Subject: Re: additional authentication for ftp
To: Jeremy C. Reed <>
From: Aidan Cully <>
List: current-users
Date: 08/02/2000 20:06:45
Have you looked at RFC 2228?


On Wed, Aug 02, 2000 at 04:36:57PM -0700, Jeremy C. Reed wrote:
> I am interested in adding another authentication method for ftpd and the
> ftp client. (So passwords aren't passed as plain text; I don't care if the
> files transferred are not secure.) But I want to make sure this is a do-able
> or a good idea and I am not re-inventing the wheel.
> Basically, I want to simply use something like POP3's APOP but use an MD5
> or crypt version of the password instead of the plain text password
> (before the last MD5).
> - The FTP client will send a message to the server saying it has support
>   for the new feature.
> - The FTP server will send a near unique value (server PID, timestamp and
>   FQDN)
> - The FTP client will send the username.
> - The FTP client will make an MD5 sum of the password; and append it to the
>   server-provided string and make an MD5 sum of it and send to the server.
> - The FTP server will grab the MD5-created password from an FTP users
>   password file and also create the above new MD5 sum with the unique
>   string; then it will compare them.
> If the server is to use the standard password (crypt version), then it
> would need to send the two-character salt to the client to use. (Is this a
> bad idea?)
> My questions:
> Is this worthwhile? (Is this useful?)
> Is anything already like this? (Am I reinventing the wheel?)
> How do I go about preparing/submitting an RFC? (Or does it really matter?)
> Thanks for your comments and advice.
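
An added example (not part of the thread, and not code from any ftpd or ftp client): the exchange proposed in the quoted message, with both sides written in Python. The function names and the `<pid.timestamp@fqdn>` challenge layout, which follows APOP's style, are assumptions, and the sample values are constructed.

```python
import hashlib
import hmac
import os
import time


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def make_challenge(fqdn, pid=None, now=None):
    """Server: near-unique value from server PID, timestamp and FQDN."""
    pid = os.getpid() if pid is None else pid
    now = int(time.time()) if now is None else now
    return f"<{pid}.{now}@{fqdn}>"


def stored_verifier(password):
    """Entry kept in the FTP users password file: MD5(password)."""
    return md5_hex(password)


def response_from_verifier(challenge, verifier):
    """MD5(challenge + MD5(password)); both sides compute this value."""
    return md5_hex(challenge + verifier)


def client_response(challenge, password):
    """Client: hash the password, append it to the challenge, hash again."""
    return response_from_verifier(challenge, md5_hex(password))


def server_verify(challenge, verifier, response):
    """Server: recompute from the stored MD5 and compare in constant time."""
    expected = response_from_verifier(challenge, verifier)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    verifier = stored_verifier("correct horse")
    c1 = make_challenge("ftp.example.org", pid=4242, now=965272005)
    r1 = client_response(c1, "correct horse")
    print("challenge:", c1)
    print("response: ", r1)
    print("accepted: ", server_verify(c1, verifier, r1))
    # A response is bound to its challenge, so it fails in a later session.
    c2 = make_challenge("ftp.example.org", pid=4243, now=965272065)
    print("replayed: ", server_verify(c2, verifier, r1))
```

Because the response is computed from the stored MD5 alone, the FTP users password file is as sensitive as a plaintext password list under this scheme and needs the same protection.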