RE: ProFTP Forever Broken? (was Re: oBSD ftpd query)

You're better off using ssh and scp if you want to avoid insecure password


Thursday, September 16, 1999 3:44 PM
To: Theo de Raadt
Cc: misc@openbsd.org
Subject: Re: ProFTP Forever Broken? (was Re: oBSD ftpd query)

At 04:17 PM 9/16/99 -0600, Theo de Raadt wrote:
>> I rather suspect I'm going to have to break down and do same.  My FTP
>> runs FreeBSD though.  The ProFTP folks have been scrambling to close one
>> hole after another for the past couple weeks.  Seems like the Dutch Boy
>> with his finger in the Dike syndrome.  I read somewhere that it was
>> doubtful ProFTP would ever be secure without a total rewrite/redesign of
>> code, which is a shame because it is otherwise way cool.  Any of you
>> security gurus have an opinion on this?
>My opinion is that, seeing as they've not done a proactive audit
>(which means, sit down for three weeks and LEARN secure coding from
>scratch), it's the wrong daemon to run.
>At least Eric finally got to the point where he learned to be proactive
>with regards to sendmail.  These guys have not grabbed the clue stick

So what might you suggest that I can run on my FreeBSD box, wu-ftp?  I dig
the mod_mysql integration of ProFTP, but am unaware of how to implement
something like this on my own and I don't know C.  Really nice to not
authenticate via UNIX passwords though...


