Subject: additional authentication for ftp
To: None <>
From: Jeremy C. Reed <>
List: current-users
Date: 08/02/2000 16:36:57
I am interested in adding another authentication method for ftpd and the
ftp client. (So passwords aren't passed as plain text; I don't care if the
files transferred are not secure.) But I want to make sure this a do-able
or a good idea and I am not re-inventing the wheel.

Basically, I want to simply use something like POP3's APOP but use a MD5
or crypt version of the password instead of the plain text password
(before the last MD5).

- The FTP client will send a message to the server saying it has support
  for the new feature.
- The FTP server will send a near unique value (server PID, timestamp and
- The FTP client will send the username.
- The FTP client will make a MD5 sum of the password; and append it to the
  server-provided string and make a MD5 sum of it and send to the server.
- The FTP server will grab the MD5-created password from a FTP users
  password file and also create the above new MD5 sum with the unique
  string; then it will compare them.

If the server is to use the standard password (crypt version), then it
would need to send the two-character salt to the client to use. (Is this a
bad idea?)

My questions:

Is this worthwhile? (Is this useful?)

Is anything already like this? (Am I reinventing the wheel?)

How do I go about preparing/submitting an RFC? (Or does it really matter?)

Thanks for your comments and advice.

   Jeremy C. Reed