[Zope] Securing ftp access?

Paul Browning paul.browning@bristol.ac.uk
Fri, 27 Oct 2000 16:07:10 +0100 (GMT Daylight Time)


Our local CERT-type person mailed me the following and
I replied as follows. Could I have given a better answer?

> I notice that zope comes with an FTP server which, by default, runs on port
> 8021. There's one running on "stingray", as I write, which seems to accept 
> any and all combinations of usernames/passwords (valid or otherwise), 
> although *I* don't seem to be able to do/see anything with any of the ones
> I've tried. 

Hmmm. Hadn't noticed that before. Even if you disable the FTP Access
permission for the role Manager (as well as Anonymous) it's still
the same. But, as you note, you can't do very much.

> Anyway, that's an aside. What my question is is "how can this 
> service be used such that usernames/passwords are transmitted securely?"

Don't know. Does SSL (whether Zope is behind Apache or not) only apply
to http stuff? My understanding is that Zope incorporates the Medusa server.

There is a reference on the Medusa web page (http://www.nightmare.com/medusa/)
to "SSL and Medusa with STunnel". An exercise left for the ambitious reader?

Meanwhile I observe that if you set a Domains restriction for a
particular user (done via the acl_users Folder) it applies to
both ftp and http clients (and presumably WebDAV too) - though
at first it doesn't seem so via ftp because you can login, but
you can't actually do anything (just like Richard reports with
any username/password).

So, an imperfect answer to your question might be "disallow ftp
access from outside our local domain and then keep your fingers 
crossed".

TIA. Paul

--
 The Library, Tyndall Avenue, Univ. of Bristol, Bristol, BS8 1TJ, UK
     E-mail: paul.browning@bris.ac.uk  URL: http://www.bris.ac.uk/
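An added illustration of the behaviour described above (not code from the original post, and not Zope's own implementation): the FTP login appears to succeed for anyone, but each operation is then gated on the user's FTP Access permission and the Domains restriction set in acl_users. The pattern forms ('*.bristol.ac.uk', '192.0.2.*') and the user table are assumptions modelled on that Domains field; it says nothing about protecting the password in transit, which is the original question.

```python
from fnmatch import fnmatchcase

def domain_spec_match(specs, client_host, client_ip):
    """True if the client matches any spec. Empty spec list means no restriction.
    Spec forms assumed here: hostname with wildcard ('*.bristol.ac.uk') or
    dotted IP prefix with wildcard ('192.0.2.*')."""
    if not specs:
        return True
    # The hostname normally comes from a reverse DNS lookup the client's network
    # controls, so prefer address patterns when the rule must actually hold.
    host = (client_host or "").lower().rstrip(".")
    for spec in specs:
        spec = spec.strip().lower()
        if not spec:
            continue
        if spec.replace("*", "").replace(".", "").isdigit():
            if fnmatchcase(client_ip, spec):      # numeric spec: match the address
                return True
        elif host and fnmatchcase(host, spec):    # otherwise a hostname pattern
            return True
    return False

# Constructed user table standing in for acl_users (assumption, not Zope data)
USERS = {
    "paul": {"domains": ["*.bristol.ac.uk", "192.0.2.*"],
             "permissions": {"FTP access", "View"}},
}

def ftp_operation_allowed(username, client_host, client_ip):
    """Per-operation check: the earlier 'login' proves nothing on its own."""
    user = USERS.get(username)
    if user is None or "FTP access" not in user["permissions"]:
        return False
    return domain_spec_match(user["domains"], client_host, client_ip)
```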