On 07Feb2014 00:55, Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx> wrote: > On Thu, Feb 06, 2014 at 05:38:35PM -0500, Robert P. J. Day wrote: > > "For SSH to be truly effective, using insecure connection protocols > > should be prohibited. Otherwise, a user's password may be protected > > using SSH for one session, only to be captured later while logging in > > using Telnet. Some services to disable include telnet, rsh, rlogin, > > and vsftpd." > > > > never having used sftp before, i'm confused ... isn't sftp simply a > > secure ftp client? and if so, why would one want to disable vsftpd? i > > would still need an ftp server, would i not? can someone clarify what > > that passage is saying? thanks. > > sftp is actually a completely different protocol -- it does file transfer > over an ssh channel established on the ssh port. This encrypts any passwords > in transit, or can be used with ssh keys so passwords are not ever used. > > By contrast, despite having the substring sftp in its name, vsftpd is a > standard FTP server and by default transmits any passwords in plain text. > Although to add some complication, vsftpd supports SSL, which is a > relatively recent extension to the FTP protocol and may not work with all > traditional ftp clients. And, to add confusion, FTP-over-SSL is often refered to as "FTPS". Versus sftp being an ftp-like command line protocol run over ssh. I've had to deal with people who confused the two. Cheers, -- Cameron Simpson <cs@xxxxxxxxxx> Fine: a tax on doing wrong. Tax: a fine on doing well. -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
