I've already done a number of things for the new upcoming 6.3 release that you are all going to love! There is one feature I'm going to ask for feedback on just in case I'm missing something and this solution won't work. I'm looking to find a way to support dynamic IP addresses for those few people who have wildly different addresses assigned to them all the time.
Basically my solution is a simple knock-knock algorithm with a twist. You supply a list of ports in the .ini and if the user attempts to connect in the order listed two things happen. First the IP is added to a temporary list so if you are using Reject_Unknown_Ips the individual can actually get the ftp prompt. Second, and my lightbulb idea, if you attempt to log in to an account that contains a fully qualified hostname (i.e. no wildcard) the server will resolve the stored name and then use that for the access check.
I've already implemented rules for IP/Host masks so you can control who can allow what. This is from my .ini file:
Code:
# Requirements/rules for adding IP masks by the specified users. You can
# have up to 20 consecutive entries starting at 1 which will be processed in
# numerical order with the first satisfied rule allowing the change. If
# no rule is matched then the change is prohibited and the user shown a list
# of valid rules for them. If Secure_Ip_1 is not defined everything is
# acceptable for backward compatibility.
#
# Format: <ident> <type> <min-fields> <users>
#   <ident>      = 0 -> User ident not required (*@...)
#                  1 -> User ident must be supplied (ident@...)
#   <type>       = 0 -> only sets of numeric IPs allowed
#                  1 -> fully qualified hostname allowed (no wildcards)
#                  2 -> any hostname/IP (may include wildcards)
#   <min-fields> = Minimum number of non-wildcard fields separated by periods.
#                  NOTE: A fully qualified hostname doesn't need to pass the
#                  minimum field test.
#
# Master accounts can do whatever they want so the first rule here isn't
# necessary, but if you wish to allow others unlimited rights add them here.
Secure_Ip_1 = 0 2 0 M
# Allow *@1.2.3.* style masks
Secure_Ip_2 = 0 0 3 G1M
# Allow ident@1.2.* style masks
Secure_Ip_3 = 1 0 2 G1M
# Allow ident@foo.bar.com style masks
Secure_Ip_4 = 1 1 1 G1m
# Allow ident@*.bar.com style masks but not for pure group-admins
Secure_Ip_5 = 1 2 2 1M
# NOTE: Only M accounts can set *@* with these defaults
If site addip rejects an IP/Host mask because Secure_Ip is enabled and no rule is matched then a human readable form of the rules is displayed...
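As an added example (my own illustration, not ioFTPD code and not from the post), here is a small Python checker that parses those Secure_Ip lines and reports which rule, if any, lets a user with given flags add a given mask. It assumes the <users> field is a set of flag letters any one of which qualifies, and that each <type> level also permits the levels below it (so type 1 still allows numeric IPs).

```python
import re

# Constructed copy of the Secure_Ip lines from the .ini above: <ident> <type> <min-fields> <users>.
INI_TEXT = """
Secure_Ip_1 = 0 2 0 M
Secure_Ip_2 = 0 0 3 G1M
Secure_Ip_3 = 1 0 2 G1M
Secure_Ip_4 = 1 1 1 G1m
Secure_Ip_5 = 1 2 2 1M
"""
def parse_rules(text):
    """(ident, type, min_fields, users) tuples for consecutive Secure_Ip_N entries starting at 1."""
    found = {}
    for m in re.finditer(r"^Secure_Ip_(\d+)\s*=\s*(\d)\s+(\d)\s+(\d+)\s+(\S+)", text, re.M):
        found[int(m.group(1))] = (int(m.group(2)), int(m.group(3)), int(m.group(4)), m.group(5))
    rules, n = [], 1
    while n in found and n <= 20:      # up to 20 consecutive entries; a gap ends the list
        rules.append(found[n])
        n += 1
    return rules

def host_kind(host):
    """0 = numeric IP (wildcards ok), 1 = fully qualified hostname, 2 = wildcard hostname."""
    if all(f == "*" or f.isdigit() for f in host.split(".")):
        return 0
    return 1 if not any(c in host for c in "*?") else 2

def rule_allows(rule, mask, user_flags):
    ident_req, max_kind, min_fields, users = rule
    ident, _, host = mask.rpartition("@")   # bare host or '*@host' counts as no ident
    if not set(user_flags) & set(users):    # assumption: any shared flag letter qualifies
        return False
    if ident_req == 1 and ident in ("", "*"):
        return False
    kind = host_kind(host)
    if kind > max_kind:                     # assumption: <type> is a ladder, 2 allows everything
        return False
    fields = sum(1 for f in host.split(".") if not any(c in f for c in "*?"))
    return kind == 1 or fields >= min_fields  # FQDNs skip the minimum-field test

def addip_rule(rules, mask, user_flags):
    """1-based number of the first satisfied rule, 0 if no rules (unrestricted), None if prohibited."""
    if not rules:
        return 0
    for n, rule in enumerate(rules, 1):
        if rule_allows(rule, mask, user_flags):
            return n
    return None

RULES = parse_rules(INI_TEXT)
```

With the defaults above, `addip_rule(RULES, "*@*", "M")` returns 1 while the same mask from a user with only flags "G1" returns None, matching the note that only M accounts can set *@*.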
Since the knock-knock listen ports just drop the connection immediately after it's made and no data is transferred you can create fake sites in your ftp program and try to connect to them in order. Since that's annoying I anticipate a simple Windows app to do it for you with a click of the button using configured site info. A Linux / Windows command line app to do the same thing but without the pretty interface is also possible.
To prevent username leakage an IP address which has knocked will have the password response delayed 5 seconds or something to prevent time response analysis.
The Secure_Ip feature means a server can now effectively enforce locked down usage. In my experience there was always somebody who added *@* for some reason and then forgot to remove it, thus negating Reject_Unknown_Ips. However the ability to use a dynamic IP DNS resolver like no-ip.com will, I think, be useful for some people, but it does make the potential sharing of accounts easier. There are ways to detect this over time though. For the moment, Secure_Ip can restrict who can add fully qualified names so you can limit who can set up these types of dynamic DNS hostnames.
The one thing I haven't figured out yet is what to do once a user has logged in via knocking. Since any logged in user should keep the host entry alive, subsequent logins will work until they log out for a while or the server restarts. I was thinking I could add the full IP to the user account automatically though. Perhaps even keep the last 3 or something, so this would allow future logins to work without knocking again until their IP changed.
What do you guys think? Have I missed something or does someone see an easier way? Perhaps more importantly, is this as useful a thing as I think it is?