LinuxQuestions.org
Old 10-31-2006, 11:41 AM   #1
poweredbydodge
Member
 
Registered: Oct 2006
Location: Buffalo, NY
Distribution: Servers: Scientific Linux 5.x // Desktops: Fedora Core (latest)
Posts: 110

Rep: Reputation: 15
FTP over TLS/SSL --- works, but doesn't ?


Hello...

I am currently running the following:
Hardware -- Soyo MB (Via north and south bridges) / AMD Athlon XP Barton 3200 / 2 GB Corsair PC3200 DDR184 / Couple hundred gigs of WD ATA-100 RE drives over regular EIDE(PATA). [my home server which broadcasts over WAN and LAN]

Software -- Fedora Core 5 / Apache 2.2.2 (Perl 5.8.? / Open SSL 0.97 / Open SSH v.?.? / PHP 5) / Sendmail with Dovecot, F-Prot, and SpamAssassin / ProFTPD with a security certificate (RSA key file + cert file) generated by the previously mentioned Open SSL 0.97 (I believe revision a).

All in all, the rig runs great, and I'm very happy so far (I'll be upgrading hardware in bits and pieces, but for now I'm just happy that I finally got linux going good). I can do everything I used to do with Windows Server 2003 --- and more.

PROBLEM --- ok, so I had proftpd set up to allow ONLY TLS/SSL logins and TLS/SSL encrypted transmissions. This seems to work fine with Windows Clients like Filezilla / CuteFTP-Pro / and a couple others. However, when I tried to use Linux's gFTP Client (set up in "FTPS" mode, which is, I believe, the correct mode), the Client would login securely... go through some hub-bub-stuff... and then just before it would give me a directory listing it would say...

"issuing command PROT C"
.... [about 30 seconds go by]...
"command refused, connection dropped by host"

or something to that effect.

My research has told me that the CAUSE is this... the command PROT defines protection, with one of the two following switches: PROT -P = encrypted, and PROT -C = clear (unencrypted). So proftpd was set up to ONLY do encrypted stuff, and therefore it dumped the connection.

So I figured "well, I'll disable the command to only allow encryption, and then maybe it'll do what I want it to."

Nope -- Client logs in SECURELY and then all transfers are INSECURE. That's a no-no.

So my question is ... has anyone found a way of dealing with this? Perhaps editing gFTP's config (in a way I have yet to discover) to tell it NOT to issue PROT C commands? Or a way to tell proftpd that if it receives a PROT C command that it would reply with a counter-command that forces the client to remain in encrypted mode?

I am at a loss... any help would be more than greatly appreciated, as this is the last key (pun intended) in having my "perfect" Linux software server, and I've been at it for a month with no luck.

Regards
-Vince Spinelli
vince@spinellicreations.com
University at Buffalo
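
An added example, not part of the original thread: a small audit of an explicit-FTPS control-channel transcript that flags transfers the server started while the data channel was unprotected, which is the "logs in securely, transfers insecurely" state described above. The `C:`/`S:` transcript format, the `audit` function and the reply texts are constructed for illustration and are not captured from ProFTPD or gFTP.

```python
"""Audit an explicit-FTPS (RFC 4217) control-channel transcript for clear-text transfers."""

DATA_CMDS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "STOU", "APPE"}

def audit(transcript):
    """Return (command, reason) pairs for transfers the server started unprotected."""
    # The data channel is Clear until the server accepts PROT P.
    tls, prot, cmd, findings = False, "C", None, []
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        words = text.split()
        if not words:
            continue
        if side == "C":
            cmd = [words[0].upper()] + words[1:]
            continue
        if side != "S" or cmd is None:
            continue
        code, verb = words[0][:3], cmd[0]
        if verb == "AUTH" and code == "234":
            tls = True
        elif verb == "PROT" and code.startswith("2") and len(cmd) > 1:
            prot = cmd[1].upper()        # only an accepted PROT changes the level
        elif verb in DATA_CMDS and code.startswith("1"):
            if not tls:
                findings.append((verb, "no TLS on control channel"))
            elif prot != "P":
                findings.append((verb, "data channel clear (PROT %s)" % prot))
        if not code.startswith("1"):     # 1xx is preliminary; wait for the final reply
            cmd = None
    return findings

# Constructed transcripts; reply texts are illustrative only.
LOGIN = """C: AUTH TLS
S: 234 AUTH TLS successful
C: USER demo
S: 331 Password required
C: PASS ****
S: 230 Logged in
C: PBSZ 0
S: 200 PBSZ 0 successful
"""
LISTING = "C: LIST\nS: 150 Opening data connection\nS: 226 Transfer complete\n"
RELAXED = LOGIN + "C: PROT C\nS: 200 Protection set to Clear\n" + LISTING
REFUSED = LOGIN + "C: PROT C\nS: 534 Request denied for policy reasons\n"
PRIVATE = LOGIN + "C: PROT P\nS: 200 Protection set to Private\n" + LISTING

if __name__ == "__main__":
    for name, t in (("relaxed", RELAXED), ("refused", REFUSED), ("private", PRIVATE)):
        print(name, audit(t) or "ok")
```
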
 
Old 11-01-2006, 11:54 AM   #2
cdhgee
Member
 
Registered: Oct 2003
Location: St Paul, MN
Distribution: Fedora 8, Fedora 9
Posts: 513

Rep: Reputation: 30
Instead of all the complexities of setting up FTP over TLS/SSL, have you considered using SFTP instead (secure FTP), which doesn't need certificates, and is incredibly simple to set up and use? If you have an SSH server installed, you should be able to use SFTP as it's the same protocol. All data transmitted is encrypted - login details, passwords, file transfers, everything.

Using FTP and then worrying about setting up SSL tunnels and whatnot seems a very complicated way of achieving something that can be done far easier another way.
 
Old 11-01-2006, 12:45 PM   #3
poweredbydodge
Member
 
Registered: Oct 2006
Location: Buffalo, NY
Distribution: Servers: Scientific Linux 5.x // Desktops: Fedora Core (latest)
Posts: 110

Original Poster
Rep: Reputation: 15
SSH does require a certificate... it comes with one pre-installed (so to speak), but you can generate your own (which I've done - and it works fine). SSH / SFTP / and FTPS all use SSL certificates.

The problems with SFTP are...

1- would require allowing all users shell access, which I refuse to do. With 15 some users at any given time, that's a big no-no. SSH logins are currently limited to only 1 user (that being me), while FTP logins can be made by anyone in the "netuser" group listing, which encompasses mail users and ftp users.

2- from past experience I've noticed that the integrity of transferring a queue of 3 or 4 large files (roughly 500 MB each) is far greater with FTPS than SFTP. You can pretty much set it and walk away for 10 hours with FTPS. SFTP not so much.

3- Many users are picky about their FTP clients... as they are mostly Windows people. Many FTP clients don't have SFTP -- actually most don't. However a good deal allow FTPS. So far, I've only had to "order" one person to change to a new client. That's not a bad percentage. There will only be two linux users (myself when not at home - and a new user who runs linux).

...

Filezilla FTP Server for Win32 systems was absolutely fantastic on so many levels. It would negotiate with any client you could think of. I only wish it would be ported to linux.
 
  

