Re: tls

>>> Patrick Dupre wrote:
>>> 
>>> ssh works fine. However, I have a possible explanation.
>>> This machine is behind a firewall and to be able to make ssh, I 
>>> had to ask to have the ssh port open. Probably, the ftp port is
>>> closed. Should I ask to have it open to use ssl/tls?
>>> Is it port 21 or 990? How can I check that port 22 is open
>>> while the other ones are closed on the firewall (I do not have
>>> admin access to this machine).
>> 
>> Matthew J. Roth wrote:
>>
>> Do you have a compelling reason to use FTPS? If not, SFTP provides the same
>> functionality (encrypted file transfers) and it runs over SSH, so it should
>> *just work* in your environment.
> 
> Patrick Dupre wrote:
> 
> Yes, I know, but ssh/tls seems more secure!


Patrick,

Both FTPS and SFTP utilize essentially the same techniques to secure a
connection and provide similar levels of security.  FTPS has a slight edge
when it comes to authentication, because it uses X.509 certificates while SFTP
uses SSH keys.  However, this is only relevant if personally verifying the
authenticity of keys (e.g. issuing a key yourself or verbally confirming its
fingerprint by phone) isn't sufficient and you require a CA to verify the
authenticity of certificates instead.

On the other hand, SFTP is easier to administer from a network perspective
since only port 22/tcp must be opened in the firewall.  This is the same port
used by SSH, so in many cases (including yours) it's already open.

In my opinion, FTPS is slightly less secure than SFTP because its risks (running
an additional daemon and opening multiple firewall ports) outweigh its benefit
(X.509 authentication).  Considering that SFTP is probably already available on
your computer (it's enabled by default), it's the obvious choice unless you
absolutely require X.509 authentication for file transfers.

Regards,
 
Matthew Roth
InterMedia Marketing Solutions
Software Engineer and Systems Developer
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
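
Added example (not part of the original thread): the reply above mentions confirming an SSH key's fingerprint by phone, so this Python sketch computes the SHA256 fingerprint of a host public key line and compares it with a value obtained out of band. The function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def key_blob(line: str) -> bytes:
    """Find the '<key-type> <base64-blob>' pair in a .pub or known_hosts line."""
    fields = line.split()
    for key_type, b64 in zip(fields, fields[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:  # not base64, e.g. a hostname field
            continue
        # The blob begins with a length-prefixed copy of the key type; a
        # mismatch means the line was mangled or is not a public key.
        if blob.startswith(ssh_string(key_type.encode())):
            return blob
    raise ValueError("no consistent '<key-type> <base64-blob>' pair in line")


def fingerprint(line: str) -> str:
    """SHA256 fingerprint in the 'SHA256:<unpadded base64>' form OpenSSH prints."""
    digest = hashlib.sha256(key_blob(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches(line: str, expected: str) -> bool:
    """Compare against a fingerprint obtained out of band (phone, in person)."""
    return hmac.compare_digest(fingerprint(line).encode(), expected.strip().encode())


# Constructed sample key: 32 placeholder bytes, not a real host key.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed-example"

if __name__ == "__main__":
    print(fingerprint(SAMPLE_LINE))
```

On a real system the input line would come from the server's host public key file or the client's known_hosts entry, and the expected value from the administrator.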