Subject: additional authentication for ftp
To: None <firstname.lastname@example.org>
From: Jeremy C. Reed <email@example.com>
Date: 08/02/2000 16:36:57

I am interested in adding another authentication method for ftpd and the
ftp client. (So passwords aren't passed as plain text; I don't care if the
files transferred are not secure.) But I want to make sure this is a do-able
or a good idea and I am not re-inventing the wheel.
Basically, I want to simply use something like POP3's APOP but use a MD5
or crypt version of the password instead of the plain text password
(before the last MD5).
- The FTP client will send a message to the server saying it has support
for the new feature.
- The FTP server will send a near unique value (server PID, timestamp and
- The FTP client will send the username.
- The FTP client will make a MD5 sum of the password; and append it to the
server-provided string and make a MD5 sum of it and send to the server.
- The FTP server will grab the MD5-created password from a FTP users
password file and also create the above new MD5 sum with the unique
string; then it will compare them.
If the server is to use the standard password (crypt version), then it
would need to send the two-character salt to the client to use. (Is this a
Is this worthwhile? (Is this useful?)
Is anything already like this? (Am I reinventing the wheel?)
How do I go about preparing/submitting an RFC? (Or does it really matter?)
Thanks for your comments and advice.
Jeremy C. Reed
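
The exchange proposed in the message above, written out for both sides as an added example (not code from the original post). The class and function names, the host name `ftp.example.org`, the use of hex digests, and the random component in the challenge are assumptions of this example.

```python
import hashlib, hmac, os, secrets, time

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def client_response(password: str, challenge: str) -> str:
    # Client side: MD5(challenge + MD5(password)), as in the proposal.
    return md5_hex((challenge + md5_hex(password.encode())).encode())

class Server:
    def __init__(self, users):
        # users maps name -> MD5 hex of the password (the FTP users password file).
        # The server computes the expected response from this stored value alone,
        # so the file needs the same protection as plaintext passwords.
        self.users = users
        self.pending = set()   # challenges issued and not yet answered

    def challenge(self) -> str:
        # APOP-style near-unique string; the random part is this example's addition.
        c = "<%d.%d.%s@ftp.example.org>" % (
            os.getpid(), int(time.time()), secrets.token_hex(8))
        self.pending.add(c)
        return c

    def verify(self, user: str, challenge: str, response: str) -> bool:
        if challenge not in self.pending:
            return False                    # unknown or already-used challenge
        self.pending.discard(challenge)     # single use: a captured response cannot be replayed
        stored = self.users.get(user)
        # Unknown users are checked against a dummy digest so both paths do the same work.
        expected = md5_hex((challenge + (stored or "0" * 32)).encode())
        ok = hmac.compare_digest(expected.encode(), response.encode())
        return ok and stored is not None

def demo():
    # Constructed sample account.
    srv = Server({"alice": md5_hex(b"s3cret")})
    c = srv.challenge()
    r = client_response("s3cret", c)
    first = srv.verify("alice", c, r)       # correct password, fresh challenge
    replay = srv.verify("alice", c, r)      # same response sent again
    c2 = srv.challenge()
    wrong = srv.verify("alice", c2, client_response("guess", c2))
    return first, replay, wrong

if __name__ == "__main__":
    print(demo())
```
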