ioFTPD General New releases, comments, questions regarding the latest version of ioFTPD. |
07-15-2005, 07:55 AM
|
#1
|
Member
Join Date: Dec 2004
Posts: 46
|
version 1.x authentication? certificate based?
Can someone explain a little more how the authentication is going to work in 1.x version? does this mean no usernames and passwords anymore just certificates? and no ip address managed access?
I kind of always thought ip address access was a must... it limits a whole bunch of problems for example i run a ftp i give someone access to his ip range + a username and password, if you take the ip address out of the equation that means he can just go and give his username and password to anyone and they can use it... with a cert wouldnt he just give his username + password + certificate.... what i am saying is you cant exactly give anyone your ip range without proxying and going through a whole process with a certificate wont it just be about giving someone that cert?
i dont know too much about this just the basics... but please tell me the old method of authentication will still be around if we want to enable it.
|
|
|
07-15-2005, 08:02 AM
|
#2
|
Senior Member
FlashFXP Registered User ioFTPD Scripter
Join Date: Jan 2003
Posts: 277
|
lol, i think your jumping to WAY toooooo many conclusions there
ofcourse therell still be username/passwords & ident@ip checking, wouldnt it break the ftpd rfc if there wasnt
|
|
|
07-15-2005, 08:06 AM
|
#3
|
Disabled
FlashFXP Registered User ioFTPD Administrator
Join Date: Dec 2001
Posts: 2,230
|
User needs username, password and certificate to login in ssl mode. Ip and ident checks are somehing that can be done using scripts/modules. I'd personally rather delete such user (it should be trivial to write a script that logs last N ips to eg. user database) - because even with ip-check, you can't be certain that he isn't running a proxy to let other users to use his personal account.
|
|
|
07-15-2005, 08:10 AM
|
#4
|
Disabled
FlashFXP Registered User ioFTPD Administrator
Join Date: Dec 2001
Posts: 2,230
|
Quote:
Originally Posted by tuff
lol, i think your jumping to WAY toooooo many conclusions there
ofcourse therell still be username/passwords & ident@ip checking, wouldnt it break the ftpd rfc if there wasnt
|
No internal ident and ip checks are gone. Certficate based authentication is much safer and easier to administrate (eg. user can store his ftp client and certificates to memory stick, and use it anywhere he wants)
|
|
|
07-16-2005, 05:15 AM
|
#5
|
Member
Join Date: Dec 2004
Posts: 46
|
yeah but ip checks are nice because they in a way limit locations - well limit better than anything else.....
How is the certificate based authentication going to work? i mean what protocol? how are clients going to communicate that certificate information to the server? what ftp clients support certificates.... dont say flashFXP(if it does) because not everyone wants to use flashfxp....
|
|
|
07-16-2005, 05:16 AM
|
#6
|
Member
Join Date: Dec 2004
Posts: 46
|
oh and tuff as far as i recall he is breaking the FTP RFC or not?
|
|
|
07-16-2005, 05:44 AM
|
#7
|
Too much time...
Ultimate Scripter
Join Date: Jul 2003
Posts: 1,430
|
Quote:
Originally Posted by ganymede
yeah but ip checks are nice because they in a way limit locations - well limit better than anything else.....
|
I hope we will still be able to use the Host.Rules file for that.
|
|
|
07-16-2005, 10:06 AM
|
#8
|
Senior Member
ioFTPD Foundation User
Join Date: Feb 2003
Posts: 170
|
how can i put my avatar ? and what option should i on to view 'registered user' under forum nickname ?
i'm blind or user cp options are miss sth ?
