On Thu, Feb 06, 2014 at 05:38:35PM -0500, Robert P. J. Day wrote:
> "For SSH to be truly effective, using insecure connection protocols
> should be prohibited. Otherwise, a user's password may be protected
> using SSH for one session, only to be captured later while logging in
> using Telnet. Some services to disable include telnet, rsh, rlogin,
> and vsftpd."
>
> never having used sftp before, i'm confused ... isn't sftp simply a
> secure ftp client? and if so, why would one want to disable vsftpd? i
> would still need an ftp server, would i not? can someone clarify what
> that passage is saying? thanks.

sftp is actually a completely different protocol -- it does file transfer
over an ssh channel established on the ssh port. This encrypts any passwords
in transit, or can be used with ssh keys so passwords are not ever used.

By contrast, despite having the substring sftp in its name, vsftpd is a
standard FTP server and by default transmits any passwords in plain text.
Although to add some complication, vsftpd supports SSL, which is a
relatively recent extension to the FTP protocol and may not work with all
traditional ftp clients.

If you are using passwords with sftp or with vsftpd over ssl, your security
exposure will be roughly the same. Or, if you are using vsftpd simply to
provide anonymous FTP and no one is logging in with passwords, the two can
simply coexist in different roles.

The documentation means to warn you that with vsftpd in its non-SSL
configuration (which is the default, I'm pretty sure), any passwords or
other sensitive information transferred will go in plain text on the wire
(or through the air with wireless, of course).

--
Matthew Miller -- Fedora Project -- <mattdm@xxxxxxxxxxxxxxxxx>
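
Added example (not part of the original message and not vsftpd's own code): a small Python check, following the point above about vsftpd's non-SSL configuration, that reads a vsftpd.conf and reports when account passwords can cross the network unencrypted. The option names and built-in defaults are the ones documented in vsftpd.conf(5); the sample configurations are constructed, and treating a repeated option as taking its last value is an assumption.

```python
# Added example: flag vsftpd.conf settings that let passwords travel in cleartext.
# Built-in defaults as documented in vsftpd.conf(5); a distribution's shipped
# config file may override them.
DEFAULTS = {
    "local_enable": "NO",
    "ssl_enable": "NO",
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
}

def effective_settings(conf_text):
    """Parse option=value lines (no spaces around '=') on top of the defaults."""
    settings = dict(DEFAULTS)
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key in settings:
            # Assumption: a repeated option takes its last value.
            settings[key] = value.strip().upper()
    return settings

def audit(conf_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    s = effective_settings(conf_text)
    if s["local_enable"] != "YES":
        return []  # anonymous-only or disabled: no account passwords to capture
    if s["ssl_enable"] != "YES":
        return ["local_enable=YES without ssl_enable=YES: passwords sent in cleartext"]
    findings = []
    if s["force_local_logins_ssl"] != "YES":
        findings.append("force_local_logins_ssl=NO: clients may still log in without SSL")
    if s["force_local_data_ssl"] != "YES":
        findings.append("force_local_data_ssl=NO: file contents may go unencrypted")
    return findings

# Constructed sample configurations (not taken from any real host).
PLAINTEXT = "anonymous_enable=NO\nlocal_enable=YES\n"
ANON_ONLY = "# public mirror\nanonymous_enable=YES\nlocal_enable=NO\n"
SSL_FORCED = "local_enable=YES\nssl_enable=YES\n"
SSL_OPTIONAL = "local_enable=YES\nssl_enable=YES\nforce_local_logins_ssl=NO\n"

if __name__ == "__main__":
    for name in ("PLAINTEXT", "ANON_ONLY", "SSL_FORCED", "SSL_OPTIONAL"):
        print(name, audit(globals()[name]) or "ok")
```

The anonymous-only case returns no findings, matching the coexistence role described in the message: no account passwords are exchanged there.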