Subject: Re: additional authentication for ftp
To: Jeremy C. Reed <reed@reedmedia.net>
From: Aidan Cully <aidan@kublai.com>
List: current-users
Date: 08/02/2000 20:06:45

Have you looked at RFC 2228?

--aidan

On Wed, Aug 02, 2000 at 04:36:57PM -0700, Jeremy C. Reed wrote:
> I am interested in adding another authentication method for ftpd and the
> ftp client. (So passwords aren't passed as plain text; I don't care if the
> files transferred are not secure.) But I want to make sure this is a do-able
> or a good idea and I am not re-inventing the wheel.
> 
> Basically, I want to simply use something like POP3's APOP but use an MD5
> or crypt version of the password instead of the plain text password
> (before the last MD5).
> 
> - The FTP client will send a message to the server saying it has support
>   for the new feature.
> - The FTP server will send a near-unique value (server PID, timestamp and
>   FQDN)
> - The FTP client will send the username.
> - The FTP client will make an MD5 sum of the password; and append it to the
>   server-provided string and make an MD5 sum of it and send to the server.
> - The FTP server will grab the MD5-created password from an FTP users
>   password file and also create the above new MD5 sum with the unique
>   string; then it will compare them.
> 
> If the server is to use the standard password (crypt version), then it
> would need to send the two-character salt to the client to use. (Is this a
> bad idea?)
> 
> My questions:
> 
> Is this worthwhile? (Is this useful?)
> 
> Is anything already like this? (Am I reinventing the wheel?)
> 
> How do I go about preparing/submitting an RFC? (Or does it really matter?)
> 
> Thanks for your comments and advice.
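
The challenge-response exchange proposed in the quoted message, as an added Python example that is not part of the original thread. The hex encoding of the digests, the challenge layout, the host `ftp.example.org`, and the function names are assumptions.

```python
import hashlib
import hmac
import os
import time


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def make_challenge(fqdn: str = "ftp.example.org") -> str:
    """Server: near-unique value built from PID, timestamp and FQDN."""
    return f"<{os.getpid()}.{time.time_ns()}@{fqdn}>"


def stored_verifier(password: str) -> str:
    """Entry in the FTP users password file: MD5 of the password."""
    return md5_hex(password.encode())


def client_response(challenge: str, password: str) -> str:
    """Client: MD5 of (server string + MD5 of the password)."""
    return md5_hex((challenge + md5_hex(password.encode())).encode())


def server_check(challenge: str, verifier: str, response: str) -> bool:
    """Server: rebuild the sum from the stored MD5, compare in constant time.

    The stored MD5 is the only secret used here, so the password file
    needs the same protection as the plain-text passwords would.
    """
    expected = md5_hex((challenge + verifier).encode())
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    users = {"reed": stored_verifier("correct horse")}  # constructed sample
    challenge = make_challenge()
    response = client_response(challenge, "correct horse")
    print("S:", challenge)
    print("C: USER reed")
    print("C:", response)
    print("accepted:", server_check(challenge, users["reed"], response))
    # A response captured for one challenge does not verify against the next.
    print("replayed:", server_check(make_challenge(), users["reed"], response))
```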