[WEB4LIB] Need for secure file transfer?

Mark Pecaut pecautm at missouri.edu
Wed Dec 6 15:00:17 EST 2000


On Wed, Dec 06, 2000 at 11:15:17AM -0800, Jennifer Heise wrote:
> Got a question for you all. Are your campuses/sites working on
> converting
> from regular FTP/publishing to 'secure file transfer' where passwords,
> etc. are encoded at the user end? Our campus is phasing out ordinary
> telnet and ftp access to all major machines (both SGI and iBM-AIX),
> as well as non-secure passworded web access (done via .htaccess on our
> Apache web server). Apparently this is due to the existence of a LINUX
> application that can sniff passwords on the local subnet.

Applications like this exist for Windows and probably every other
operating system. The problem is that the password is sent as
plain-text over the network, not the existence of a network sniffer
for linux.

> 
> Have you found any web design programs that incorporate 'secure file
> transfer'? We've just taught a bunch of people to use Dreamweaver's
> Site management and are dismayed to find that soon the uploading will
> no longer work!

You should be comforted by the fact that it will be harder for 
crackers to deface your website by stealing your password.

If these programs use standard ftp, they can be used over ssh (secure
shell) with ssh's port forwarding features.  The only thing is that 
the server admins must still allow ftp from the server itself (use tcp
wrappers or a firewall or something like that).  

Here is the way this works:
1) You tell your ssh program to forward ports 21 and 20 from your computer
to your server. (ftp runs over ports 20 and 21). 
2) You login to your server with ssh.  
3) You ftp to `localhost'.  Here you are ftping to your ssh program, which
is forwarding the request to the server for you.  The server
thinks someone logged in locally is trying to connect (true), so it allows
the connection.  The password is safe.  

You should probably discuss this with the server administrators

By the way, I think you are lucky to have what sounds like very 
compentent server admins.  I am familiar with several servers
with very stupid administrators.  These systems are just asking
to be broken into.

-Mark 


More information about the Web4lib mailing list