Re: IAFA WG minutes

Kurt Jaeger aka PI <Kurt.Jaeger@rus.uni-stuttgart.de> Sun, 09 August 1992 12:27 UTC

Received: from ietf.nri.reston.va.us by IETF.NRI.Reston.VA.US id aa09332; 9 Aug 92 8:27 EDT
Received: from NRI.NRI.Reston.Va.US by IETF.NRI.Reston.VA.US id aa09328; 9 Aug 92 8:27 EDT
Received: from kona.CC.McGill.CA by NRI.Reston.VA.US id aa06767; 9 Aug 92 8:28 EDT
Received: by kona.cc.mcgill.ca (5.65a/IDA-1.4.2b/CC-Guru-2b) id AA00844 on Sun, 9 Aug 92 06:45:06 -0400
Received: from noc.BelWue.DE by kona.cc.mcgill.ca with SMTP (5.65a/IDA-1.4.2b/CC-Guru-2b) id AA00840 (mail destined for /usr/lib/sendmail -odq -oi -fiafa-request iafa-out) on Sun, 9 Aug 92 06:44:59 -0400
Received: from helpdesk.rus.uni-stuttgart.d (helpdesk.rus.uni-stuttgart.de) by noc.BelWue.DE with SMTP id AA06895 (5.65c/BelWue-M2.03 for <iafa@cc.mcgill.ca>); Sun, 9 Aug 1992 12:44:45 +0200
Received: by helpdesk.rus.uni-stuttgart.de (5.52/BelWue-1.0SG(subsidiary)) (for ietf-ftpext@ucdavis.edu) id AA07105; Sat, 8 Aug 92 19:58:37 MST
From: Kurt Jaeger aka PI <Kurt.Jaeger@rus.uni-stuttgart.de>
Message-Id: <9208081758.AA07105@helpdesk.rus.uni-stuttgart.de>
Subject: Re: IAFA WG minutes
To: iafa@cc.mcgill.ca, ietf-ftpext@ucdavis.edu
Date: Sat, 08 Aug 1992 19:58:36 -0700
In-Reply-To: <9208080513.AA28409@expresso.cc.mcgill.ca>; from "Peter Deutsch" at Aug 8, 92 5:13 am
Reply-To: PI <pi@helpdesk.rus.uni-stuttgart.de>

Hi!

> 11) In discussing the section on security, it was pointed out that a
>     number of sites continue to run anonymous FTP archives to exchange
>     non-public information. Such sites function without password
>     protection and the information so stored is publicly available via
>     the standard anonymous FTP login procedure. It was agreed that a
>     strengthened section on security would specifically warn against this
>     practice, as it constitutes a form of "security through obscurity"
>     that is not endorsed and which has already been shown to be
>     problematic in practice.

To solve those kinds of problems, I sat down a few days ago and patched
the wuarchive ftpd to allow the use of the special login "pin" (should
have been TAN for transaction number, but what the heck). Combined
with a one-time password, users are allowed into a special directory
containing exactly the stuff they are allowed to get.

Once the authorization is done, the unique pin is invalidated in the
pin file. A sample session looks like this:

------snap------

nn$ ./ftp localhost
Connected to loopback.
220 rusmv1 FTP server (Version 6.15 Sat Aug 8 19:43:37 MET DST 1992) ready.
Name (localhost:zrzr0111): pin
332 PIN login ok, send PIN as password.
Password:
230 PIN login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
total 5
drwxr-xr-x  5 infoadm  111           512 Jul 31 16:32 .
drwxr-xr-x  5 infoadm  111           512 Jul 31 16:32 ..
drwxr-xr-x  2 infoadm  111           512 Jul 31 16:34 bin
drwxr-xr-x  2 infoadm  111           512 Jul 31 16:32 etc
drwxr-xr-x  2 infoadm  111           512 Jul 31 16:32 pub
226 Transfer complete.
ftp> quit
221 Goodbye.

------snap------

The patch is available on the site ftp.uni-stuttgart.de [129.69.1.12]
in the directory soft/kommunikation/news/ftpd as file ftpd.pin.patch.

An example setup can be seen in soft/kommunikation/news/tmp/ftpd (with
the pins and packages file). The pin ftpd is running on
ftp.uni-stuttgart.de on port 1550 (instead of the standard port 21).

This method is *very* useful if you have to distribute commercial
software for campus licenses and no (wo)man power to handle the
paperwork. Just issue simple PINs for the licensees and let
them ftp the stuff.

It is for test purposes only. As I said, nothing very official etc,
but highly useable. If anyone is interested, I'll clean it up and
submit it to the official holders of the source 8)

Maybe this is an idea for ietf-ftpext@ucdavis.edu, too?

		So long, PI

-- 
PI at the User Help Desk Comp.Center U of Stuttgart, FRG      28 Years to go ! 
SMTP: pi@rus.uni-stuttgart.de    Phone: +49 711 685-4828
X.400: pi@rus.uni-stuttgart.dbp.de
Bitnet: zrzr0111@ds0rus54.bitnet       (aka Kurt Jaeger)
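
The invalidate-on-use step described in the message, as an added example that is not part of the original post and not taken from ftpd.pin.patch: a one-time PIN is looked up under an exclusive lock and marked used on disk before the restricted directory is returned, so two sessions presenting the same PIN cannot both succeed. The pin file format ("<pin> <directory>" per line), the names redeem_pin and ct_equal, and the sample PINs and paths are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/file.h>   /* flock() */
#include <unistd.h>     /* fsync() */

/* Compare without stopping at the first differing byte. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < la && i < lb; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Assumed pin file format: "<pin> <directory>" per line, under 255 bytes.
 * Returns 1 and fills dir if the PIN was valid and is now consumed,
 * 0 if it is unknown or already used, -1 on I/O error. */
int redeem_pin(const char *path, const char *pin, char *dir, size_t dirlen) {
    char line[256], p[64], d[128];
    long start = 0;
    int rc = 0;
    FILE *f = fopen(path, "r+");
    if (!f) return -1;
    /* Exclusive lock: sessions presenting the same PIN are serialized. */
    if (flock(fileno(f), LOCK_EX) != 0) { fclose(f); return -1; }
    while (fgets(line, sizeof line, f)) {
        if (line[0] != '#' && sscanf(line, "%63s %127s", p, d) == 2 && ct_equal(p, pin)) {
            /* Invalidate before granting: mark the line used and force it to disk. */
            if (fseek(f, start, SEEK_SET) != 0 || fputc('#', f) == EOF ||
                fflush(f) != 0 || fsync(fileno(f)) != 0) { rc = -1; break; }
            snprintf(dir, dirlen, "%s", d);
            rc = 1;
            break;
        }
        start = ftell(f);   /* offset of the next line's first byte */
    }
    fclose(f);              /* closing the descriptor releases the lock */
    return rc;
}

int main(void) {            /* constructed sample data, not the pins file from the post */
    char dir[128] = "";
    FILE *f = fopen("pins_example.txt", "w");
    if (!f) return 1;
    fputs("483920 /pkg/compiler\n771204 /pkg/editor\n", f);
    fclose(f);
    printf("first use:  %d %s\n", redeem_pin("pins_example.txt", "483920", dir, sizeof dir), dir);
    printf("second use: %d\n", redeem_pin("pins_example.txt", "483920", dir, sizeof dir));
    return 0;
}
```

A consumed line begins with '#', and such lines are skipped, so neither the original PIN nor its marked form can be replayed.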