like a web browser gets the name as "http".
Maybe I'm just dense today...
I understood your answer to the OP regarding the difference between protocols, clients and stuff. What I didn't understand was the connection of all that to the statement
5+8+1=13!
I mean, given that 5+8+1=14, am I missing some non-obvious humor here? I really don't get it...
Best, :-) Marko
On Fri, Feb 07, 2014 at 08:30:26AM +0100, poma wrote:
Thanks for asking! Actually with that phrase I stress somewhat of a misnomer for the program - "sftp". Some kind of comparison would be, if something like a web browser gets the name as "http".
Sure:
telnet and telnetd
rlogin and rlogind
ssh and sshd
ftp and ftpd
Which actually makes me surprised there wasn't a `http` client sooner. Not surprisingly, there actually _is_ one in Fedora -- try `yum install /usr/bin/http`. And it actually looks kind of nice. It's got colors. :)
On Thu, 6 Feb 2014, Tim Evans wrote:
On 02/06/2014 05:38 PM, Robert P. J. Day wrote:
again, reading RHEL 7-beta docs and here:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/...
one reads:
"For SSH to be truly effective, using insecure connection protocols should be prohibited. Otherwise, a user's password may be protected using SSH for one session, only to be captured later while logging in using Telnet. Some services to disable include telnet, rsh, rlogin, and vsftpd."
never having used sftp before, i'm confused ... isn't sftp simply a secure ftp client? and if so, why would one want to disable vsftpd? i would still need an ftp server, would i not? can someone clarify what that passage is saying? thanks.
Actually 'sftp' is a special interface to ssh that looks and acts like ftp, but doesn't use the ftp protocol. You do not need to maintain a vsftpd server to support folks using sftp.
yes, i realize that now ... having never used sftp before and based on something i clearly misread, i had assumed sftp was simply a more secure ftp client to talk to an *existing* ftp server; i know better now.
and as for the admonition to *not* read RHEL 7 docs, given that RHEL 7 will allegedly be based on fedora 19 (more precisely, what appears to be a mix of fedora 18, 19, and 20), i would think that the current RHEL 7 beta docs online should at least be moderately relevant with respect to fedora.
rday
On 02/06/2014 09:55 PM, Matthew Miller issued this missive:
On Thu, Feb 06, 2014 at 05:38:35PM -0500, Robert P. J. Day wrote:
<snip>
By contrast, despite having the substring sftp in its name, vsftpd is a standard FTP server and by default transmits any passwords in plain text.
It's only called "vsftpd" because it's the "very secure FTP daemon". A MUCH better replacement for the old, commonly used wu-ftpd (Washington University FTP daemon), which had a large number of security holes. And yes, it's just an FTP daemon, but one of the few that supports FTPS (FTP over SSL).
As someone else said, sftp (using ssh) is a much more firewall-friendly mechanism and one that does not pass ANYTHING over the link unencrypted.
- Rick Stevens, Systems Engineer, AllDigital ricks@alldigital.com
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2
- Have you noticed that "human readable" configuration file directives are beginning to resemble COBOL code?
On Feb 7, 2014 4:47 AM, "Robert P. J. Day" rpjday@crashcourse.ca wrote:
On Thu, 6 Feb 2014, Tim Evans wrote:
On 02/06/2014 05:38 PM, Robert P. J. Day wrote:
again, reading RHEL 7-beta docs and here:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/...
one reads:
"For SSH to be truly effective, using insecure connection protocols should be prohibited. Otherwise, a user's password may be protected using SSH for one session, only to be captured later while logging in using Telnet. Some services to disable include telnet, rsh, rlogin, and vsftpd."
never having used sftp before, i'm confused ... isn't sftp simply a secure ftp client? and if so, why would one want to disable vsftpd? i would still need an ftp server, would i not? can someone clarify what that passage is saying? thanks.