*** How about you dont post this sort of question on a thread that has nothing to do with this topic?
|
|
|
07-16-2005, 11:28 AM
|
#9
|
Senior Member
FlashFXP Registered User ioFTPD Scripter
Join Date: Jan 2003
Posts: 277
|
Quote:
Originally Posted by darkone
because even with ip-check, you can't be certain that he isn't running a proxy to let other users to use his personal account.
|
id say its much harder to use a proxy to spoof a users ident@ip then it would be for someone in there office to pick up there `usb stick` and use that
|
|
|
07-16-2005, 03:48 PM
|
#10
|
Member
Join Date: Dec 2004
Posts: 46
|
see i just think that with things like a usb stick... you leave it on your desk the guy can steal your info or whatever - its a matter of stealing the cert, with an IP address it really limits a person to one pc... i find this really disapointing - blocking users by IP address is critical... some FTP owners only want their users to login from specific locations. The certificate should replace the encryption format, and not IP blocking they kind of have different functions....
i agree with tuff stealing a cert.... much easier than impersonating an IP - a lot of ftp owners are not going to like this - this is kind of taking ioFTPD off the top of the list for FTPDs, guess we will see what everyone else thinks.
an idea though : i know you can store a whole bunch of information in those certs why not put a specific ip in there.... , not perfect but just a thought.
|
|
|
07-16-2005, 03:54 PM
|
#11
|
Senior Member
FlashFXP Beta Tester ioFTPD Scripter
Join Date: Aug 2003
Posts: 517
|
If the new io is anything like the old one, a simple script can deny a login when the remote IP doesn't match a certain list of allowed IPs / IP ranges, I don't think there is any reason to worry.
|
|
|
07-16-2005, 05:43 PM
|
#12
|
Too much time...
Ultimate Scripter
Join Date: Jul 2003
Posts: 1,430
|
The new user / group databases will accept custom fields so adding ident@ip checks won't be that hard.
Also stealing the certificate isn't enough to be able to log in, you need the password.
|
|
|
07-16-2005, 11:43 PM
|
#13
|
Junior Member
Join Date: Dec 2003
Posts: 4
|
Quote:
Originally Posted by ADDiCT
If the new io is anything like the old one, a simple script can deny a login when the remote IP doesn't match a certain list of allowed IPs / IP ranges, I don't think there is any reason to worry.
|
Yes,i agree with it. And if a script support a ip range such as xxx.xxx.xxx.xxx/xx is very good.The old io didn't support that format,so access control based on ip is something make me crazy
|
|
|
07-17-2005, 02:27 AM
|
#14
|
Senior Member
FlashFXP Registered User ioFTPD Registered User
Join Date: Oct 2002
Posts: 462
|
Quote:
Originally Posted by Harm
Also stealing the certificate isn't enough to be able to log in, you need the password.
|
Well, if the whole idea is to have a memory stick with client and key so you can log in anywhere you would get the password as well as the key cos most people store password in site details for login in their ftp client.
1 option would be to tell users not to take their stuff on the road with 'em for security, however you cant be with all the users all the time, they will break that rule from time to time.
If a script comes out to support ip checking quickly and as easily as it works integrated not a problem. However if it doesn't I can see a lotta people fleeing back to Raiden. I certainly wont be upgrading to something that doesn't support IP checking, so I'm hoping current version carries on being supported until the script comes.
|
|
|
07-17-2005, 03:07 AM
|
#15
|
Senior Member
ioFTPD Scripter
Join Date: Feb 2004
Posts: 181
|
Hrmf. I'm just wondering how people will generate certs for themselves, since I've not seen this done yet to date. Will there be a special program released to handle the job or will exporting certs be added to ftp clients so they maintain compatibility with new io. Also, when adding users..do they dcc/email you their physical cert or do they tell you their cert's fingerprint code....or? Just curious about how the new design will work.. I'm sure someone will do a public ident@ip script asap the new version is released for those who want to continue using that method of security so there shouldn't be any worries. But I think the new certs based security is interesting enough to give it a try, we just need a little info on how it will work with adding users.
|
|
|
Thread Tools |
|
Display Modes |
Rate This Thread |
Linear Mode
|
|
Posting Rules
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
|
|
|
All times are GMT -5. The time now is 12:44 PM.
|