Subject: Re: rfc2228 in ftpd
To: Perry E. Metzger <>
From: Aidan Cully <>
List: tech-security
Date: 06/25/2002 00:41:49

On Mon, Jun 24, 2002 at 09:53:09AM -0400, Perry E. Metzger wrote:
> My current thought is this: it appears, according to Ken and others,
> that there are indeed interoperable implementations of this. Given
> that, assuming we in fact interoperate, it is reasonable to do
> it. However, I'm still not sure it actually is something I would want
> to use...

In all honesty, the patch doesn't fully interoperate with all
available clients.  The Heimdal FTP client isn't fully RFC compliant,
and I've sent a couple of messages to heimdal-discuss describing the
problem and how to fix it, but never heard anything back.  Maybe
bringing this up here will convince them to fix the client...  I also
haven't fully implemented the protocol: I don't check the protection
on commands, so we're still potentially vulnerable to MITM attacks,
though secure against passive eavesdropping.  This is just a step in
the process; the next is to add support to the client, and finally to
define security policy on the server.
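
Added example, not part of the original message or of the patch it discusses: a sketch of the server-side check on command protection that the message describes as missing. The struct, the function names, and the policy itself (require integrity on every command once the AUTH/ADAT exchange has succeeded) are assumptions; the MIC/CONF/ENC verbs and the 503/533 reply codes are from RFC 2228.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* How a command arrived, by RFC 2228 wrapper verb. */
enum cmd_prot { PROT_CLEAR, PROT_CONF, PROT_MIC, PROT_ENC };

/* Hypothetical per-connection state; a real ftpd tracks much more. */
struct session { int auth_done; /* 1 once AUTH/ADAT has succeeded */ };

/* Case-insensitive match of the verb, which must end at a separator. */
static int verb_is(const char *line, const char *verb)
{
    size_t i, n = strlen(verb);
    for (i = 0; i < n; i++)
        if (toupper((unsigned char)line[i]) != verb[i])
            return 0;
    return line[n] == ' ' || line[n] == '\r' || line[n] == '\n' || line[n] == '\0';
}

enum cmd_prot classify(const char *line)
{
    if (verb_is(line, "MIC"))  return PROT_MIC;   /* integrity only */
    if (verb_is(line, "ENC"))  return PROT_ENC;   /* integrity + confidentiality */
    if (verb_is(line, "CONF")) return PROT_CONF;  /* confidentiality, no integrity */
    return PROT_CLEAR;
}

/* Returns 0 if the command may be processed, else the reply code to refuse with. */
int check_command(const struct session *s, const char *line)
{
    enum cmd_prot p = classify(line);
    if (!s->auth_done)            /* no security context yet: a wrapped */
        return p == PROT_CLEAR ? 0 : 503;  /* command is out of sequence */
    /* Assumed policy: after authentication every command needs integrity,
     * so cleartext and CONF (which an active attacker can alter) get 533. */
    return (p == PROT_MIC || p == PROT_ENC) ? 0 : 533;
}

int main(void)
{
    /* Constructed sample input; the base64 payloads are placeholders. */
    const char *cmds[] = { "RETR file\r\n", "CONF YWJj\r\n", "MIC YWJj\r\n", "ENC YWJj\r\n" };
    struct session post = { 1 };
    size_t i;
    for (i = 0; i < sizeof cmds / sizeof cmds[0]; i++)
        printf("%d <- %s", check_command(&post, cmds[i]), cmds[i]);
    return 0;
}
```

Passing this gate only decides whether the wrapper verb is acceptable; the payload still has to be base64-decoded and verified by the negotiated mechanism before the inner command is executed.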