[Zope] ssh (more)
Toby Dickenson
tdickenson@geminidataloggers.com
Fri, 22 Mar 2002 15:54:40 +0000
On Fri, 22 Mar 2002 09:09:31 -0600 (CST), "Robert Hood, Ph.D."
<rhood@mtsu.edu> wrote:
> and to use sftp and ssh for
>access.
That makes sense.
> I currently sometimes ftp things to zope. I do not have any
>packages installed that give zope file system access, so I don't really
>think zope's ftp port would be a security hazard (and my own view is =
that
>my machine does not have any national security type stuff on it, so that
>this request may be going a bit far). =20
The risk is that your zope password is transmitted in the clear across
your network.
I dont think their requests is unreasonable. Anyone with physical
access to your network can break into your zope server. If you
accidentally type a password for a different system into the zope ftp
prompt, then that can break into that other system too.
The same is true of authentication over http too; I guess this hasnt
hit your security people's radar yet.
>Suggestions appreciated.
Use a secure method to copy files across the network onto the zope
machine; scp is ok, but a network filesystem may be easier. Then use
ssh to log on to that machine, and use a local ftp to transfer things
into zope. There is no security problem with ftp that does not cross a
network.
Toby Dickenson
tdickenson@geminidataloggers.com