tags 311339 + wontfix
severity 311339 wishlist
thanks

Hello

I have decided to make this a wishlist bug and not to correct it.
The reason is that it is insecure by default.

I installed it and it only listens on the ftp port by default and
also accepts anonymous login by default.

[EMAIL PROTECTED]:~# lsof -i | grep vs
vsftpd    8507        root    3u  IPv4 3949040       TCP *:ftp (LISTEN)

[EMAIL PROTECTED]:~$ ncftp localhost
NcFTP 3.1.9 (Mar 24, 2005) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 127.0.0.1...                                                      
(vsFTPd 2.0.3)
Logging in...                                                                   
Login successful.
Logged in to localhost.                                                         
ncftp / > 

So I will not remove that until it has better defaults.

Regards,

// Ola

On Tue, May 31, 2005 at 01:41:38PM +0300, Vassil Dichev wrote:
> Package: harden-servers
> Version: 0.1.17
> 
> Meta-package harden-servers conflicts with package vsftpd. Since version >=2, 
> vsftpd now supports ssl, so passwords are no longer sent in cleartext form.
> 
> Package harden-servers doesn't conflict with ftpd-ssl because of this same 
> reason, so now harden-servers should accept vsftpd as a possible secure ftp 
> alternative. Furthermore, vsftpd has features which the ftpd-ssl daemon 
> doesn't support since it's just a netkit ftp: different ways to 
> enforce/restrict anonymous users, chroot environments, built-in commands 
> (like "ls"). Thus, harden-servers implies that ftpd-ssl is more secure than 
> vsftpd, which is currently probably not true.
> 
> The fix should be trivial (conflict vsftpd less than version 2), but 
> unfortunately too late to get into sarge, I guess :( Still, it's nothing a 
> knowledgeable sysadmin can live without.
> 
> Best Regards,
> Vassil Dichev
> 

-- 
 --------------------- Ola Lundqvist ---------------------------
/  [EMAIL PROTECTED]                     Annebergsslingan 37      \
|  [EMAIL PROTECTED]                 654 65 KARLSTAD          |
|  +46 (0)54-10 14 30                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------
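
Added example, not part of the original messages or of either package: a small Python audit of vsftpd.conf text for the two points raised in this thread, anonymous login and cleartext passwords. The built-in defaults are assumed from vsftpd.conf(5), the function names are hypothetical, and the sample configurations are constructed.

```python
# Added example: audit vsftpd.conf text for anonymous login and cleartext passwords.
# Built-in defaults assumed from vsftpd.conf(5); a packaged config may override them.
BUILTIN_DEFAULTS = {
    "anonymous_enable": "YES",
    "local_enable": "NO",
    "ssl_enable": "NO",
    "force_local_logins_ssl": "YES",
}
TRUE_VALUES = {"YES", "TRUE", "1"}


def parse_vsftpd_conf(text):
    """Return effective settings: built-in defaults overlaid with the file's lines."""
    settings = dict(BUILTIN_DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:  # vsftpd expects option=value with no spaces around '='
            settings[key.strip()] = value.strip()
    return settings


def audit(text):
    """Return a list of findings for the effective configuration."""
    s = parse_vsftpd_conf(text)
    on = lambda k: s[k].upper() in TRUE_VALUES
    findings = []
    if on("anonymous_enable"):
        findings.append("anonymous login is enabled")
    if on("local_enable") and not on("ssl_enable"):
        findings.append("local logins allowed without SSL: passwords in cleartext")
    elif on("local_enable") and not on("force_local_logins_ssl"):
        findings.append("SSL is offered but not required for local logins")
    return findings


# Constructed sample configurations (not taken from any package).
EMPTY_CONF = "# no options set: built-in defaults apply\n"
HARDENED_CONF = "anonymous_enable=NO\nlocal_enable=YES\nssl_enable=YES\n"
OPTIONAL_SSL_CONF = HARDENED_CONF + "force_local_logins_ssl=NO\n"

if __name__ == "__main__":
    for name, conf in [("empty", EMPTY_CONF), ("hardened", HARDENED_CONF),
                       ("optional-ssl", OPTIONAL_SSL_CONF)]:
        print(name, audit(conf) or "no findings")
```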

