Newsgroup: comp.security.misc

#1  12-17-2006, 11:00 AM
Marcus Mender
What is the difference between ftp encryption types SSL, TLS, SFTP and SSH ?

I have seen a couple of different encryption types for ftp connections:

TLS
SSL
SFTP
SSH

Ok, provided an ftp server offers all these types: which type should I choose
to set up the ftp server or to select from the ftp client's view ?

Is the security for all these types similar and the difference refers only to different protocols?

What are the pros and cons ?

Marcus


#2  12-20-2006, 06:39 PM
Alun Jones
Re: What is the difference between ftp encryption types SSL, TLS, SFTP and SSH ?

"Marcus Mender" <mmmm@buzz.com> wrote in message
news:4585316a$0$27617$9b4e6d93@newsspool2.arcor-online.net...
>I have seen a couple of different encryption types for ftp connections:
>
> TLS
> SSL


TLS and SSL are two versions of the same protocol (SSL comes in versions 2.0
and 3.0, TLS comes in versions 1.0 and 1.1 - TLS 1.0 is SSL 3.1).

FTP has been extended by a standard that describes the operation of FTP over
SSL and TLS. This extension is commonly known as FTPS. It's a relatively
obvious means of adding security to FTP.

> SFTP
> SSH


These are nothing to do with FTP.

SSH stands for "Secure SHell" - as such, it establishes a secured connection
for a logon shell. Unless your FTP users are significantly trusted, you
don't want them running commands on your system, so you won't want them
connecting to SSH. Same for SFTP, which is simply a file transfer mechanism
added on top of SSH (i.e. you need SSH in order to implement SFTP - so SFTP
users are SSH users and can log on and issue commands)

> Ok, provided an ftp server offers all these types: which type should I
> choose to set up the ftp server or to select from the ftp client's view ?
>
> Is the security for all these types similar and the difference refers only
> to different protocols?


The encryption and authentication schemes will be similar - the security is
not, because FTPS (FTP over TLS and SSL) allows only for usual FTP
activities (generally, this is file transfer), whereas SFTP and SSH allow
for the user to execute commands that will run on the server.

> What are the pros and cons ?


FTPS allows transfer of files; SFTP / SSH allow transfer of files and
execution of commands through a protocol whose primary designed purpose is
to execute commands on the server.

If you're looking to allow your users to execute commands, go with SSH /
SFTP; if you only want them to be able to transfer files, choose the
protocol (FTPS) that is designed to allow just that.

Alun.
~~~~



#3  12-21-2006, 02:01 AM
Richard E. Silverman
Re: What is the difference between ftp encryption types SSL, TLS, SFTP and SSH ?

>>>>> "AJ" == Alun Jones <alun@texis.invalid> writes:

AJ> SSH stands for "Secure SHell" - as such, it establishes a secured
AJ> connection for a logon shell. Unless your FTP users are
AJ> significantly trusted, you don't want them running commands on
AJ> your system, so you won't want them connecting to SSH. Same for
AJ> SFTP, which is simply a file transfer mechanism added on top of
AJ> SSH (i.e. you need SSH in order to implement SFTP - so SFTP users
AJ> are SSH users and can log on and issue commands)

This is not necessarily true. sftp uses an SSH subsystem to start the
sftp server. Some SSH servers allow you to specify that certain users may
only initiate subsystems and not exec or shell channels. Even in those
that don't, you can make the account shell something which will only run
sftp-server.

--
Richard Silverman
res@qoxp.net
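
The two restrictions described in the post above (a forced sftp subsystem, or a login shell that only runs sftp-server) can be checked per account. The following Python audit is an added example, not part of the original thread: it assumes OpenSSH-style `Match` / `ForceCommand internal-sftp` syntax, supports only `User` and `Group` criteria without negation, and runs on a constructed config and constructed accounts.

```python
import fnmatch
import posixpath

# Constructed samples (assumed OpenSSH syntax): config text, and name -> (groups, login shell).
SAMPLE_SSHD_CONFIG = """\
Subsystem sftp internal-sftp
Match Group sftponly
    ForceCommand internal-sftp
"""
SAMPLE_ACCOUNTS = {
    "alice": ({"sftponly"}, "/bin/bash"),
    "bob": ({"users"}, "/usr/libexec/sftp-server"),
    "carol": ({"users"}, "/bin/bash"),
}

def block_matches(criteria, user, groups):
    """All User/Group criteria must match; anything else fails closed."""
    words = criteria.split()
    if not words or len(words) % 2:
        return False
    for key, patterns in zip(words[::2], words[1::2]):
        names = {"user": {user}, "group": set(groups)}.get(key.lower())
        if names is None or "!" in patterns:
            return False  # unsupported criterion or negation: assume no restriction
        if not any(fnmatch.fnmatchcase(n, p) for n in names for p in patterns.split(",")):
            return False
    return True

def forced_command(config, user, groups):
    """Effective ForceCommand: a matching Match block overrides the global section."""
    in_match, active, found = False, True, {}
    for raw in config.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        keyword, rest = parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match, active = True, block_matches(rest, user, groups)
        elif keyword == "forcecommand" and active:
            found.setdefault("match" if in_match else "global", rest)  # first value wins
    return found.get("match", found.get("global"))

def classify(config, user, groups, shell):
    forced = forced_command(config, user, groups)
    if forced and forced.split()[0] == "internal-sftp":
        return "sftp-only (forced subsystem)"
    if forced is None and posixpath.basename(shell) == "sftp-server":
        return "sftp-only (login shell)"
    return "shell or exec possible"
```

Any account reported as "shell or exec possible" can still open a shell or exec channel as far as this check can tell, including accounts matched only by criteria the parser does not understand.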


#4  12-21-2006, 04:19 PM
Alun Jones
Re: What is the difference between ftp encryption types SSL, TLS, SFTP and SSH ?

"Richard E. Silverman" <res@qoxp.net> wrote in message
news:m2zm9iq7dy.fsf@darwin.oankali.net...
>>>>>> "AJ" == Alun Jones <alun@texis.invalid> writes:

>
> AJ> SSH stands for "Secure SHell" - as such, it establishes a secured
> AJ> connection for a logon shell. Unless your FTP users are
> AJ> significantly trusted, you don't want them running commands on
> AJ> your system, so you won't want them connecting to SSH. Same for
> AJ> SFTP, which is simply a file transfer mechanism added on top of
> AJ> SSH (i.e. you need SSH in order to implement SFTP - so SFTP users
> AJ> are SSH users and can log on and issue commands)
>
> This is not necessarily true. sftp uses an SSH subsystem to start the
> sftp server. Some SSH servers allow you to specify that certain users may
> only initiate subsystems and not exec or shell channels. Even in those
> that don't, you can make the account shell something which will only run
> sftp-server.


Thanks for the correction.

I'm still inclined to suggest that if you don't want to provide shell
access, it's more secure to rely on software that doesn't have shell access
as a feature, than to rely on one that can be configured not to provide it.

Alun.
~~~~


