On Fri, Dec 17, 2004 at 09:43:05AM -0800, Nifty Hat Mitch wrote: > I happen to like vsftpd as suggested by Alexander. > You should also know that there are additional ftp choices. > One important one to consider is sftp/sftp-server: This isn't ftp at all - it's ssh with an ftp-like front-end. The File Transfer Protocol (FTP) is well documented in the RFCs and it's clear that sftp doesn't follow this protocol. sftp is an alternative file transfer mechanism but it has a large enough security hole in it (by default) that you can not possibly allow untrusted users to use it. > You should do some additional package searching so you > understand why we recommend vsftpd and also why most > of us turn off almost all forms of ftp and block ftp at > our firewall. Those of us who have to run large production FTP servers do not run vsftpd for non-anonymous connections - it's horribly weak in its configurability and by this nature alone, I consider it a security hole. What it does it may do securely, but again, you can only use vsftpd with a trusted user base. There are far better FTP servers for untrusted clients out there, including wu-ftpd and ProFTPd. Red Hat, even with its enterprise product, has chosen not to provide an enterprise-quality FTP server. -- Ed Wilts, RHCE Mounds View, MN, USA mailto:ewilts@xxxxxxxxxx Member #1, Red Hat Community Ambassador Program
