ftp security

FTP sends the password across in clear text. That would be a security issue. Sun doesn't have a version of SSH in Solaris 8, but OpenSSH has released its latest version and it works with Sol8.

You can get the compiled versions on sunfreeware.com.

Be careful though, If you have BSM enabled and you have Open SSH installed DO NOT load patch number 109007-21 or 109007-22 because it will BREAK your crontab and none of your cron jobs will work from that point on.

mlhardwicke at 2007-7-7 3:47:02 >

Of course I'll bet you got those passwords by snooping as root on the box where the ftpd was running.

Use of switches in networks these days make snooping from another machine much harder.

Not impossible of course, you can use techniques like arp flooding to overwhelm the arp table in the switch and drop it into promiscuous mode.

But quite a lot harder.

For all the mania about encrypted protocols, I suspect that network snooping is by far the rarest way the unauthorised access to data is obtained.

Getting access to a box by utilising a vulnerabilty like a buffer overflow in a service and then reading the data straight off the disk is likely to be far more prevalent.

Of course, thats not a reason not to run encrypted protocols.

But I suspect that running unencrypted protocols isnt quite the security risk its made out to be.

robertcohen at 2007-7-7 3:47:02 >

> Just to mess with your head. If I do ftp over IPSec

> is a clear text password still an issue?

1.) It's capitalized IPsec. ;)

2.) If you're using ESP with encryption, cleartext passwords are protected end-to-end by ESP's encryption. If you're using AH or ESP w/o encryption, though, a bad guy can still see your password.

Dan - Solaris IPsec developer

danmcd at 2007-7-7 3:47:02 >