>Number:         12602
>Category:       bin
>Synopsis:       want command-line option to apply ftpusers(5) rules after USER instead of PASS
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Tue Apr 10 14:40:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Rob Windsor
>Release:        irrelevant
>Organization:
Nose Pickers Anonymous
>Environment:
NetBSD
System: NetBSD dasher 1.5.1_ALPHA NetBSD 1.5.1_ALPHA (DASHER) #17: Sun Mar 25 11:00:53 CST 2001 windsor@dasher:/usr/src/sys/arch/i386/compile/DASHER i386


>Description:
	In a hostile environment (sniffers on the wire), ftpusers(5) rules
	being applied after PASS effectively becomes useless in the effort
	to forbid your userbase from using ftp to transfer files since they
	will not be rejected until after their password has been submitted
	(out in the clear).

	I would like to see a flag added to ftpd such that the ftpusers(5)
	rules are applied between USER and PASS instead of after PASS.

>How-To-Repeat:
	Have someone sniff your account password because you forgot that
	this particular ftpd isn't for you.
>Fix:
	Sorry, I'm not a coder.

	I was asked to send this PR after discussing this with another
	developer.

>Release-Note:
>Audit-Trail:
>Unformatted: