Use of FTP is deprecated, server guide should point to SFTP

Reported by Lars Noodén on 2012-01-06
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ubuntu Server Guide
Undecided
Unassigned

Bug Description

The page for FTP on 10.10
https://help.ubuntu.com/10.10/serverguide/C/ftp-server.html
should have a mention of SFTP at the very top and point the users to a page, or contain a paragraph at the start, on setting up SFTP (which consists only of installing the package 'openssh-server')

There is a very fine page on setting up FTP for Ubuntu, but it is out of date by failing to mention SFTP. Lots of users are finding the FTP guide and struggling through the old instructions to get the FTP server configured and turning to the Forums for help, when actually SFTP would be easier and more appropriate. FTP is both difficult and insecure. By following the guide, the users are making their systems vulnerable. Users, especially novices, should be steered to SFTP instead. See these links for more discussion:
http://blog.jdpfu.com/2011/07/10/why-you-need-to-stop-using-ftp
http://olex.openlogic.com/wazi/2011/stop-using-ftp-how-to-transfer-files-securely/

For clients, there are SFTP clients built into Nautilus, Dolphin and FileZilla, to name just three. As far as I can tell even Kate has SFTP support.

visibility: private → public
Jeremy Bicha (jbicha) on 2012-01-06
security vulnerability: yes → no
Jeremy Bicha (jbicha) wrote :

This is not a security vulnerability and FTP is not deprecated. FTP is still very useful as a means to transfer files to anonymous users (instead of just HTTP) See ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/ for example.

On the other hand, I agree that SFTP should be discussed in the server guide. You're welcome to try writing a guide to setting up SFTP which could be included in the 12.04 edition.

Lars Noodén (larsnooden) wrote :

Right. I'm not talking about Anonymous FTP, which is still useful. I am talking about setting up FTP paired with regular shell accounts. That's where the security vulnerability comes in and transmitting login credentials unencrypted is a security vulnerability even if the same also goes for the data.

I haven't tagged the questions on the Forums for retrieval, but about every 2 or 3 days there is a user who is setting up FTP for login using the system usernames/passwords. From time to time I ask how they got fixated on FTP and the answer is usually the 10.10 server guide. So this report is a request to add a line or two to the old guide because it is steering beginners wrong.

So let's fix the 10.10 guide with a line or two pointing to SFTP.

That said, I can contribute to the 12.04. Please point me to the wiki where it is being drafted.

Jeremy Bicha (jbicha) wrote :

The code for the development version of the server guide is located at https://code.launchpad.net/~ubuntu-core-doc/serverguide

For the website, the code is at https://code.launchpad.net/~ubuntu-core-doc/ubuntu-docs/help.ubuntu.com Ubuntu policy is that the development release needs to be fixed first so do that before working on already released versions.

There is some documentation about how the Docs Team works at https://wiki.ubuntu.com/DocumentationTeam/SystemDocumentation If you need more help, you can also ask on the mailing list: <email address hidden>

Changed in ubuntu-docs (Ubuntu):
importance: Undecided → Medium
affects: ubuntu-docs (Ubuntu) → serverguide
Changed in serverguide:
importance: Medium → Undecided
Doug Smythies (dsmythies) wrote :

See the linked MP on the FTP section. Segments of the larger Lars Merge Proposal were split out into smaller Merge proposals for the 12.04 serverguide. However not all of the original ftp section was included.
As the Merge Proposal was aceepted, I am setting this bug to "fix commited", and intend to set it to "fix released" at the proper time. Feel free to debate otherwise.

Changed in serverguide:
status: New → Fix Committed
Changed in serverguide:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers