Ubuntu Server Guide

Use of FTP is deprecated, server guide should point to SFTP

Bug #912796 reported by Lars Noodén
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ubuntu Server Guide
Fix Released
Undecided
Unassigned

Bug Description

The page for FTP on 10.10
https://help.ubuntu.com/10.10/serverguide/C/ftp-server.html
should have a mention of SFTP at the very top and point the users to a page, or contain a paragraph at the start, on setting up SFTP (which consists only of installing the package 'openssh-server')

There is a very fine page on setting up FTP for Ubuntu, but it is out of date by failing to mention SFTP. Lots of users are finding the FTP guide and struggling through the old instructions to get the FTP server configured and turning to the Forums for help, when actually SFTP would be easier and more appropriate. FTP is both difficult and insecure. By following the guide, the users are making their systems vulnerable. Users, especially novices, should be steered to SFTP instead. See these links for more discussion:
http://blog.jdpfu.com/2011/07/10/why-you-need-to-stop-using-ftp
http://olex.openlogic.com/wazi/2011/stop-using-ftp-how-to-transfer-files-securely/

For clients, there are SFTP clients built into Nautilus, Dolphin and FileZilla, to name just three. As far as I can tell even Kate has SFTP support.

Related branches

lp:~larsnooden/serverguide/serverguide-review-6.1
Peter Matulis: Disapprove
Doug Smythies: Needs Fixing
Diff: 661 lines (+264/-117) (has conflicts)
9 files modified
libs/global.ent (+14/-0)
libs/legalnotice.xml (+5/-0)
libs/ubuntu-banner.xsl (+1/-1)
serverguide/C/backups.xml (+6/-0)
serverguide/C/file-server.xml (+55/-27)
serverguide/C/network-config.xml (+13/-7)
serverguide/C/remote-administration.xml (+113/-60)
serverguide/C/web-servers.xml (+56/-21)
serverguide/C/windows-networking.xml (+1/-1)
Jim Campbell (community): Needs Fixing
Diff: 650 lines (+254/-126)
9 files modified
libs/C/legalnotice.xml (+1/-1)
libs/global.ent (+8/-8)
libs/ubuntu-banner.xsl (+1/-1)
serverguide/C/backups.xml (+6/-0)
serverguide/C/file-server.xml (+55/-27)
serverguide/C/network-config.xml (+13/-7)
serverguide/C/remote-administration.xml (+113/-60)
serverguide/C/web-servers.xml (+56/-21)
serverguide/C/windows-networking.xml (+1/-1)
lp:~dsmythies/serverguide/serverguide-ftp
Peter Matulis: Approve
Diff: 97 lines (+35/-25)
1 file modified
serverguide/C/file-server.xml (+35/-25)
Lars Noodén (larsnooden)
visibility: private → public
Jeremy Bícha (jbicha)
security vulnerability: yes → no
Revision history for this message
Jeremy Bícha (jbicha) wrote :

This is not a security vulnerability and FTP is not deprecated. FTP is still very useful as a means to transfer files to anonymous users (instead of just HTTP) See ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/ for example.

On the other hand, I agree that SFTP should be discussed in the server guide. You're welcome to try writing a guide to setting up SFTP which could be included in the 12.04 edition.

Revision history for this message
Lars Noodén (larsnooden) wrote :

Right. I'm not talking about Anonymous FTP, which is still useful. I am talking about setting up FTP paired with regular shell accounts. That's where the security vulnerability comes in and transmitting login credentials unencrypted is a security vulnerability even if the same also goes for the data.

I haven't tagged the questions on the Forums for retrieval, but about every 2 or 3 days there is a user who is setting up FTP for login using the system usernames/passwords. From time to time I ask how they got fixated on FTP and the answer is usually the 10.10 server guide. So this report is a request to add a line or two to the old guide because it is steering beginners wrong.

So let's fix the 10.10 guide with a line or two pointing to SFTP.

That said, I can contribute to the 12.04. Please point me to the wiki where it is being drafted.

Revision history for this message
Peter Matulis (petermatulis) wrote :

@Lars

Start here:

https://wiki.ubuntu.com/DocumentationTeam/SystemDocumentation/UbuntuServerGuide

Revision history for this message
Jeremy Bícha (jbicha) wrote :

The code for the development version of the server guide is located at https://code.launchpad.net/~ubuntu-core-doc/serverguide

For the website, the code is at https://code.launchpad.net/~ubuntu-core-doc/ubuntu-docs/help.ubuntu.com Ubuntu policy is that the development release needs to be fixed first so do that before working on already released versions.

There is some documentation about how the Docs Team works at https://wiki.ubuntu.com/DocumentationTeam/SystemDocumentation If you need more help, you can also ask on the mailing list: <email address hidden>

Changed in ubuntu-docs (Ubuntu):
importance: Undecided → Medium
Peter Matulis (petermatulis)
affects: ubuntu-docs (Ubuntu) → serverguide
Changed in serverguide:
importance: Medium → Undecided
Revision history for this message
Doug Smythies (dsmythies) wrote :

See the linked MP on the FTP section. Segments of the larger Lars Merge Proposal were split out into smaller Merge proposals for the 12.04 serverguide. However not all of the original ftp section was included.
As the Merge Proposal was aceepted, I am setting this bug to "fix commited", and intend to set it to "fix released" at the proper time. Feel free to debate otherwise.

Changed in serverguide:
status: New → Fix Committed
Doug Smythies (dsmythies)
Changed in serverguide:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.