On Fri, 17 Sep 2010, Michel van Deventer wrote:

> > (another in an ongoing list of things i just want to clarify for the
> > sake of future courses taught on centos.)
> >
> > from this RHEL doc page:
> >
> > http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-openssh-server-config.html
> >
> > the reader is advised to, for the sake of security, remove/disable
> > vsftpd, ostensibly in favour of sftp/sftp-server. really?
> >
> > i can obviously see disallowing stuff like telnet and rsh and
> > rlogin, that's a no-brainer. but advising against vsftpd for the sake
> > of security? i'm not sure i see the logic in that. thoughts?
>
> As FTP is a clear-text protocol, I would surely advise against
> leaving it on :) I only run a vsftpd server on one of my machines
> for the customers' comfort, but that will change in the near future !
>
> I can easily imagine scenarios where unencrypted traffic with
> usernames/passwords is disallowed.

but you can configure vsftpd to have a secure connection:

http://wiki.vpslink.com/Configuring_vsftpd_for_secure_connections_(TLS/SSL/SFTP)

would that not address that issue? i'm not arguing against secure
communications, only that that manual page so cavalierly dismisses
vsftpd when it seems clear that you *can* configure vsftpd to be
secure.

rday

--
========================================================================
Robert P. J. Day                               Waterloo, Ontario, CANADA

        Top-notch, inexpensive online Linux/OSS/kernel courses
                        http://crashcourse.ca

Twitter:                                       http://twitter.com/rpjday
LinkedIn:                               http://ca.linkedin.com/in/rpjday
========================================================================