Subject: Re: additional authentication for ftp
To: None <>
From: Peter Seebach <>
List: current-users
Date: 08/02/2000 18:44:50
In message <>, "Jeremy
 C. Reed" writes:
>I am interested in adding another authentication method for ftpd and the
>ftp client. (So passwords aren't passed as plain text; I don't care if the
>files transferred are not secure.) But I want to make sure this a do-able
>or a good idea and I am not re-inventing the wheel.


You may want to look at the "BSD Authentication" library, most of which I
believe we are allowed to copy from BSD/OS.  You might be able to do this
with a wrapper in ftpd, and have the ftp client send a
thing-which-is-not-the-password in plain text.

(e.g., if you can convince the client to hash the password itself, you
can just send a hashed password.)

>- The FTP client will send a message to the server saying it has support
>  for the new feature.
>- The FTP server will send a near unique value (server PID, timestamp and
>  FQDN)
>- The FTP client will send the username.
>- The FTP client will make a MD5 sum of the password; and append it to the
>  server-provided string and make a MD5 sum of it and send to the server.
>- The FTP server will grab the MD5-created password from a FTP users
>  password file and also create the above new MD5 sum with the unique
>  string; then it will compare them.

This is clearly a superior solution, but requires support on both sides.

>Is this worthwhile? (Is this useful?)

I'd love to have a "secure" ftp.  90% of the time when I use scp (or cat |
ssh) to send files, it's just because I'm worried about the *password*.

>Is anything already like this? (Am I reinventing the wheel?)

VPN's are sort-of-like-this.

>How do I go about preparing/submitting an RFC? (Or does it really matter?)

Not sure about that, but it'd be a good thing to have standardized.