Subject: Re: additional authentication for ftp
To: None <current-users@netbsd.org>
From: Peter Seebach <seebs@plethora.net>
List: current-users
Date: 08/02/2000 18:44:50
In message <Pine.LNX.4.21.0008021617510.21388-100000@sigmahosting.com>, "Jeremy C. Reed" writes:
>I am interested in adding another authentication method for ftpd and the
>ftp client. (So passwords aren't passed as plain text; I don't care if the
>files transferred are not secure.) But I want to make sure this is do-able
>or a good idea and I am not re-inventing the wheel.
Hmm.
You may want to look at the "BSD Authentication" library, most of which I
believe we are allowed to copy from BSD/OS. You might be able to do this
with a wrapper in ftpd, and have the ftp client send a
thing-which-is-not-the-password in plain text.
(e.g., if you can convince the client to hash the password itself, you
can just send a hashed password.)
>- The FTP client will send a message to the server saying it has support
> for the new feature.
>- The FTP server will send a near unique value (server PID, timestamp and
> FQDN)
>- The FTP client will send the username.
>- The FTP client will make a MD5 sum of the password; and append it to the
> server-provided string and make a MD5 sum of it and send to the server.
>- The FTP server will grab the MD5-created password from a FTP users
> password file and also create the above new MD5 sum with the unique
> string; then it will compare them.
This is clearly a superior solution, but requires support on both sides.
>Is this worthwhile? (Is this useful?)
I'd love to have a "secure" ftp. 90% of the time when I use scp (or cat |
ssh) to send files, it's just because I'm worried about the *password*.
>Is anything already like this? (Am I reinventing the wheel?)
VPNs are sort-of-like-this.
>How do I go about preparing/submitting an RFC? (Or does it really matter?)
Not sure about that, but it'd be a good thing to have standardized.
-s
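The challenge-response exchange proposed in the quoted message, worked through in Python as an added example; this is not code from the thread or from NetBSD's ftpd. The exact wire format is assumed: the challenge is the server PID, timestamp and FQDN joined with colons, the client's "I support this" announcement is a made-up string, and the "FTP users password file" is a constructed in-memory dictionary holding MD5(password) hex digests, exactly as the proposal describes.

```python
import hashlib
import hmac
import os
import socket
import time

# Constructed stand-in for the "FTP users password file": username -> MD5(password) hex.
# Note that what the server stores is itself the credential the client proves knowledge of.
USER_DB = {"jeremy": hashlib.md5(b"correct horse").hexdigest()}

# Hypothetical feature announcement the client sends first (not an FTP command on the page).
FEATURE_ANNOUNCE = "AUTH MD5-CHALLENGE"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def server_challenge(pid=None, ts=None, fqdn=None) -> str:
    """Server side: the 'near unique' value built from PID, timestamp and FQDN.
    Joining with ':' is an assumption; the proposal does not fix a format."""
    pid = os.getpid() if pid is None else pid
    ts = int(time.time()) if ts is None else ts
    fqdn = socket.getfqdn() if fqdn is None else fqdn
    return f"{pid}:{ts}:{fqdn}"


def client_response(password: str, challenge: str) -> str:
    """Client side: MD5 the password, append the server string, MD5 again."""
    inner = md5_hex(password.encode())
    return md5_hex((inner + challenge).encode())


def server_verify(username: str, challenge: str, response: str, db=USER_DB) -> bool:
    """Server side: recompute the outer MD5 from the stored MD5(password) and compare.
    The stored value is used directly; the server never needs the cleartext password."""
    stored = db.get(username)
    if stored is None:
        return False
    expected = md5_hex((stored + challenge).encode())
    # Constant-time comparison so a verifier can't be probed byte by byte.
    return hmac.compare_digest(expected, response)


def run_exchange(username: str, password: str, db=USER_DB, challenge=None):
    """Simulate the full message flow; returns (transcript, login_ok).
    transcript is a list of (side, message) with side 'C' (client) or 'S' (server)."""
    transcript = [("C", FEATURE_ANNOUNCE)]
    challenge = server_challenge() if challenge is None else challenge
    transcript.append(("S", challenge))
    transcript.append(("C", username))
    response = client_response(password, challenge)
    transcript.append(("C", response))
    ok = server_verify(username, challenge, response, db)
    transcript.append(("S", "230 login ok" if ok else "530 login incorrect"))
    return transcript, ok


if __name__ == "__main__":
    # Constructed challenge so the run is reproducible; a real server would call server_challenge().
    demo_challenge = "1234:965260800:ftp.example.net"
    for side, msg in run_exchange("jeremy", "correct horse", challenge=demo_challenge)[0]:
        print(f"{side}> {msg}")
    # A response captured for one challenge is useless against a fresh one.
    old = client_response("correct horse", demo_challenge)
    print("replay accepted:", server_verify("jeremy", "9999:965260900:ftp.example.net", old))
```

Two things the example makes visible that the proposal's prose does not: the fresh challenge means a sniffed response cannot be replayed against a later login, which is the goal of the scheme; but the server's stored value MD5(password) is all a client needs to answer any challenge, so that file is a cleartext-equivalent secret and must be protected at least as carefully as the password itself. MD5 is used here only because the proposal specifies it.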