Go Back   FlashFXP Forums > > > >

ioFTPD General New releases, comments, questions regarding the latest version of ioFTPD.

Reply
 
Thread Tools Rate Thread Display Modes
Old 07-15-2005, 07:55 AM   #1
ganymede
Member
 
Join Date: Dec 2004
Posts: 46
Default version 1.x authentication? certificate based?

Can someone explain a little more how the authentication is going to work in 1.x version? does this mean no usernames and passwords anymore just certificates? and no ip address managed access?

I kind of always thought ip address access was a must... it limits a whole bunch of problems for example i run a ftp i give someone access to his ip range + a username and password, if you take the ip address out of the equation that means he can just go and give his username and password to anyone and they can use it... with a cert wouldnt he just give his username + password + certificate.... what i am saying is you cant exactly give anyone your ip range without proxying and going through a whole process with a certificate wont it just be about giving someone that cert?

i dont know too much about this just the basics... but please tell me the old method of authentication will still be around if we want to enable it.
ganymede is offline   Reply With Quote
Old 07-15-2005, 08:02 AM   #2
tuff
Senior Member
FlashFXP Registered User
ioFTPD Scripter
 
Join Date: Jan 2003
Posts: 277
Arrow

lol, i think your jumping to WAY toooooo many conclusions there

ofcourse therell still be username/passwords & ident@ip checking, wouldnt it break the ftpd rfc if there wasnt
tuff is offline   Reply With Quote
Old 07-15-2005, 08:06 AM   #3
darkone
Disabled
FlashFXP Registered User
ioFTPD Administrator
 
darkone's Avatar
 
Join Date: Dec 2001
Posts: 2,230
Default

User needs username, password and certificate to login in ssl mode. Ip and ident checks are somehing that can be done using scripts/modules. I'd personally rather delete such user (it should be trivial to write a script that logs last N ips to eg. user database) - because even with ip-check, you can't be certain that he isn't running a proxy to let other users to use his personal account.
darkone is offline   Reply With Quote
Old 07-15-2005, 08:10 AM   #4
darkone
Disabled
FlashFXP Registered User
ioFTPD Administrator
 
darkone's Avatar
 
Join Date: Dec 2001
Posts: 2,230
Default

Quote:
Originally Posted by tuff
lol, i think your jumping to WAY toooooo many conclusions there

ofcourse therell still be username/passwords & ident@ip checking, wouldnt it break the ftpd rfc if there wasnt
No internal ident and ip checks are gone. Certficate based authentication is much safer and easier to administrate (eg. user can store his ftp client and certificates to memory stick, and use it anywhere he wants)
darkone is offline   Reply With Quote
Old 07-16-2005, 05:15 AM   #5
ganymede
Member
 
Join Date: Dec 2004
Posts: 46
Default

yeah but ip checks are nice because they in a way limit locations - well limit better than anything else.....

How is the certificate based authentication going to work? i mean what protocol? how are clients going to communicate that certificate information to the server? what ftp clients support certificates.... dont say flashFXP(if it does) because not everyone wants to use flashfxp....
ganymede is offline   Reply With Quote
Old 07-16-2005, 05:16 AM   #6
ganymede
Member
 
Join Date: Dec 2004
Posts: 46
Default

oh and tuff as far as i recall he is breaking the FTP RFC or not?
ganymede is offline   Reply With Quote
Old 07-16-2005, 05:44 AM   #7
Harm
Too much time...
Ultimate Scripter
 
Join Date: Jul 2003
Posts: 1,430
Default

Quote:
Originally Posted by ganymede
yeah but ip checks are nice because they in a way limit locations - well limit better than anything else.....
I hope we will still be able to use the Host.Rules file for that.
Harm is offline   Reply With Quote
Old 07-16-2005, 10:06 AM   #8
zpr
Senior Member
ioFTPD Foundation User
 
Join Date: Feb 2003
Posts: 170
Default

how can i put my avatar ? and what option should i on to view 'registered user' under forum nickname ?

i'm blind or user cp options are miss sth ?

*** How about you dont post this sort of question on a thread that has nothing to do with this topic?
zpr is offline   Reply With Quote
Old 07-16-2005, 11:28 AM   #9
tuff
Senior Member
FlashFXP Registered User
ioFTPD Scripter
 
Join Date: Jan 2003
Posts: 277
Default

Quote:
Originally Posted by darkone
because even with ip-check, you can't be certain that he isn't running a proxy to let other users to use his personal account.
id say its much harder to use a proxy to spoof a users ident@ip then it would be for someone in there office to pick up there `usb stick` and use that
tuff is offline   Reply With Quote
Old 07-16-2005, 03:48 PM   #10
ganymede
Member
 
Join Date: Dec 2004
Posts: 46
Default

see i just think that with things like a usb stick... you leave it on your desk the guy can steal your info or whatever - its a matter of stealing the cert, with an IP address it really limits a person to one pc... i find this really disapointing - blocking users by IP address is critical... some FTP owners only want their users to login from specific locations. The certificate should replace the encryption format, and not IP blocking they kind of have different functions....

i agree with tuff stealing a cert.... much easier than impersonating an IP - a lot of ftp owners are not going to like this - this is kind of taking ioFTPD off the top of the list for FTPDs, guess we will see what everyone else thinks.

an idea though : i know you can store a whole bunch of information in those certs why not put a specific ip in there.... , not perfect but just a thought.
ganymede is offline   Reply With Quote
Old 07-16-2005, 03:54 PM   #11
ADDiCT
Senior Member
FlashFXP Beta Tester
ioFTPD Scripter
 
Join Date: Aug 2003
Posts: 517
Default

If the new io is anything like the old one, a simple script can deny a login when the remote IP doesn't match a certain list of allowed IPs / IP ranges, I don't think there is any reason to worry.
ADDiCT is offline   Reply With Quote
Old 07-16-2005, 05:43 PM   #12
Harm
Too much time...
Ultimate Scripter
 
Join Date: Jul 2003
Posts: 1,430
Default

The new user / group databases will accept custom fields so adding ident@ip checks won't be that hard.

Also stealing the certificate isn't enough to be able to log in, you need the password.
Harm is offline   Reply With Quote
Old 07-16-2005, 11:43 PM   #13
bigbighd604
Junior Member
 
Join Date: Dec 2003
Posts: 4
Default

Quote:
Originally Posted by ADDiCT
If the new io is anything like the old one, a simple script can deny a login when the remote IP doesn't match a certain list of allowed IPs / IP ranges, I don't think there is any reason to worry.
Yes,i agree with it. And if a script support a ip range such as xxx.xxx.xxx.xxx/xx is very good.The old io didn't support that format,so access control based on ip is something make me crazy
bigbighd604 is offline   Reply With Quote
Old 07-17-2005, 02:27 AM   #14
EwarWoo
Senior Member
FlashFXP Registered User
ioFTPD Registered User
 
Join Date: Oct 2002
Posts: 462
Default

Quote:
Originally Posted by Harm
Also stealing the certificate isn't enough to be able to log in, you need the password.
Well, if the whole idea is to have a memory stick with client and key so you can log in anywhere you would get the password as well as the key cos most people store password in site details for login in their ftp client.

1 option would be to tell users not to take their stuff on the road with 'em for security, however you cant be with all the users all the time, they will break that rule from time to time.

If a script comes out to support ip checking quickly and as easily as it works integrated not a problem. However if it doesn't I can see a lotta people fleeing back to Raiden. I certainly wont be upgrading to something that doesn't support IP checking, so I'm hoping current version carries on being supported until the script comes.
EwarWoo is offline   Reply With Quote
Old 07-17-2005, 03:07 AM   #15
PopWeasel
Senior Member
ioFTPD Scripter
 
Join Date: Feb 2004
Posts: 181
Default

Hrmf. I'm just wondering how people will generate certs for themselves, since I've not seen this done yet to date. Will there be a special program released to handle the job or will exporting certs be added to ftp clients so they maintain compatibility with new io. Also, when adding users..do they dcc/email you their physical cert or do they tell you their cert's fingerprint code....or? Just curious about how the new design will work.. I'm sure someone will do a public ident@ip script asap the new version is released for those who want to continue using that method of security so there shouldn't be any worries. But I think the new certs based security is interesting enough to give it a try, we just need a little info on how it will work with adding users.
PopWeasel is offline   Reply With Quote
Reply

Tags
address, ftp, give, password, username

Thread Tools
Display Modes Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -5. The time now is 02:08 PM.

Parts of this site powered by vBulletin Mods & Addons from DragonByte Technologies Ltd. (Details)