ioFTPD General New releases, comments, questions regarding the latest version of ioFTPD. |
07-17-2005, 03:48 AM
|
#16
|
Member
Join Date: Dec 2004
Posts: 46
|
sorry darkone looks like i started a riot! I agree with ewarwoo ip checking a necessity that will change the way i feel about the FTPD, personally i don't think this should be scripted functionality this should definitely be part of the core functionality.
secondly how is cert authentication going to work... that's my biggest concern - like what FTP client supports cert authentication...?! like how is the key exchange going to work? this is certainly going to f up my ioWeb project i just spent 6 months implementing SSL and now it's going to be cert based... - no ftp clients support this...??? or do they?
|
|
|
07-17-2005, 05:02 AM
|
#17
|
Senior Member
FlashFXP Registered User ioFTPD Scripter
Join Date: Jan 2003
Posts: 277
|
as i said, it's much harder to steal an ip, than to steal a cert and sites.dat prolly stored in the same place
__________________
#iotools #ioftpd (both on efnet)
|
|
|
07-17-2005, 05:06 AM
|
#18
|
Senior Member
ioFTPD Scripter
Join Date: Feb 2004
Posts: 181
|
Quote:
Originally Posted by ganymede
sorry darkone looks like i started a riot! I agree with ewarwoo ip checking a necessity that will change the way i feel about the FTPD, personally i don't think this should be scripted functionality this should definitely be part of the core functionality.
secondly how is cert authentication going to work... that's my biggest concern - like what FTP client supports cert authentication...?! like how is the key exchange going to work? this is certainly going to f up my ioWeb project i just spent 6 months implementing SSL and now it's going to be cert based... - no ftp clients support this...??? or do they?
|
Probably they don't yet I imagine but the same could've been said for PRET and XDUPE at some point. And we all know how useful those features have been. So I think we just need to wait and see how it will work. Maybe there will be an 'XCERT' (eXtract CERT) feature made which when connecting to [new version of] io site will upload local cert -> site somehow. Darkone must be having a good laff at us trying to figure this out btw lol.
|
|
|
07-17-2005, 05:51 AM
|
#19
|
Senior Member
ioFTPD Scripter
Join Date: Feb 2004
Posts: 181
|
btw, moving away from ip based security would allow not needing users' ip's to be in their userfiles anymore. So if a site box was ever 'taken' it would allow for more security/privacy as it would be much harder to find someone based on the cert of their pc than it would be to find them by the ip of their pc. Except that there would need to be an option to not log ip's as well. DrFTPd has this option so maybe it could be added to io as well. It just replaces 111.111.111.111 with xxx.xxx.xxx.xxx in the logs, or something similar. This would allow more anonymity (in light of recent events I think we all agree this is a good thing). I was just thinking of some of the implications of this new cert-based security and thought of this aspect of it. Didn't see it mentioned yet so thought I would go ahead and mention it.
|
|
|
07-17-2005, 10:16 AM
|
#20
|
Senior Member
FlashFXP Registered User ioFTPD Scripter
Join Date: Jan 2003
Posts: 277
|
and not logging ips would make it also impossible to track anyone that's gained access that shouldn't have
__________________
#iotools #ioftpd (both on efnet)
|
|
|
07-17-2005, 11:24 AM
|
#21
|
Senior Member
ioFTPD Scripter
Join Date: Feb 2004
Posts: 181
|
hehe, true
|
|
|
07-18-2005, 07:27 AM
|
#22
|
Disabled
FlashFXP Registered User ioFTPD Administrator
Join Date: Dec 2001
Posts: 2,230
|
Quote:
Originally Posted by tuff
as i said, it's much harder to steal an ip, than to steal a cert and sites.dat prolly stored in the same place
|
This is false information. To steal certificate you need access to computer, and if certificate is stored in certificate store (which could be in remote location) - administrator level privileges. While to steal ip you need one of the following: access to computer, access to one of the routers between client and server or access to same ip range. Also, encrypting certificate and/or sites.dat is not such a bad idea (afaik. ffxp allows encryption of sensitive information)
And just like harm mentioned earlier, script may store arbitrary data to both user and group databases. Adding ip/ident checks is rather trivial (though I don't personally see much use for ident check nowadays)
Implementation of client certificate check is trivial on both openssl and SSPI, and I've actually done this on both. On passive mode transfers, it's also necessity for site to authenticate data connections as well, if site does not restrict data connection to allow access only from ip that control connection originates from.
|
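An added illustration of the checks post #22 describes (not code from the thread or from ioFTPD): a pinned client-certificate login check with optional ident@ip masks, and the rule that ties a passive-mode data connection to its control connection. `Peer`, `login_allowed` and `data_conn_allowed` are hypothetical names, and the certificate bytes and addresses are constructed samples.

```python
import hashlib
import hmac
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Sequence, Set

# Constructed sample: placeholder bytes standing in for a DER-encoded client cert.
ALICE_CERT = b"constructed-sample-der-bytes-for-alice"


@dataclass(frozen=True)
class Peer:
    """Hypothetical record of one accepted connection. cert_der is only set
    after the TLS layer has verified the client holds the matching key."""
    ip: str
    ident: str = "*"                  # "*" when no ident reply was obtained
    cert_der: Optional[bytes] = None


def fingerprint(cert_der: bytes) -> str:
    # SHA-256 over the DER encoding, compared against the pinned value.
    return hashlib.sha256(cert_der).hexdigest()


def login_allowed(peer: Peer, pinned: Set[str], masks: Sequence[str] = ()) -> bool:
    """Require a pinned client certificate; if ident@ip masks are configured
    for the account, the connection must match one of them as well."""
    if peer.cert_der is None:
        return False
    fp = fingerprint(peer.cert_der)
    if not any(hmac.compare_digest(fp, p) for p in pinned):
        return False
    hostmask = f"{peer.ident}@{peer.ip}"
    return not masks or any(fnmatchcase(hostmask, m) for m in masks)


def data_conn_allowed(control: Peer, data: Peer) -> bool:
    """Tie a passive-mode data connection to its control connection."""
    if data.cert_der is not None:
        # Certificate presented: it must be the one used on the control channel.
        return control.cert_der is not None and hmac.compare_digest(
            fingerprint(data.cert_der), fingerprint(control.cert_der))
    # No certificate on the data channel: fall back to the source-address rule.
    return data.ip == control.ip
```
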
|
|
07-20-2005, 02:58 AM
|
#23
|
Member
Join Date: Dec 2004
Posts: 46
|
i can't say i agree with you on that darkone, you can't put an ip on a disk and give it to someone. certs are movable fullstop. to get someone's ip you have to hack and install proxy or hack a router along the way.... the chances of hacking a router well... not many people will do that. if they hack your pc they're going to steal your certificate anyways.
i think the bottom line is that this is functionality that almost every decent FTP server has and now it's being removed because it's so called obsolete - not true.
Furthermore many people are going to migrate to something that does have this functionality... i don't think an external script should be doing something that has evolved to be core functionality and in this present age vital functionality.
My biggest question is that why remove it? i mean people can turn it off so easily.... *!* :P you're decreasing the functionality list of your own product! - here is a brilliant example of why certificates might not work... let's say we have a company who by policy only want their staff to access their ftp from specific company locations(ips) using their login.... ? how's a certificate going to help you? it's not...
now the obvious comeback to the above situation is get a script - that's not the obvious solution to someone who is paying. to someone paying it's get a product that meets my requirements.
i think from a business point of view this is a mistake, the proposed solution sounds great. But in actual fact we are trading an apple for an orange - replacing something that does one thing by something that does another.....
i know i sound biased but to be honest i don't even use ip checking because everyone i know is on dial up we have shit lines and funny ranges in south africa - however a lot of people i know do and they think it's essential. The only reason i am raising flags now is because i have been developing a .NET version of a HTTP web administration tool and get a lot of feedback from various friends etc who simply won't run it without ip checking - and realistically what SiTEOP would install io without it.
PS - one thing that pisses me off and seems to happen a lot nowadays is as software developers release new versions of their software and 'upgrade' certain features by removing others they forget that there are people who only bought the product for the feature that was removed - which goes back to an earlier point what harm is there to leave it in.
|
|
|
07-20-2005, 06:58 AM
|
#24
|
Senior Member
FlashFXP Beta Tester ioFTPD Scripter
Join Date: Sep 2002
Posts: 543
|
Well it looks like I know what I need to build into the new ioFTPD as plugin. ip checking, also with the ability to use dns names, and ident stuff... I hope us scripters get a pre beta 1.0 to play with and code for.
|
|
|
07-20-2005, 07:02 AM
|
#25
|
Member
Join Date: Dec 2004
Posts: 46
|
a plugin is not what is needed here, the developers need to identify a basic need and implement it.
|
|
|
07-20-2005, 07:21 AM
|
#26
|
Senior Member
FlashFXP Registered User ioFTPD Registered User
Join Date: Oct 2002
Posts: 462
|
The main problem with a plugin / script is it could be back to the old situation where some of the times that io gets updated it kills the script. And the script creator is away so it doesn't get updated. Someone else makes one. You end up with 8 or 9 versions not knowing which to use. You get used to one you find and like and the scriptor stops supporting it cos he runs out of steam. Etc etc.
And anyways, a function like that which is at the very core of modern FTP servers (try a poll, see how many consider essential) should be made a part of the core program by the developer, not added in by an unpaid scriptor. Don't get me wrong, I love what you scriptors do, I wish to hell I had a fraction of the skill, you're an absolutely amazing bunch, but it's just not your responsibility and something so essential to the overall functionality should be fully supported and a responsibility, not a hobby.
That's my opinion anyhows.
|
|
|
07-20-2005, 08:01 AM
|
#27
|
Member
Join Date: Dec 2004
Posts: 46
|
Brilliantly put EwarWoo i couldn't have said it any better - and i fully agree.
|
|
|
07-20-2005, 10:23 AM
|
#28
|
Disabled
FlashFXP Registered User ioFTPD Administrator
Join Date: Dec 2001
Posts: 2,230
|
Compatibility problems have only arisen with major releases (rewrites). However, as far as I can tell, there are no more rewrites coming any time soon after 1.0.
|
|
|
07-20-2005, 12:04 PM
|
#29
|
Senior Member
FlashFXP Registered User ioFTPD Scripter
Join Date: Jan 2003
Posts: 277
|
i have to also agree with ganymede, why remove something that already works to replace it with something no one wants?
keep ident@ip checking, if it's not what someone wants, they can disable it, rather than force this change on everyone
i still believe ident@ip checking should be a core component, and not a script
who has actually been dreaming up these changes?
/me slaps d1
__________________
#iotools #ioftpd (both on efnet)
|
|
|
07-20-2005, 02:03 PM
|
#30
|
Senior Member
ioFTPD Scripter
Join Date: Feb 2003
Posts: 458
|
[my views on iO]
Hi everyone. d1 is taking his product to the whole market. The way I see it, iO (d1) is just trying to move away from the scene rules and make a product that is more of a versatile-industry related type of app (webhosting companies, etc). Adding more things that are relevant to the larger IT user base -- intensive security. His product needs to stand out in the crowd. And if this is the case, which it is obviously true [i hope....], then I am very happy with the changes that d1 is making. Instead of making zipscripts, communist-banana , etc.. there will also be a need for scripters to create extensive plugins that show bandwidth usage per user hourly/min/sec, calculated statistics, http frontend, and "who's uploading crap to my server" and all that other junk businesses are interested in. Which will increase the userbase and an influx of scripters. I can't wait for 1.0
[/my views on iO]
[back on topic]
The whole cert thing is a great idea. As for the old method, an ITCL script could most likely take care of everything. and if changes happened in future releases of io, any scripter can edit the TCL script to work with the current release. d1 can make the TCL script himself too and keep it up to date if he wants, it would be convenient for those users who rely on the ip@ident method.
[/back on topic]
byebye
|
|
|