On Fri, 22 Mar 2002 09:09:31 -0600 (CST), "Robert Hood, Ph.D." <rhood@mtsu.edu> wrote:
and to use sftp and ssh for access.
That makes sense.
I currently sometimes ftp things to zope. I do not have any packages installed that give zope file system access, so I don't really think zope's ftp port would be a security hazard (and my own view is that my machine does not have any national security type stuff on it, so that this request may be going a bit far).
The risk is that your zope password is transmitted in the clear across your network. I dont think their requests is unreasonable. Anyone with physical access to your network can break into your zope server. If you accidentally type a password for a different system into the zope ftp prompt, then that can break into that other system too. The same is true of authentication over http too; I guess this hasnt hit your security people's radar yet.
Suggestions appreciated.
Use a secure method to copy files across the network onto the zope machine; scp is ok, but a network filesystem may be easier. Then use ssh to log on to that machine, and use a local ftp to transfer things into zope. There is no security problem with ftp that does not cross a network. Toby Dickenson tdickenson@geminidataloggers.com