|
Posted by Sebastian G. on December 17, 2007, 1:34 pm
If you were Registered and logged in, you could reply and use other advanced thread options
Unruh wrote:
>> SSL. SSH/SFTP only protects the data transfer channel, not the command
channel.
>
> No idea what you are talking about. ssh encrypts everything passing between
> the two computers.
We're talking about SFTP, which is a variant how to use SSH to secure the
FTP protocol. In the SFTP setup, the protection by SSH is only applied to
the data transfer channel.
|
|
Posted by Flash Gordon on December 17, 2007, 3:45 pm
If you were Registered and logged in, you could reply and use other advanced thread options
Sebastian G. wrote, On 17/12/07 18:34:
> Unruh wrote:
>
>>> SSL. SSH/SFTP only protects the data transfer channel, not the
>>> command channel.
>>
>> No idea what you are talking about. ssh encrypts everything passing
>> between
>> the two computers.
>
>
> We're talking about SFTP, which is a variant how to use SSH to secure
> the FTP protocol. In the SFTP setup, the protection by SSH is only
> applied to the data transfer channel.
No, sftp is nothing to do with the ftp protocol.
--
Flash Gordon
|
|
Posted by Gerald Vogt on December 17, 2007, 5:35 pm
If you were Registered and logged in, you could reply and use other advanced thread options > Unruh wrote:
> >> SSL. SSH/SFTP only protects the data transfer channel, not the command
channel.
>
> > No idea what you are talking about. ssh encrypts everything passing between
> > the two computers.
>
> We're talking about SFTP, which is a variant how to use SSH to secure the
> FTP protocol. In the SFTP setup, the protection by SSH is only applied to
> the data transfer channel.
Do you have any URL to some documentation of this "SFTP" protocol? I
have just checked with my ssh sftp client and a network sniffer: There
is nothing transferred unencrypted. Everything goes through the SSH
tunnel. So maybe different people called different protocols SFTP at
times. However, I have never heard of an FTP protocol which encrypts
only the data traffic and not the command channel. It would be good if
you provided some link. That would be interesting.
We have to find out what "SSH/SFTP" in Core FTP really does. But the
label to me says it does what the ssh sftp client does which is not
what you wrote.
Gerald
|
|
Posted by Sebastian G. on December 17, 2007, 6:17 pm
If you were Registered and logged in, you could reply and use other advanced thread options
>> Unruh wrote:
>>>> SSL. SSH/SFTP only protects the data transfer channel, not the command
channel.
>>> No idea what you are talking about. ssh encrypts everything passing between
>>> the two computers.
>> We're talking about SFTP, which is a variant how to use SSH to secure the
>> FTP protocol. In the SFTP setup, the protection by SSH is only applied to
>> the data transfer channel.
>
> Do you have any URL to some documentation of this "SFTP" protocol?
<http://en.wikipedia.org/wiki/File_Transfer_Protocol#FTP_over_SSH>
Oh, and while we're at it:
<http://en.wikipedia.org/wiki/FTPS>, which discussed the difference between
implicit and explicit SSL mode on FTP-SSL.
|
|
Posted by Gerald Vogt on December 17, 2007, 7:09 pm
If you were Registered and logged in, you could reply and use other advanced thread options > Gerald Vogt wrote:
> >> Unruh wrote:
> >>>> SSL. SSH/SFTP only protects the data transfer channel, not the command
channel.
> >>> No idea what you are talking about. ssh encrypts everything passing between
> >>> the two computers.
> >> We're talking about SFTP, which is a variant how to use SSH to secure the
> >> FTP protocol. In the SFTP setup, the protection by SSH is only applied to
> >> the data transfer channel.
>
> > Do you have any URL to some documentation of this "SFTP" protocol?
>
> <http://en.wikipedia.org/wiki/File_Transfer_Protocol#FTP_over_SSH>
This paragraph is titled "FTP over SSH" and not "SFTP". And it also
says:
"FTP over SSH is sometimes referred to as secure FTP; this should not
be confused with other methods of securing FTP, such as with SSL/TLS
(FTPS). Other methods of transferring files using SSH that are not
related to FTP include SFTP and SCP; in each of these, the entire
conversation (credentials and data) is always protected by the SSH
protocol."
SFTP is something else. It protects the "entire" conversation. Nowhere
in this wikipedia article I find information that suggests "SSH/SFTP"
or "SFTP" is this "FTP over SSH" mentioned in the article.
Moreover, "FTP over SSH" is the protection of the command channel. You
simply tunnel port 21 to the server. The return channel (i.e. the data
channel) remains unprotected. This is in contrast to your former
statement
"SSL encrypts and authenticates both command and data channel, SSH/
SFTP only the latter."
Summarizing the wikipedia article:
* FTP over SSH aka Secure FTP protects only the command channel. Not
the data channel.
* FTPS aka FTP over SSL is something different and protects the whole
conversation.
* SFTP is something different and protects the whole conversation.
There is no information which says that SSH/SFTP or SFTP is what you
claim it is nor that it is unsecure nor that any data is sent
unencrypted.
It looks to me as if you write about FTP over SSH. This was nowhere
mentioned. SSH/SFTP was mentioned in the OP. But that is something
completely different unless you have evidence the Core FTP does "FTP
over SSH" for what is calls "SSH/SFTP".
> Oh, and while we're at it:
> <http://en.wikipedia.org/wiki/FTPS>, which discussed the difference between
> implicit and explicit SSL mode on FTP-SSL.
That one says "FTP over SSH (no acronym)" and otherwise says nothing
about it or SFTP.
Thus, so far both protocols in the OP - SSH/SFTP and AUTH SSL - are
secure, don't transmit unencrypted data. They are both something
completely different as the former uses a different protocol from the
latter. Only the latter is derived from FTP while the former uses its
own protocol which is not FTP.
This brings us back to the original question in the OP:
"In Core FTP, is it better to use AUTH SSL or SSH/SFTP?"
As your original answer applies to FTP over SSH and not to SSH/SFTP we
still have to discuss this issue. So far, I think both are secure.
Gerald
|
| Similar Threads | Posted | | Viewing/opening file sent by secure method | February 27, 2007, 2:31 pm |
| Safe zip/unzip and file split on secure Windows machine? | January 10, 2005, 2:04 pm |
| Transfer of data via handshake | July 20, 2006, 3:54 am |
| Organizations lose Confidential&Intellectual property through unauthorized data transfer | May 10, 2007, 4:47 pm |
| 'Hijack This' log file | May 7, 2004, 12:12 pm |
| Does MD5 include the file name? | September 12, 2006, 5:54 pm |
| Obscure file - siae3123.exe | May 22, 2004, 1:27 pm |
| snort file logging name | December 18, 2004, 5:31 am |
| the favourities file of Firefox | December 21, 2004, 4:39 pm |
| tcpdump file recovery | August 30, 2005, 9:11 am |
|
XML site map