Actually 'sftp' is a special interface to ssh that looks and acts like ftp, but doesn't use the ftp protocol. You do not need to maintain a vsftpd server to support folks using sftp.
yes, i realize that now ... having never used sftp before and based on something i clearly misread, i had assumed sftp was simply a more secure ftp client to talk to an *existing* ftp server; i know better now.
and as for the admonition to *not* read RHEL 7 docs, given that RHEL 7 will allegedly be based on fedora 19 (more precisely, what appears to be a mix of fedora 18, 19, and 20), i would think that the current RHEL 7 beta docs online should at least be moderately relevant with respect to fedora.
rday
This is correct. In fact, many RH writers also volunteer their time in Fedora Docs, and the maintainers of the System Administrators Guide are among the most active Fedora writers. The content is CC-BY-SA both ways, and often freely shared.
Just like with software, your testing and feedback is valuable and appreciated. There are bugzilla components for both RHEL and Fedora documentation. Any report of inaccuracies or requests for clarification/enhancement are welcome, though I do try to watch a few lists for such things too :)
--Pete
Allegedly, on or about 06 February 2014, Robert P. J. Day sent:
"For SSH to be truly effective, using insecure connection protocols should be prohibited. Otherwise, a user's password may be protected using SSH for one session, only to be captured later while logging in using Telnet. Some services to disable include telnet, rsh, rlogin, and vsftpd."
never having used sftp before, i'm confused ... isn't sftp simply a secure ftp client? and if so, why would one want to disable vsftpd? i would still need an ftp server, would i not? can someone clarify what that passage is saying? thanks.
You need to stop people from making connections to anything that allows the encrypted transmission of passwords. Hence why removing vsftpd (and other unsafe protocols).
If insecure servers are removed, users aren't transmitting their passwords for all to see. The user will try to use an insecure protocol, it will fail, *and* it will fail *before* they transmit their password.
i.e.
1. connection attempt begins
2. client sends username in response to server prompts
3. client sends password in response to server prompts
All of that is done automatically, behind the scenes - it's not the user waiting for the prompt, the software is doing it.
Just recently, there's been a bit of an overdue push to do this, at long last, thanks to the number of compromised accounts out there in the world wide web. Either by getting rid of insecure services, or taking away the insecure options out of services that can handle multiple protocols. Such as setting up mail servers to require encrypted passwords. Clients will be stopped before step 3, in my list above, because the server won't send the prompt the client is waiting for, for it to send the password.
Unfortunately, it's causing problems for people, because too many clients are crap at doing anything other than plain logins, a plethora of alternative methods abound, and people aren't that good at understanding this. Now, you see a few clients having more of a guided tour of configuring them, with a step being to probe the server to see what it supports, before it asks the user which details to fill in.
On 07.02.2014 10:08, Marko Vojinovic wrote:
On Fri, 07 Feb 2014 08:30:26 +0100 poma pomidorabelisima@gmail.com wrote:
On 07.02.2014 02:04, Marko Vojinovic wrote:
On Fri, 07 Feb 2014 01:14:05 +0100 poma pomidorabelisima@gmail.com wrote:
Secure File Transfer Protocol
/etc/ssh/sshd_config
Subsystem sftp /usr/libexec/openssh/sftp-server
man 5 sshd_config
man 8 sftp-server
man 1 sftp
5+8+1=13!
Sorry, I failed to understand what you meant with this last bit about sum to 13. Care to elaborate, please?
:) Thanks for asking! Actually with that phrase I stress somewhat of a misnomer for the program - "sftp". Some kind of comparison would be, if something like a web browser gets the name as "http".
Maybe I'm just dense today...
I understood your answer to the OP regarding the difference between protocols, clients and stuff. What I didn't understand was the connection of all that to the statement
5+8+1=13!
I mean, given that 5+8+1=14, am I missing some non-obvious humor here? I really don't get it...
Best, :-) Marko
The summands - the left side: "The partition numbers are counted from one, not from zero …" The sum - from the right side of the expression: "The number ‘0’ is the drive number, which is counted from zero." :) Actually the one on the left side is the surplus resulting due to improper naming scheme(sftp), compared to the previous two.
poma
On 07.02.2014 19:15, Pete Travis wrote:
On Feb 7, 2014 4:47 AM, "Robert P. J. Day" rpjday@crashcourse.ca wrote:
On Thu, 6 Feb 2014, Tim Evans wrote:
On 02/06/2014 05:38 PM, Robert P. J. Day wrote:
again, reading RHEL 7-beta docs and here:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/...
one reads:
"For SSH to be truly effective, using insecure connection protocols should be prohibited. Otherwise, a user's password may be protected using SSH for one session, only to be captured later while logging in using Telnet. Some services to disable include telnet, rsh, rlogin, and vsftpd."
never having used sftp before, i'm confused ... isn't sftp simply a secure ftp client? and if so, why would one want to disable vsftpd? i would still need an ftp server, would i not? can someone clarify what that passage is saying? thanks.
Actually 'sftp' is a special interface to ssh that looks and acts like ftp, but doesn't use the ftp protocol. You do not need to maintain a vsftpd server to support folks using sftp.
yes, i realize that now ... having never used sftp before and based on something i clearly misread, i had assumed sftp was simply a more secure ftp client to talk to an *existing* ftp server; i know better now.
and as for the admonition to *not* read RHEL 7 docs, given that RHEL 7 will allegedly be based on fedora 19 (more precisely, what appears to be a mix of fedora 18, 19, and 20), i would think that the current RHEL 7 beta docs online should at least be moderately relevant with respect to fedora.
rday
This is correct. In fact, many RH writers also volunteer their time in Fedora Docs, and the maintainers of the System Administrators Guide are among the most active Fedora writers. The content is CC-BY-SA both ways, and often freely shared.
Just like with software, your testing and feedback is valuable and appreciated. There are bugzilla components for both RHEL and Fedora documentation. Any report of inaccuracies or requests for clarification/enhancement are welcome, though I do try to watch a few lists for such things too :)
Excusez-moi, this is Community support for *Fedora* users list, *not* an "Rhel7-peap" list. So *this* documentation is relevant - complete or not, http://docs.fedoraproject.org/en-US/index.html And the documentation was not a problem. :) It should be read with understanding!
poma
On 07.02.2014 10:36, Matthew Miller wrote:
On Fri, Feb 07, 2014 at 08:30:26AM +0100, poma wrote:
Thanks for asking! Actually with that phrase I stress somewhat of a misnomer for the program - "sftp". Some kind of comparison would be, if something like a web browser gets the name as "http".
Sure:
telnet and telnetd
rlogin and rlogind
ssh and sshd
ftp and ftpd
Which actually makes me surprised there wasn't a `http` client sooner. Not surprisingly, there actually _is_ one in Fedora -- try `yum install /usr/bin/http`. And it actually looks kind of nice. It's got colors. :)
A colorized curl! :) BTW 'HTTPie' is a cool name, why change it in 'http'!?
The [d]aemons ending with 'd' regarding a naming scheme are OK, e.g.
/usr/sbin/smb[d]
/usr/sbin/ssh[d]
/usr/sbin/http[d]
/usr/sbin/vsftp[d]
/usr/sbin/rpc.gss[d]
/usr/sbin/rpc.nfs[d]
/usr/kerberos/sbin/ftp[d]
/usr/kerberos/sbin/telnet[d]
Others with original names, e.g. /usr/sbin/dropbear, and others less original, e.g. /usr/libexec/openssh/sftp-server, are also OK.
The clients which are distinguishable from the protocols are also OK, e.g.
/usr/bin/lynx
/usr/bin/lftp
/usr/bin/links
/usr/bin/elinks
/usr/bin/putty
/usr/bin/puttytel
/usr/bin/dbclient
/usr/bin/smbclient
All other apparently confuse people! :)
poma
On Fri, 7 Feb 2014, Pete Travis wrote:
... snip valuable context related to "sftp" ... :-)
... In fact, many RH writers also volunteer their time in Fedora Docs, and the maintainers of the System Administrators Guide are among the most active Fedora writers. The content is CC-BY-SA both ways, and often freely shared.
Just like with software, your testing and feedback is valuable and appreciated. There are bugzilla components for both RHEL and Fedora documentation. Any report of inaccuracies or requests for clarification/enhancement are welcome, though I do try to watch a few lists for such things too :)
FYI, i'm currently poring over the RHEL 7-Beta docs online and submitting numerous BZ reports as i'm teaching a local fedora admin course locally in a couple weeks (fedora 19, specifically), and i plan on using some of the RHEL 7-Beta docs as course material since so much of it is:
* very well written
* relevant for fedora 19
so, yes, i'm doing my part to make the docs better. always happy to help. :-)
rday