ftp password on my script: is it insecure?

xri · 12-10-2006, 11:42 AM

I am writing a simple script using ncftp as a client to synchronize my files with an online server. My script needs my ftp password to work.

I'm concerned about security. Is it enough to change the file permissions to make it invisible to other users? Is there a way to scramble the password to make it illegible for others? Do you recommend another ftp client (sftp)?

acid_kewpie · 12-10-2006, 11:49 AM

generally i'd suggest sftp with preshared keys, but note that sftp is *NOT* an ftp client. it's an emulation of the ftp protocol over ssh, so does not use an ftp server to connect to at the other end.

timdsmith · 12-10-2006, 11:53 AM

You can create a file in your home directory called .netrc
Set the permissions to 700
enter something like this...

Code:

machine  machinename

login  username

password password

Then you don't need to put the user/pass in the script.
The ftp client will look in that file. And the file will only be readable to you. Actually, the ftp client will not use it if it is not 700.

johnson_steve · 12-10-2006, 12:06 PM

something like sftp or scp with preshared keys would be more secure especially if you are worried about people intercepting the data. if you are just worried about people finding your password in the script then just 'chmod 700' it and to read the script they would have to have either already gained access to your user or root account or have physical access to the machine (in either case you have bigger problems anyways)

acid_kewpie · 12-10-2006, 12:30 PM

also don't forget that in the wider picture of security, running one service is more secure than running two...

xri · 12-10-2006, 05:58 PM

Thank you all for your input. You've outlined my options. I love this community.