quietly....

Matthew Huff mhuff at ox.com
Thu Feb 3 21:44:07 UTC 2011


Oh, don't get me started on the confusion between FTP over SSH versus FTP over TLS/SSL let alone ftp over ssh versus sftp.
So many vendors and users use ftps or sftp indiscriminately to describe both and neither.

By sftp, I mean ftp over ssh (not tunnelled) as an alternate to scp. I would personally prefer scp to sftp, but that isn't what is being deployed by our peers.



> -----Original Message-----
> From: Randy Carpenter [mailto:rcarpen at network1.net]
> Sent: Thursday, February 03, 2011 4:32 PM
> To: Matthew Huff
> Cc: nanog at nanog.org; Valdis Kletnieks
> Subject: Re: quietly....
> 
> ----- Original Message -----
> > Well, since ssh is a straight up tcp socket protocol on a well known
> > port with no gimmicks needed like FTP, yeah, I would say it isn't a
> > hack. FTP over TLS/SSL is much worse. In some implementations you can
> > do a non-encrypted control channel and an encrypted data channel, so
> > that a SPI firewall can "hack" it through, but unfortunately a lot of
> > servers and/or clients won't negotiate that correctly and only allow
> > both types of channels to be encrypted, which is not possible to pass
> > through a SPI firewall.
> >
> > There are two other sorta widely implemented secure file transfer
> > protocols, SCP and WebDav over TLS/SSL. Either works fine through a
> > SPI firewall, but the consensus for file transfer (at least over the
> > pub net) within the financial services community appears to be
> > converging to FTP over ssh.
> 
> Do you mean sftp, or ftp over an ssh tunnel?
> 
> -Randy
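The SPI firewall problem Randy raises comes down to one thing: a stateful FTP helper has to read the server's PASV/EPSV reply on the control channel to learn which data port to open, and once the control channel is TLS-protected that reply is opaque to it. The small parser below is an added illustration, not code from this thread or from any firewall product; the FTP reply lines and the TLS record are constructed samples, and `data_channel_pinhole` is a hypothetical stand-in for the helper's decision, not a real firewall API.

```python
import re
from typing import Optional, Tuple

# Constructed sample control-channel traffic, as a stateful firewall would
# see it on a cleartext FTP control connection (RFC 959 / RFC 2428 forms).
SAMPLE_PASV = "227 Entering Passive Mode (192,0,2,10,195,80).\r\n"
SAMPLE_EPSV = "229 Entering Extended Passive Mode (|||50000|)\r\n"
SAMPLE_BAD = "227 Entering Passive Mode (192,0,2,10,300,80).\r\n"  # octet > 255
# Constructed bytes shaped like a TLS application-data record header plus
# ciphertext: what the same helper sees once the control channel is encrypted.
SAMPLE_TLS_RECORD = b"\x17\x03\x03\x00\x04\x8a\xb1\xc2\xd3"

_PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
_EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(line: str) -> Optional[Tuple[Optional[str], int]]:
    """Return (host, port) announced for the data connection, or None.

    For 227 (PASV) the host is in the reply; for 229 (EPSV) only the port
    is given and the host is implied to be the control-connection peer.
    Malformed or out-of-range values are rejected rather than guessed.
    """
    m = _PASV_RE.match(line)
    if m:
        nums = [int(x) for x in m.groups()]
        if any(n > 255 for n in nums):
            return None
        host = ".".join(str(n) for n in nums[:4])
        port = nums[4] * 256 + nums[5]
        return (host, port) if port != 0 else None
    m = _EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            return None
        return (None, port)
    return None


def data_channel_pinhole(control_bytes: bytes, server_ip: str) -> Optional[Tuple[str, int]]:
    """Hypothetical stateful-helper decision: which (ip, port) to open for the
    upcoming data connection, or None when nothing can be learned from the
    control channel (not ASCII FTP, e.g. a TLS record, or no passive reply)."""
    try:
        text = control_bytes.decode("ascii")
    except UnicodeDecodeError:
        return None  # encrypted control channel: the helper is blind
    parsed = parse_passive_reply(text)
    if parsed is None:
        return None
    host, port = parsed
    return (host or server_ip, port)


if __name__ == "__main__":
    for label, sample in (("PASV", SAMPLE_PASV.encode()),
                          ("EPSV", SAMPLE_EPSV.encode()),
                          ("bad PASV", SAMPLE_BAD.encode()),
                          ("TLS-protected", SAMPLE_TLS_RECORD)):
        print(label, "->", data_channel_pinhole(sample, "192.0.2.10"))
```

With a cleartext control channel both passive forms resolve to 192.0.2.10:50000 and the helper can open exactly that pinhole; the TLS-protected sample yields nothing, which is why the mode Randy describes (control channel back in the clear after authentication, data channel still encrypted; RFC 4217 provides the CCC command for this) is the only FTPS arrangement such a firewall can track. SFTP avoids the issue entirely because file transfer rides the single SSH TCP connection.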


