[lug] Is anon ftp upload really bad?

Peter Hutnick peter-lists at hutnick.com
Wed Apr 24 16:38:32 MDT 2002

Hash: SHA1

On Wednesday 24 April 2002 04:25 pm, John Hernandez wrote:
> Peter Hutnick wrote:
> > I DO NOT do FTP other than anon.
> >
> > I would urge others to use anon uploads (in a safe and sane way) over
> > cleartext authenticated FTP any day of the week.
> I don't quite get it.  If you ADD authentication (even reusable
> clear-text passwords) to the current (safe and sane) method, how does a
> stolen password make you any worse off, provided the account is for ftp
> only?

I guess I don't know of any kind of authenticated anonymous FTP.  The two 
sound mutually exclusive to me.

I don't see how using a password in this case is any improvement, and the 
whole point is to make it easy.  If I didn't care if the uploader had to 
authenticate I would just have him use SCP . . .

> One-time password systems like S/Key and OPIE avoid the common problems
> with cleartext passwords by making any given password valid only once.
>   As mentioned before, this would be an enhancement (not a replacement)
> for your existing methods.  If the password communicated to the
> uploader happens to be intercepted, you would at worst revert to
> "anonymous mode" for one session.

I guess that is useful to some people.  I don't see a benefit to using 
passwords that you are going to assume to be compromised.

To say it another way, I don't see any use in a half-measure.  Either rely on 
authentication (and IMO cleartext isn't authentication, since, as you allude 
to, you basically have to assume the passwords to be compromised) or don't.  
Using untrusted authentication on top of an otherwise secure system seems to 
be the worst of both worlds to me.

- -Peter

- -- 
/"\ ASCII Ribbon campaign against HTML e-mail
\ /
 X   Get my PGP key at http://hutnick.com/pgp
/ \  6128 5651 6F23 EC17 6EBD  737D 960A 20E6 76CA 8A59
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org


More information about the LUG mailing list