[1579] in Kerberos_V5_Development
Re: ftpd should allow protection to be required
daemon@ATHENA.MIT.EDU (Barry Jaspan)
Wed Aug 14 23:05:18 1996
Date: Wed, 14 Aug 96 22:59:50 -0400
From: "Barry Jaspan" <bjaspan@MIT.EDU>
To: hartmans@MIT.EDU
Cc: krbdev@MIT.EDU
In-Reply-To: <tslu3u5lduh.fsf@tertius.mit.edu> (message from Sam Hartman on 14 Aug 1996 19:56:22 -0400)
> I agree the option should be provided to require encryption; I'm not
> convinced we want to support the behavior of the Athena hack.
Right. We agree.
> Am I correct in my understanding that the command connection
> starts with integrity turned on?
I found no mention of that in the man page, but it would certainly be
a good thing. I guess traffic analysis of ftp commands isn't
particularly important, although on the other hand encrypting them
would be cheap.
> Why would it be wrong for ftp to accept an automated transfer
> to lower security if the command connection had integrity?
Generally, because allowing a remote server to reduce the security of
the connection silently and (perhaps) against the request of the user
just seems like a bad idea. Perhaps an attacker compromised the ftpd and
arranged for it always to reduce from private to safe; then the
attacker could watch the ftp traffic without actually having to be
logged in to the server and without requiring the server to off-load
data to the attacker (i.e., detection might be harder). Unlikely,
perhaps, and if the attacker compromised ftpd probably he got the
service key too so it is all irrelevant. But I don't see a good
reason to allow it either.
The easy solution is to make encryption requirable and, if required
and not used, have ftpd just refuse the command.
Barry
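A small model of the policy argued for in the message above, added here as an example and not taken from the krb5 ftp/ftpd sources: the server refuses a command that arrives below a required protection level, and the client refuses a reduction the server tries to impose below what the user required instead of carrying on silently. The level names "clear", "safe" and "private" follow the thread; the function names, the `required` parameters and the reply strings are assumptions.

```python
# Added illustration, not code from the krb5 ftp/ftpd sources.
# Protection levels as named in the thread: "clear" < "safe" (integrity
# only) < "private" (integrity plus encryption). The function names,
# the `required` parameters and the reply strings are assumptions.

LEVEL_RANK = {"clear": 0, "safe": 1, "private": 2}


def meets(level, required):
    """True if `level` is at least as strong as `required`."""
    return LEVEL_RANK[level] >= LEVEL_RANK[required]


def ftpd_handle_command(required, command_level, command):
    """Server side ("make encryption requirable and, if required and not
    used, have ftpd just refuse the command"). Returns (accepted, reply).
    `required` is the level the server is configured to insist on;
    `command_level` is the level the command actually arrived under."""
    if not meets(command_level, required):
        # Refuse outright rather than process the command at reduced protection.
        return (False, "533 %s refused: protection level %s required, got %s"
                % (command, required, command_level))
    return (True, "200 %s accepted at level %s" % (command, command_level))


def ftp_set_data_protection(user_required, requested, server_level):
    """Client side. The client asked for `requested`; the server (which
    may be compromised, as in the private -> safe scenario above) answers
    that it will use `server_level`. Returns the level in effect and whether
    a reduction happened, or None when the reduction would fall below what
    the user required, so the client must abort instead of silently
    continuing at the lower level."""
    if meets(server_level, requested):
        return {"level": server_level, "downgraded": False}
    if not meets(server_level, user_required):
        return None
    # Permitted because nothing stronger was required, but reported so the
    # caller can tell the user rather than lowering protection silently.
    return {"level": server_level, "downgraded": True}
```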