How to ensure passwords are not sent in clear text


2003-03-28 18:13:59

I probably should have posted this before buying our 10 or so licenses :oops:

My company needs to make sure that our passwords are not sent in clear text. We don't care about encrypting the data; just the password during the connection phase. Is SmartFTP capable of this, or do I need to install something on our server?

We are using a Sun Cobalt RaQ3 server appliance which supposedly supports 56-bit SSL and SSH.

John Vallelunga, Agilent Technologies


2003-03-28 18:51:46

SmartFTP does support SSL, and when connecting to an SSL-enabled server, the password is encrypted at the front door.

So the answer to your question is "Yes". SmartFTP encrypts the password as it's being sent to the remote server.


2003-04-02 15:47:33

You will also need to be using an FTP server that uses SSL. There are two major ways this has been implemented.

One is called "implicit" SSL-enabled FTP. This works like HTTPS does, in that everyone assumes that all connections are always SSL-encrypted. It is usually assigned to run on port 900 (instead of 21 for control) and port 899 (instead of 20 for data).

The other, standardized way is called "explicit" SSL, and follows RFC 2228. It uses new FTP commands (e.g. AUTH TLS, PBSZ 0, and PROT P) to manage the encryption (SSL aka TLS).

SmartFTP can connect to either type of server.

The major task you have before you is getting your FTPS server running. An SSL-aware client like SmartFTP cannot magically "make" your server become SSL-aware. There are many servers to choose from and many of them are available for non-Microsoft servers as well.

See for all of the options available to you.
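
The explicit-mode exchange described in the post above, as an added example that is not part of the original thread: a small Python check over a client-side control-channel log that confirms USER and PASS are only sent after the server accepts AUTH with a 234 reply, and that PROT P was accepted for the data channel. The "C:"/"S:" log format, the function name and both sample logs are constructed for illustration.

```python
# Constructed client-side control-channel logs ("C:" client, "S:" server).
EXPLICIT_TLS_LOG = """\
S: 220 FTP server ready
C: AUTH TLS
S: 234 AUTH TLS successful
C: USER jdoe
S: 331 Password required
C: PASS ********
S: 230 User logged in
C: PBSZ 0
S: 200 PBSZ=0
C: PROT P
S: 200 Protection level set to Private
"""

PLAIN_LOG = """\
S: 220 FTP server ready
C: AUTH TLS
S: 500 AUTH not understood
C: USER jdoe
S: 331 Password required
C: PASS ********
S: 230 User logged in
"""

def audit_control_channel(log):
    """Return findings for an explicit-mode FTP session log (hypothetical helper)."""
    findings = []
    tls_active = False      # True once the server accepts AUTH with a 234 reply
    data_private = False    # True once the server accepts PROT P
    pending = None          # last client command still awaiting its reply
    for line in log.splitlines():
        side, _, text = line.partition(": ")
        if side not in ("C", "S"):
            continue
        if side == "C":
            pending = text.upper().split()
            if pending and pending[0] in ("USER", "PASS") and not tls_active:
                findings.append(f"{pending[0]} sent before TLS was negotiated")
        elif pending:
            code = text[:3]
            if pending[0] == "AUTH" and code == "234":
                tls_active = True
            elif pending[:2] == ["PROT", "P"] and code.startswith("2"):
                data_private = True
            pending = None
    if not data_private:
        findings.append("data channel not set to PROT P")
    return findings
```

The second sample shows the failure worth watching for: the server rejects AUTH TLS and the client carries on with a plain login anyway.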



2003-04-02 18:01:59

Thanks Mike, very nice explanation