Is there any advantage in using an FTPd in a chroot environment over using SFTP that is standard with SSHd?

asked 10 May '10, 16:21

ranxxerox
If you are transferring content that might have legal, personal, or financial information, make sure your organization understands its liabilities and possible compliance obligations.

The only compelling reasons I can think of are when you have customers that are unable to connect using an ssh/tls/sftp capable client, or they are using an embedded device for ftp, or the security of account credentials is essentially worthless and the data does not contain personally identifiable materials. If you have actual security concerns, do not use ftp and discourage your clients from using it. Anyhow, the benefits of ftp as a protocol have mostly been surpassed by https POST, PUT, and/or webdav.

Of course there are lots of howtos on the Internet providing instructions for things that are not best practice. I wouldn't misconstrue their presence as much wisdom, only prevalence. Password sniffing is easy. Consult SANS and research the topic "defense in depth."

answered 11 May '10, 06:23

memnoch_proxy

FTP transmits the password in plain text, so unless you're going over a local network, use SFTP (or some other more secure method).

answered 10 May '10, 17:26

mackal

I know that sftp is more secure, I'm looking for reasons to use ftp over sftp because I keep seeing guides and articles about ftp servers and wonder why anyone would go through all that trouble when 99% of linux servers have sftp baked in.

(10 May '10, 23:40) ranxxerox

rssh provides the best of both worlds: you chroot users, restrict them to just sftp access, lots of good stuff http://www.pizzashack.org/rssh/ ; also, modern versions of openssh support chroot.

answered 11 May '10, 02:31

Aaron 1

Apart from the obvious difference that ftp is cleartext and sftp is encrypted, FTP is an old technology and people generally recommend moving to newer alternatives such as rssh/ssh/sftp, as its implementation is flawed in the modern age. It should be noted that FTP uses different ports for control data (TCP: 20) and another port for transferring data (TCP: 21). With organisations using stateful firewalls this can cause issues when trying to transfer data. This is better described in the below link outlining the differences between Active/Passive mode. SFTP only uses one port and does not have these drawbacks.

http://slacksite.com/other/ftp.html

I know this specifically does not answer your question but may be a consideration when you are choosing which to go with.

answered 12 May '10, 22:25

gjcwilliams
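To make the two points above concrete (mackal's: the password crosses the wire in clear text; gjcwilliams': the data transfer happens on a second TCP connection whose endpoint is negotiated inside the control channel, which is what a stateful firewall has to follow), here is an added example that is not from any of the posters. It walks a constructed FTP control-channel transcript the way a firewall ALG or IDS would, decodes the PORT/PASV endpoints (six decimal bytes, port = p1*256 + p2, per RFC 959, which assigns TCP/21 to the control connection and TCP/20 as the server's source port for active-mode data), and flags the cleartext PASS command without recording the secret. The "C:"/"S:" line prefixes and every address, name and password in the sample are invented for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of one FTP control-channel session as seen on TCP/21.
# "C:" marks client lines, "S:" server lines (prefixes are this example's
# own convention). Credentials and addresses are invented.
SAMPLE_SESSION = """\
S: 220 example-ftpd ready
C: USER alice
S: 331 Password required for alice
C: PASS hunter2
S: 230 User alice logged in
C: PORT 192,168,1,5,4,1
S: 200 PORT command successful
C: LIST
S: 150 Opening ASCII mode data connection
S: 226 Transfer complete
C: PASV
S: 227 Entering Passive Mode (203,0,113,10,195,80)
C: RETR report.pdf
S: 150 Opening BINARY mode data connection
S: 226 Transfer complete
C: QUIT
"""


@dataclass
class Finding:
    line_no: int
    kind: str    # cleartext_password | active_data_channel | passive_data_channel
    detail: str


# Active mode: client tells the server where to connect (server connects FROM TCP/20).
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
# Passive mode: server tells the client which address/port to connect TO.
_PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_endpoint(h1, h2, h3, h4, p1, p2) -> str:
    """RFC 959 encodes an IPv4 address and a 16-bit port as six decimal bytes."""
    return f"{h1}.{h2}.{h3}.{h4}:{int(p1) * 256 + int(p2)}"


def analyse_session(transcript: str) -> List[Finding]:
    """Return the security-relevant events in a control-channel transcript.

    A stateful firewall needs exactly the endpoint information extracted here
    to open the data connection; an IDS uses the same parse to alert on
    cleartext authentication. The password itself is never stored.
    """
    findings: List[Finding] = []
    for n, raw in enumerate(transcript.splitlines(), start=1):
        if ":" not in raw:
            continue
        side, _, line = raw.partition(":")
        line = line.strip()
        if side.strip() == "C":
            if line.upper().startswith("PASS "):
                # The secret is visible on the wire; record the event, redact the value.
                findings.append(Finding(n, "cleartext_password", "PASS <redacted>"))
            m = _PORT_RE.match(line)
            if m:
                ep = decode_endpoint(*m.groups())
                findings.append(Finding(n, "active_data_channel",
                                        f"server will connect to client {ep}"))
        else:
            m = _PASV_RE.match(line)
            if m:
                ep = decode_endpoint(*m.groups())
                findings.append(Finding(n, "passive_data_channel",
                                        f"client will connect to server {ep}"))
    return findings


if __name__ == "__main__":
    for f in analyse_session(SAMPLE_SESSION):
        print(f"line {f.line_no:2d}  {f.kind:22s} {f.detail}")
```

Running it shows the three things a packet filter on the path has to deal with: an authentication it can read, an inbound connection to the client's ephemeral port (active mode, which a client-side stateful firewall will usually drop), and an outbound connection to an arbitrary high port on the server (passive mode, which a server-side firewall must allow or track). With SFTP all of this rides inside the single encrypted SSH connection on TCP/22, so there is nothing to parse and nothing to open.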

These are two different things. A chroot'ed program runs in a restricted environment, meaning it should not interfere with other parts of the system. This is more in the realm of the OS.

Whether the data is transferred in the open or encrypted is the job of the server software (and what the client can accept). You suggest sftp, but other protocols are possible (https and ssh are other possibilities).

In short, any program can be chroot'ed. Transferral of the data (open/encrypted) depends on the software (server AND client).

In your case, if users are pulling data from your server, I would recommend sftp (https may also be a possibility, and users won't need another client).

If your server is behind a well-kept firewall, and the server software is well behaved, you may not need chroot. The cost of chroot is just the installation (recreate the environment, copy files to the chroot'ed new directory structure, remembering to update). It is only done once, and may give you a little more peace of mind.

Sorry it went so long.

answered 13 May '10, 23:11

LiquidPaper
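Aaron 1 mentions that modern OpenSSH can chroot users itself, and LiquidPaper describes the cost of building a chroot (copying binaries and libraries in and keeping them updated). The two fit together: with sshd's ChrootDirectory plus ForceCommand internal-sftp the file-transfer code runs inside the sshd process, so the chroot needs no binaries at all. What people get wrong is leaving the other escape hatches open in the Match block. The following added example, not from any poster here, embeds a constructed weak sshd_config fragment beside a hardened one and audits every Match block that sets ChrootDirectory for the directives an sftp-only chroot should carry. The directive names are OpenSSH's own; the group name sftponly and the /srv/sftp path are assumptions. One thing no config parser can check is enforced by sshd at runtime: the chroot path and every component above it must be owned by root and not writable by group or others.

```python
from typing import Dict, List, Tuple

# Two constructed sshd_config fragments (group name and path are assumptions).
WEAK_CONFIG = """\
Subsystem sftp /usr/lib/openssh/sftp-server
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
"""

HARDENED_CONFIG = """\
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp     # in-process sftp: no binaries needed in the chroot
    AllowTcpForwarding no          # no port forwarding through the chrooted session
    X11Forwarding no
    PermitTunnel no
    AllowAgentForwarding no
"""

# Directives an sftp-only chroot block should carry (lower-cased name -> value).
REQUIRED = {
    "forcecommand": "internal-sftp",
    "allowtcpforwarding": "no",
    "x11forwarding": "no",
    "permittunnel": "no",
    "allowagentforwarding": "no",
}

Directives = Dict[str, str]


def parse_sshd_config(text: str) -> Tuple[Directives, List[Tuple[str, Directives]]]:
    """Split sshd_config text into global directives and Match blocks.

    Returns (global_directives, [(match_criteria, block_directives), ...]).
    Keyword names are case-insensitive in sshd_config, so keys are lower-cased;
    comments and blank lines are dropped.
    """
    global_d: Directives = {}
    blocks: List[Tuple[str, Directives]] = []
    current = global_d
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            # Everything after a Match line belongs to that block until the next Match.
            current = {}
            blocks.append((value, current))
        else:
            current[key] = value
    return global_d, blocks


def audit_chroot_blocks(text: str) -> List[str]:
    """List missing or wrong hardening directives in every chrooted Match block."""
    _, blocks = parse_sshd_config(text)
    problems: List[str] = []
    for criteria, d in blocks:
        if "chrootdirectory" not in d:
            continue
        for key, want in REQUIRED.items():
            got = d.get(key)
            if got is None:
                problems.append(f"Match {criteria}: missing '{key} {want}'")
            elif got.lower() != want:
                problems.append(f"Match {criteria}: '{key}' is '{got}', expected '{want}'")
    return problems


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit_chroot_blocks(cfg)
        print(f"{name}: {'ok' if not found else ''}")
        for p in found:
            print("  -", p)
```

The weak fragment is the one most of the older howtos stop at: the user is chrooted, but without ForceCommand internal-sftp they still get whatever the global Subsystem points at (which will not even exist inside the chroot), and with forwarding left on the account can still be used as a tunnel endpoint even though it can never reach a shell. Run `sshd -t` after editing to have sshd itself check the syntax.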


Asked: 10 May '10, 16:21

Seen: 3,483 times

Last updated: 13 May '10, 23:11

powered by OSQA