On Thu, Jun 28, 2012 at 04:24:43PM -0300, francis picabia wrote:
> On Thu, Jun 28, 2012 at 12:35 PM, Shane Johnson
> <s...@rasmussenequipment.com> wrote:
>
> > Please remember that FTP by nature is insecure. All it would take is
> > for someone to packet sniff the connection and they would have the
> > user name and password to the account as they are transmitted in plain
> > text.
>
> Yes, this is all correct. However filezilla does sftp as well and
> SFTP session passwords are also saved in this plain text file as
> a human readable password. That typically translates to SSH access.
>

True, but you can restrict certain users to SFTP access only. I do that,
and I only allow SSH access with public key authentication.

> In case this is lost on anyone, we are NOT talking about sniffing, but
> drive by malware reading a plain text file on the client OS containing
> the password.
> Even if you do not check the box for saving the password, the most
> recent entered password is saved there.
>

I notice that GFTP, for example, does not seem to save any passwords
unless you 1) create a bookmark for the connection, and 2) check the
"Remember Password" box. That seems like a sensible way to do it, but
you will still be at risk with an unsavvy user and/or malware on the
machine. Malware can be in the form of a key logger, which will get
anything you type. Unsavvy users will typically check a box in the name
of convenience, and give little thought to the security implications.

-Rob

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120629020026.gc5...@aurora.owens.net
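
An added example, not part of the original message and not FileZilla's own code: a Python audit that reports which saved server entries in a FileZilla-style XML file carry a stored password, as the thread describes, without ever printing the password. The element names (`Server`, `Host`, `Protocol`, `User`, `Pass`) and the protocol codes are assumptions about the FileZilla 3 file layout, and the sample data is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout assumed for FileZilla 3's saved-server
# files (e.g. recentservers.xml). Hosts, users and secrets are made up.
SAMPLE = """<FileZilla3>
  <RecentServers>
    <Server>
      <Host>ftp.example.org</Host><Port>21</Port><Protocol>0</Protocol>
      <User>alice</User><Pass>constructed-secret</Pass>
    </Server>
    <Server>
      <Host>sftp.example.org</Host><Port>22</Port><Protocol>1</Protocol>
      <User>bob</User><Pass encoding="base64">Y29uc3RydWN0ZWQ=</Pass>
    </Server>
    <Server>
      <Host>keys.example.org</Host><Port>22</Port><Protocol>1</Protocol>
      <User>carol</User>
    </Server>
  </RecentServers>
</FileZilla3>"""

# Assumed protocol codes: 0 = FTP, 1 = SFTP.
PROTOCOLS = {"0": "FTP", "1": "SFTP"}

def audit_saved_passwords(xml_text):
    """Return one finding per <Server> entry that has a stored password.
    Only the storage form is reported, never the password itself."""
    findings = []
    for server in ET.fromstring(xml_text).iter("Server"):
        pw = server.find("Pass")
        if pw is None or not (pw.text or "").strip():
            continue  # nothing saved for this entry
        # base64 is an encoding, not encryption: anyone who can read the
        # file can reverse it, so it is flagged like plain text.
        encoding = pw.get("encoding")
        storage = "plain text" if encoding is None else encoding + " (reversible)"
        proto = server.findtext("Protocol", default="?")
        findings.append({
            "host": server.findtext("Host", default="?"),
            "user": server.findtext("User", default="?"),
            "protocol": PROTOCOLS.get(proto, "other (%s)" % proto),
            "storage": storage,
        })
    return findings

if __name__ == "__main__":
    for f in audit_saved_passwords(SAMPLE):
        print("{host}: {user} via {protocol}, password stored as {storage}".format(**f))
```

Entries flagged for SFTP matter most for the concern raised in the thread, since that password usually also grants SSH access unless the account is restricted to SFTP or password logins are disabled.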