v6.0 Release Notes:
1) Implemented client SSL behavior in ioFTPD so it can initiate SSL
connections.
2) Implemented the FEAT command. This is used to report what additional
functionality (beyond RFC 959) the FTP server supports.
3) Implemented the SSCN protocol to enable easy FXP SSL.
4) Changed the way LIST -l displays date/time in directory listings by default.
A file last modified 12:34PM on June 10, 2005 previously was displayed
incorrectly as
Jun 10 12:34
It now appears as it should (unix ls style)
Jun 10 2005
5) Implemented the LIST -T option (Raiden / Serv-U extension) so that
directory listings now include the full date and time. The example above
would now be:
Jun 10 12:34:56 2005
6) The new directory listing code now returns the directory in sorted order.
In the case of merged directories or submounts these are properly handled
so that size/modification/permission attributes are summed and/or computed
correctly.
7) Implemented the LIST -R option for recursive directory listings!
8) New ioFTPD.ini option (Allowed_Recursive). Set this permission flag to
enable the -R option to LIST. Requests that list a large number of
directories can be time consuming and resource intensive.
For larger servers you may wish to enable this only for admins and/or a
script to generate a listing every few hours and drop it into the root
directory for people to download...
9) Changed the way file globbing works for directory listings. Previously
you could do something like LIST */* and it would return all the files
in the immediate subdirectories. That sounds cool and is similar to
what unix would do, except that in this case the output doesn't include the
path, so you can't tell which directory a file came from, rendering it useless.
There were also problems with []'s in a name specified to LIST as it
would try to use it as a filename matching pattern. Thus
"LIST -al /test [old]/foo" wouldn't match a directory of that exact name.
I've, therefore, limited globbing to only the LAST component of the LIST
command, so LIST *.txt, LIST xyz/*.txt, or even LIST -R *.txt (search all
subdirectories for files ending in .txt) will work and no ambiguity exists.
As a special case if an exact match for a filename including []'s exists
then no globbing is done at all and just the file/directory is returned.
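The following is an added illustration (not ioFTPD code) of the last-component-only globbing rule, the exact-match special case for names containing [], and the -R walk, written against a small constructed in-memory VFS; the dict layout, list_path() and its relative-path handling are assumptions for the demo:

```python
import fnmatch
import posixpath

# Constructed sample VFS (assumption: a dict of directory path -> entry
# names, not ioFTPD's real VFS layout). Note the literal "[old]" in a name.
SAMPLE_VFS = {
    "/": ["test [old]", "test", "readme.txt"],
    "/test [old]": ["foo", "bar.txt"],
    "/test": ["a.txt", "b.txt", "sub"],
    "/test/sub": ["c.txt"],
}

def list_path(vfs, arg, recursive=False):
    """Resolve a LIST argument the v6.0 way and return sorted (dir, name) pairs.
    Only the LAST path component is a glob pattern; leading components must
    match literally, so 'LIST */*' no longer expands. If the whole argument
    names an existing entry exactly, even one containing [] characters,
    no globbing is done at all and just that entry (or its contents, for a
    directory) is returned. Relative arguments are resolved against '/'."""
    if not arg.startswith("/"):
        arg = "/" + arg
    arg = posixpath.normpath(arg)
    parent, last = posixpath.split(arg)
    parent = parent or "/"
    # Special case: an exact match wins over pattern matching.
    if parent in vfs and last in vfs[parent]:
        full = posixpath.join(parent, last)
        if full in vfs:                      # a directory: list its contents
            return sorted((full, n) for n in vfs[full])
        return [(parent, last)]              # a plain file
    if parent not in vfs:                    # literal parent does not exist
        return []
    if last == "":                           # 'LIST /' lists the root itself
        last = "*"
    dirs = [parent]
    if recursive:                            # LIST -R: walk every subdirectory
        prefix = parent.rstrip("/") + "/"
        dirs = sorted(d for d in vfs if d == parent or d.startswith(prefix))
    return sorted((d, n) for d in dirs for n in vfs[d]
                  if fnmatch.fnmatchcase(n, last))
```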
10) New ioFTPD.ini option (Idle_Ignore) to support a configurable idle timer.
Instead of any successful command resetting the idle time you can choose
to ignore some. For example:
Idle_Ignore = NOOP CWD PWD LIST NLST STAT PASV
In this case if the user hasn't actually done something besides wander
around the filesystem looking at directories he/she is disconnected.
The idle time reported for the client is unaffected by this change, thus
ioGUI, SiteWho, etc. will display the time the user last entered any
command even if it's ignored; however, the time the user has before being
disconnected does not reset.
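An added sketch (not ioFTPD's code) of the two clocks the Idle_Ignore option implies: one that every command resets (what ioGUI/SiteWho-style tools display) and one that only non-ignored commands reset (what the disconnect timer uses). The parse_idle_ignore() helper and IdleTracker class are assumptions for the demo; the ini line is the one from the example above:

```python
def parse_idle_ignore(ini_line):
    """Parse an 'Idle_Ignore = NOOP CWD ...' line into a set of commands."""
    key, _, value = ini_line.partition("=")
    if key.strip().lower() != "idle_ignore":
        raise ValueError("not an Idle_Ignore line")
    return {cmd.upper() for cmd in value.split()}

IDLE_IGNORE = parse_idle_ignore("Idle_Ignore = NOOP CWD PWD LIST NLST STAT PASV")

class IdleTracker:
    """Per-connection idle bookkeeping. Times are seconds (any monotonic clock).
    last_command: reset by every successful command; this is what gets displayed.
    last_effective: reset only by commands NOT in Idle_Ignore; this decides
    when the user is disconnected."""
    def __init__(self, now, timeout, ignore=IDLE_IGNORE):
        self.last_command = now
        self.last_effective = now
        self.timeout = timeout
        self.ignore = ignore

    def on_command(self, cmd, now):
        self.last_command = now
        if cmd.upper() not in self.ignore:
            self.last_effective = now

    def displayed_idle(self, now):
        """Idle time as ioGUI/SiteWho would show it."""
        return now - self.last_command

    def should_disconnect(self, now):
        """True once the non-ignored idle time reaches the timeout."""
        return now - self.last_effective >= self.timeout
```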
11) Implemented the MDTM command to retrieve and SET file modification times.
FTP clients that notice this extension can now make uploaded files show the
filetime of the actual file and not the time it was uploaded.
12) Reverted the ONLINEDATA structure to keep compatibility with existing
tools/scripts such as ioGUI2 and SiteWho. Long live ioGUI!
13) Documented a number of things in the accompanying ioFTPD.ini and
Default.vfs file to help people understand some options.
14) &Service_Update is really called &ConfigUpdate! Go update your
ioFTPD.ini file... This should fix the Host=xyz.com issue since it
wasn't updating your IP. Useful for people behind a NAT router with
a dynamic external IP.
15) The Encryption_Protocol= line in ioFTPD.ini means something different
than indicated. It limits the encryption to a particular type. Thus
setting it to SSL2, SSL3, or the undocumented TLS setting would only
allow the indicated protocol. Not defining it implies all three are
available with TLS->SSL3->SSL2 being the order tried.
16) Microsoft Sstream encryption is used for SSL/TLS and this has a few
issues. Windows XP / 2003 don't support AES and thus the cipher strength
is currently limited to 128 bit RC4/MD5 instead of 256 bit AES/SHA. This
isn't terrible but I believe it's slower and less secure, but the only
solution is to rewrite everything using openSSL or switch to Vista which
does support AES/SHA. The one side effect of this right now is: don't try
to set Min_Cipher_Strength > 128 as it won't work unless you're on Vista,
and even if you are, if the other guy is on XP and isn't using openSSL he
won't be able to connect...
17) Fixed the shutdown logic. It turns out ioFTPD never actually shut down
the active services and gracefully exited. I didn't notice until I
fixed it so it does shut down services, and then started getting errors.
This is the reason when you issue a site shutdown active users are never
shown as logging out in the logfile. I changed it so it closes services
which in turn closes all the connections and thus everyone is logged
out. If threads don't exit inside 10 seconds which might happen if a
TCL script or scheduler event or something takes a long time it just
continues on and exits which might still result in a crash, but it
would have done so in the old version anyway...
18) Changed the way user login works.
A) Corrected error messages that 5.8.6+ broke.
B) Require_Encrypted_Auth now controls the default SSL login behavior.
Previously if the user/group/flags matched then they would get an error
indicating an SSL connection was required immediately after entering
their username. HOWEVER, no such error was generated for invalid
usernames and thus it leaked user account information nearly as
badly as the previous problem of immediately denying access for invalid
usernames. I changed the permission code to accept fake tests so I can
now look for * in Require_Encrypted_Auth when I know the user is invalid
and return the SSL required error message anyway. Since the USER command
now looks the same in both cases it gives away nothing. Thus
Require_Encrypted_Auth = !-ioFTPD *
will not require the ioFTPD user to use SSL, but everybody else will
AND invalid usernames won't give anything away. Using !* or just not
specifying * will revert to current (I believe wrong) behavior.
C) Added a new text message file for logins requiring SSL. "SecureRequired"
in the text/ftp dir can be used to inform users how to turn on SSL.
The one I provided describes how to turn TLS/SSL on in FlashFXP for
those clueless individuals needing help...
Detailed login info:
5.8.5 Behavior:
Invalid user [normal or requires SSL] (wrong - leaks usernames):
USER xyz
530 Login incorrect.
SSL required for valid user (right):
USER xyz
530 Your user class requires you to use secure connections.
User limit reached (right):
USER xyz
331 Password required for xyz.
PASS (hidden)
530 Login failed: Maximum concurrent connections for account reached, try again later.
5.8.6+ Behavior:
Invalid user [normal or requires SSL] (right):
USER xyz
331 Password required for xyz.
PASS (hidden)
530 Login failed: Invalid password.
Valid user but SSL required (wrong - no info on why you can't login!):
USER xyz
331 Password required for xyz.
PASS (hidden)
530 Login failed: Invalid password.
User limit reached (wrong - no info on why you can't login!):
USER xyz
331 Password required for xyz.
PASS (hidden)
530 Login failed: Invalid password.
* The user limit reached breakage in 5.8.6+ actually affected a few more
cases which are all fixed, but it was the one I noticed first...
6.0 Behavior:
Invalid user with SSL NOT enforced by default (right):
USER xyz
331 Password required for xyz.
PASS (hidden)
530 Login failed: Invalid password.
Invalid user with SSL enforced by default (right):
USER xyz
530 Login failed: Your user class requires you to use secure connections.
Valid user but SSL required (right):
USER xyz
530 Login failed: Your user class requires you to use secure connections.
User limit reached (right):
USER xyz
331 Password required for xyz.
PASS (hidden)
530 Login failed: Maximum concurrent connections for account reached, try again later.
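An added model (not ioFTPD's code) of the 6.0 USER/PASS decision in 18B, to show why an invalid username and a valid-but-SSL-required user now get byte-identical replies: Require_Encrypted_Auth is evaluated for unknown users too, with only the * wildcard able to match them. The account table, first-match token semantics, login() and the 230 success line are assumptions for the demo; the reply texts are the ones shown above:

```python
# Constructed account table (assumption: not ioFTPD's real user database).
USERS = {
    "ioFTPD": {"password": "hunter2", "limit": 2, "active": 0},
    "alice":  {"password": "s3cret",  "limit": 1, "active": 1},
}

SSL_REQUIRED = "530 Login failed: Your user class requires you to use secure connections."
BAD_PASSWORD = "530 Login failed: Invalid password."
LIMIT_REACHED = ("530 Login failed: Maximum concurrent connections for "
                 "account reached, try again later.")

def requires_ssl(policy, username, known):
    """Evaluate a Require_Encrypted_Auth line such as '!-ioFTPD *'.
    Tokens are tried left to right and the first one that matches decides;
    a leading '!' negates it (assumed first-match semantics). Only '-user'
    and '*' tokens are modelled. For an unknown user nothing but '*' can
    match, which is the 'fake test' that lets the server answer the same
    way whether or not the account exists."""
    for tok in policy.split():
        negate = tok.startswith("!")
        body = tok[1:] if negate else tok
        if body == "*" or (known and body == "-" + username):
            return not negate
    return False

def login(users, policy, username, password, secure):
    """Return the server reply lines for one USER/PASS exchange, 6.0 style."""
    known = username in users
    if not secure and requires_ssl(policy, username, known):
        return [SSL_REQUIRED]            # sent right after USER, known or not
    replies = [f"331 Password required for {username}."]
    if not known or users[username]["password"] != password:
        replies.append(BAD_PASSWORD)     # same text for unknown user and bad password
    elif users[username]["active"] >= users[username]["limit"]:
        replies.append(LIMIT_REACHED)
    else:
        replies.append("230 User logged in.")   # constructed RFC 959 success reply
    return replies
```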
19) Upgraded tcl to 8.4.14 and included all the default .tcl files shipped
with tcl. In particular the HTTP package may be of some use...
20) Upgraded php to 4.4.5. I can upgrade to the latest v5 release but since
I don't know about compatibility with existing scripts it might be best
not to.