why would using "sftp" require disabling "vsftpd"?

Matthew Miller mattdm at fedoraproject.org
Fri Feb 7 05:55:18 UTC 2014


On Thu, Feb 06, 2014 at 05:38:35PM -0500, Robert P. J. Day wrote:
> "For SSH to be truly effective, using insecure connection protocols
> should be prohibited. Otherwise, a user's password may be protected
> using SSH for one session, only to be captured later while logging in
> using Telnet. Some services to disable include telnet, rsh, rlogin,
> and vsftpd."
> 
>   never having used sftp before, i'm confused ... isn't sftp simply a
> secure ftp client? and if so, why would one want to disable vsftpd? i
> would still need an ftp server, would i not? can someone clarify what
> that passage is saying? thanks.

sftp is actually a completely different protocol -- it does file transfer
over an ssh channel established on the ssh port. This encrypts any passwords
in transit, or can be used with ssh keys so passwords are not ever used.

By contrast, despite having the substring sftp in its name, vsftpd is a
standard FTP server and by default transmits any passwords in plain text.
Although to add some complication, vsftpd supports SSL, which is a
relatively recent extension to the FTP protocol and may not work with all
traditional ftp clients.

If you are using passwords with sftp or with vsftpd over ssl, your security
exposure will be roughly the same. Or, if you are using vsftpd simply to
provide anonymous FTP and no one is logging in with passwords, the two can
simply coexist in different roles. The documentation means to warn you that
with vsftpd in its non-SSL configuration (which is the default, I'm pretty
sure), any passwords or other sensitive information transferred will go in
plain text on the wire (or through the air with wireless, of course).



-- 
Matthew Miller    --   Fedora Project    --    <mattdm at fedoraproject.org>
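The three cases the reply above distinguishes (password in the clear, password protected by FTP's AUTH TLS extension, and anonymous logins where no real password is sent) as an added example that is not part of the original thread: a small Python classifier run over constructed FTP control-channel transcripts. It assumes the transcript is readable as plain text and relies only on the standard reply codes (234 for an accepted AUTH, per RFC 4217); all function and sample names are the example's own.

```python
# Classify FTP control-channel logins by how the password travelled.
# Transcripts below are constructed; in a real capture the lines after a
# successful AUTH TLS would be encrypted and unreadable.

ANONYMOUS_USERS = {"anonymous", "ftp"}


def classify_ftp_login(session):
    """session: list of (direction, line), "C" = client, "S" = server.
    Returns "anonymous", "tls-protected", "plaintext" or "no-login"."""
    tls_active = awaiting_auth_reply = False
    user = None
    for direction, line in session:
        if direction == "C":
            verb, _, arg = line.strip().partition(" ")
            verb, arg = verb.upper(), arg.strip()
            if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
                awaiting_auth_reply = True  # only a 234 reply turns TLS on
            elif verb == "USER":
                user = arg.lower()
            elif verb == "PASS":
                if user in ANONYMOUS_USERS:
                    return "anonymous"  # password is only a courtesy e-mail
                return "tls-protected" if tls_active else "plaintext"
        elif awaiting_auth_reply:
            # RFC 4217: 234 means the server accepted AUTH and the TLS
            # handshake follows; any other code leaves the channel in clear.
            tls_active = line[:3] == "234"
            awaiting_auth_reply = False
    return "no-login"


def summarize(sessions):
    """Count sessions per category, e.g. to flag plaintext logins for review."""
    counts = {}
    for s in sessions:
        kind = classify_ftp_login(s)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample transcripts (not real captures).
BANNER = ("S", "220 FTP server ready.")
LOGIN = [("C", "USER alice"), ("S", "331 Please specify the password."),
         ("C", "PASS hunter2"), ("S", "230 Login successful.")]
PLAINTEXT = [BANNER] + LOGIN
TLS = [BANNER, ("C", "AUTH TLS"), ("S", "234 Proceed with negotiation.")] + LOGIN
AUTH_REFUSED = [BANNER, ("C", "AUTH TLS"), ("S", "502 Command not implemented.")] + LOGIN
ANON = [BANNER, ("C", "USER anonymous"), ("S", "331 Please specify the password."),
        ("C", "PASS guest@example.org"), ("S", "230 Login successful.")]
```

Note that a client whose AUTH TLS is refused and then sends PASS anyway is classified as plaintext, which is the case the quoted documentation warns about.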
