|
|
Subscribe / Log in / New account

Back door in ProFTPD FTP server (The H)

Back door in ProFTPD FTP server (The H)

Posted Dec 3, 2010 8:57 UTC (Fri) by rvfh (guest, #31018)
In reply to: Back door in ProFTPD FTP server (The H) by Trelane
Parent article: Back door in ProFTPD FTP server (The H)

Not sure HTTP is as bandwidth-efficient as FTP. Does anyone know better?

to post comments

Back door in ProFTPD FTP server (The H)

Posted Dec 3, 2010 9:15 UTC (Fri) by Np237 (guest, #69585) [Link]

HTTP actually is a little bit more bandwidth-efficient than FTP. The gain is marginal, though.

Back door in ProFTPD FTP server (The H)

Posted Dec 3, 2010 11:47 UTC (Fri) by intgr (subscriber, #39733) [Link] (8 responses)

Not only is HTTP more bandwidth-efficient, but it's also more resource-efficient.
* Only one socket/TCP connection is needed for each download -- FTP needs 2
* Much lower latency: only one round-trip to fetch a file -- FTP needs at least 5 (USER, PASS, CWD, PASV and RETR, but clients often do more requests, such as SIZE, TYPE, SYST etc). The TCP+IP packet headers from these alone outweigh an HTTP request
* HTTP can also re-use connections for multiple requests; FTP always establishes a separate data connection for each download

So yes, FTP is an obsolete, inefficient and insecure protocol for all purposes.

Back door in ProFTPD FTP server (The H)

Posted Dec 3, 2010 16:31 UTC (Fri) by ESRI (guest, #52806) [Link] (7 responses)

I'd say the "client" space is still a big win for FTP with many mature and powerful clients like FileZilla, etc.

Sure you can write something yourself or find some Java-based or HTML-based clients that I'm sure are somewhat promising -- or head down the MFT path if you're big enough...

But FTP has a leg up there still and customers by and large prefer it for large transfers it seems.

And, no slight against vsftpd, but ProFTPD's configurability sets it apart.

Back door in ProFTPD FTP server (The H)

Posted Dec 3, 2010 16:52 UTC (Fri) by drag (guest, #31333) [Link]

I just use Webdav, personally.

It has built-in support for Gvfs, Kio, Windows XP/7/Vista, OS X, and everybody else that matters.

Back door in ProFTPD FTP server (The H)

Posted Dec 3, 2010 16:55 UTC (Fri) by intgr (subscriber, #39733) [Link] (5 responses)

> I'd say the "client" space is still a big win for FTP with many mature and powerful clients like FileZilla, etc.

That's true, I was concentrating on the anonymous downloads use case because that's where efficiency really matters.

For authenticated file transfers, where performance isn't that important, you'll probably want SFTP anyway. Most if not all these powerful clients already support SFTP/SCP. You also get rsync for free, at the flip of a switch.

Back door in ProFTPD FTP server (The H)

Posted Dec 4, 2010 18:25 UTC (Sat) by drag (guest, #31333) [Link] (4 responses)

The problem with SFTP is that OpenSSH implementations depend to much on the Unix way of doing things. This does not mesh up well with business needs.

Here is what people want for their businesses:
* What is needed is a daemon that supports multiple protocols. HTTP, FTP, SFTP/SCP.
* This program must maintain it's own database of users seperate from Unix. So you can setup throw away accounts, one time use accounts, and be able to add/remove users without mucking around with changing directories or permissions low-level.
* The files it deposits on the server must be only be logically mapped to what the user sees. That is the directories and permissions you see when you 'sftp example.com' is going to be different from what is actually on the server. This way it would be easy to setup files and directories on the Unix side that is easy to program and compartmentalize for different departments without engaging into weird and complex ACLs and that sort of thing. This way you can add and remove external users and junk like that without having to edit scripts and programs and such.
* Optionally the files need to be able to be deposited into a SQL database instead of file system. This is to avoid complex file locking issues and provide a familar interface for many programmers.
* Integrated PGP support for testing signatures, encrypting, decrypting files on the fly. So that if you have a customer who requires PGP signed files you can enable that with a flip of the switch.

Think of it as SFTP as a JBOSS program. If somebody like Redhat was to create something like that it would be a big hit with many enterprises. There are currently a shitload of expensive and poorly programmed applications that do this sort of thing for businesses. If there is a good open source one already I am very sorry for missing it.

I know that it's horrible and distasteful. But it's what they want.

I've worked for several different businesses of radically different stripes for nearly a decade. Ranging from 200 employees to several thousand. They were all very different, but they all had in common that they required sending signficant data to and from customers and vendors as a core business requirement. Due to regulatory concerns, contractual obligations, and just plain stupid bias they had to deal with multiple protocols and formats of the data based on customer and vendor preference... lots of stuff like ftp is entirely not up to them.

If somebody like IBM or Redhat or some other big name that is trusted and has experience with the regulatory issues created a application like this that was cheap and easy to deploy then it would go a very long way to killing ftp once and for good.

Back door in ProFTPD FTP server (The H)

Posted Dec 4, 2010 18:26 UTC (Sat) by drag (guest, #31333) [Link]

Oh and SSL/TLS PKI, Kerberos, SASL, LDAP, AD support and all that crap also.

Back door in ProFTPD FTP server (The H)

Posted Dec 7, 2010 2:13 UTC (Tue) by jamesh (guest, #1159) [Link]

There are other SSH implementations out there. For the bazaar.launchpad.net code hosting service, we used Twisted's Conch module.

User names and public keys are pulled from a database, and a virtual file system layout is provided to the user based on both their individual permissions and user, project, and branch names found in the database (on disk storage is keyed off the database branch ID).

These things aren't impossible to do with SSH.

Back door in ProFTPD FTP server (The H)

Posted Dec 9, 2010 5:15 UTC (Thu) by cmccabe (guest, #60281) [Link]

I don't understand the hate for "the UNIX way of doing things." Just put an SFTP server, a lightweight HTTP server, and an ftp server inside an LXC container and write a few Python or Ruby scripts. And yes, you can even give it a web interface for administrators.

Another approach that seems to be popular lately is using Amazon S3 and its clones. Walrus and Rados Gateway are two open-source implementations of S3. S3 has cryptographic signatures, advanced permissions controls, uses HTTP or HTTPS (so it goes through any firewall), and is in general very well thought-out. You can even set up buckets where the user has to pay for the data he stores. You can set up buckets where every change is versioned, so that data is never lost. And so on.

> I know that it's horrible and distasteful. But it's what they want.

It's horrible and distateful to suggest re-inventing the wheel, without learning from the past. Transferring files is actually rather pleasant.

Back door in ProFTPD FTP server (The H)

Posted Dec 13, 2010 20:24 UTC (Mon) by nix (subscriber, #2304) [Link]

You don't need any of that. All you need is an interface (probably both C/language-of-choice and a command-line wrapper wrapped around it) which allows you to invoke protocol-dependent shell scripts (or other thing-of-choice) to do the actual transferring.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds