version 1.x authentication? certificate based?

[ganymede]

Can someone explain a little more how the authentication is going to work in 1.x version? does this mean no usernames and passwords anymore just certificates? and no ip address managed access?

I kind of always thought ip address access was a must... it limits a whole bunch of problems for example i run a ftp i give someone access to his ip range + a username and password, if you take the ip address out of the equation that means he can just go and give his username and password to anyone and they can use it... with a cert wouldnt he just give his username + password + certificate.... what i am saying is you cant exactly give anyone your ip range without proxying and going through a whole process with a certificate wont it just be about giving someone that cert?

i dont know too much about this just the basics... but please tell me the old method of authentication will still be around if we want to enable it.

[tuff]

lol, i think your jumping to WAY toooooo many conclusions there

ofcourse therell still be username/passwords & ident@ip checking, wouldnt it break the ftpd rfc if there wasnt

[darkone]

User needs username, password and certificate to login in ssl mode. Ip and ident checks are somehing that can be done using scripts/modules. I'd personally rather delete such user (it should be trivial to write a script that logs last N ips to eg. user database) - because even with ip-check, you can't be certain that he isn't running a proxy to let other users to use his personal account.

[darkone]

Quote:

Originally Posted by tuff

lol, i think your jumping to WAY toooooo many conclusions there

ofcourse therell still be username/passwords & ident@ip checking, wouldnt it break the ftpd rfc if there wasnt

No internal ident and ip checks are gone. Certficate based authentication is much safer and easier to administrate (eg. user can store his ftp client and certificates to memory stick, and use it anywhere he wants)

[ganymede]

yeah but ip checks are nice because they in a way limit locations - well limit better than anything else.....

How is the certificate based authentication going to work? i mean what protocol? how are clients going to communicate that certificate information to the server? what ftp clients support certificates.... dont say flashFXP(if it does) because not everyone wants to use flashfxp....

[ganymede]

oh and tuff as far as i recall he is breaking the FTP RFC or not?

[Harm]

Quote:

Originally Posted by ganymede

yeah but ip checks are nice because they in a way limit locations - well limit better than anything else.....

I hope we will still be able to use the Host.Rules file for that.

[zpr]

how can i put my avatar ? and what option should i on to view 'registered user' under forum nickname ?

i'm blind or user cp options are miss sth ?

*** How about you dont post this sort of question on a thread that has nothing to do with this topic?

[tuff]

Quote:

Originally Posted by darkone

because even with ip-check, you can't be certain that he isn't running a proxy to let other users to use his personal account.

id say its much harder to use a proxy to spoof a users ident@ip then it would be for someone in there office to pick up there `usb stick` and use that

[ganymede]

see i just think that with things like a usb stick... you leave it on your desk the guy can steal your info or whatever - its a matter of stealing the cert, with an IP address it really limits a person to one pc... i find this really disapointing - blocking users by IP address is critical... some FTP owners only want their users to login from specific locations. The certificate should replace the encryption format, and not IP blocking they kind of have different functions....

i agree with tuff stealing a cert.... much easier than impersonating an IP - a lot of ftp owners are not going to like this - this is kind of taking ioFTPD off the top of the list for FTPDs, guess we will see what everyone else thinks.

an idea though : i know you can store a whole bunch of information in those certs why not put a specific ip in there.... , not perfect but just a thought.

[ADDiCT]

If the new io is anything like the old one, a simple script can deny a login when the remote IP doesn't match a certain list of allowed IPs / IP ranges, I don't think there is any reason to worry.

[Harm]

The new user / group databases will accept custom fields so adding ident@ip checks won't be that hard.

Also stealing the certificate isn't enough to be able to log in, you need the password.

[bigbighd604]

Quote:

Originally Posted by ADDiCT

If the new io is anything like the old one, a simple script can deny a login when the remote IP doesn't match a certain list of allowed IPs / IP ranges, I don't think there is any reason to worry.

Yes,i agree with it. And if a script support a ip range such as xxx.xxx.xxx.xxx/xx is very good.The old io didn't support that format,so access control based on ip is something make me crazy

[EwarWoo]

Quote:

Originally Posted by Harm

Also stealing the certificate isn't enough to be able to log in, you need the password.

Well, if the whole idea is to have a memory stick with client and key so you can log in anywhere you would get the password as well as the key cos most people store password in site details for login in their ftp client.

1 option would be to tell users not to take their stuff on the road with 'em for security, however you cant be with all the users all the time, they will break that rule from time to time.

If a script comes out to support ip checking quickly and as easily as it works integrated not a problem. However if it doesn't I can see a lotta people fleeing back to Raiden. I certainly wont be upgrading to something that doesn't support IP checking, so I'm hoping current version carries on being supported until the script comes.

[PopWeasel]

Hrmf. I'm just wondering how people will generate certs for themselves, since I've not seen this done yet to date. Will there be a special program released to handle the job or will exporting certs be added to ftp clients so they maintain compatibility with new io. Also, when adding users..do they dcc/email you their physical cert or do they tell you their cert's fingerprint code....or? Just curious about how the new design will work.. I'm sure someone will do a public ident@ip script asap the new version is released for those who want to continue using that method of security so there shouldn't be any worries. But I think the new certs based security is interesting enough to give it a try, we just need a little info on how it will work with adding users.