[Zope] ssh (more)

Toby Dickenson tdickenson@geminidataloggers.com
Fri, 22 Mar 2002 15:54:40 +0000


On Fri, 22 Mar 2002 09:09:31 -0600 (CST), "Robert Hood, Ph.D."
<rhood@mtsu.edu> wrote:

> and to use sftp and ssh for
>access.

That makes sense.

>  I currently sometimes ftp things to zope.  I do not have any
>packages installed that give zope file system access, so I don't really
>think zope's ftp port would be a security hazard (and my own view is =
that
>my machine does not have any national security type stuff on it, so that
>this request may be going a bit far). =20

The risk is that your zope password is transmitted in the clear across
your network.

I dont think their requests is unreasonable. Anyone with physical
access to your network can break into your zope server. If you
accidentally type a password for a different system into the zope ftp
prompt, then that can break into that other system too.

The same is true of authentication over http too; I guess this hasnt
hit your security people's radar yet.

>Suggestions appreciated.

Use a secure method to copy files across the network onto the zope
machine; scp is ok, but a network filesystem may be easier. Then use
ssh to log on to that machine, and use a local ftp to transfer things
into zope. There is no security problem with ftp that does not cross a
network.



Toby Dickenson
tdickenson@geminidataloggers.com