FTP Control Connection Establishment, User Authentication and Anonymous FTP Access
(Page 2 of 3)
FTP Login Sequence and Authentication
FTPs regular authentication scheme is quite rudimentary: it is a simple username / password login scheme, shown in Figure 289. Most of us are familiar with this type of authentication for various types of access, on the Internet and elsewhere. First, the user is identified by sending a user name from the User-PI to the Server-PI using the USER command. Then, the user's password is sent using the PASS command.
The server checks the user name and password against its user database, to verify that the connecting user has valid authority to access the server. If the information is valid, the server sends back a greeting to the client to indicate that the session is opened. If the user improperly authenticates (by specifying an incorrect user name or password), the server will request that the user attempt authorization again. After a number of invalid authorization tries, the server may time out and terminate the connection.
Assuming that the authentication succeeds, the server then sets up the connection to allow the type of access to which the user is authorized. Some users may have access to only certain files or certain types of files. Some servers may allow particular users to read and write files on the server, while other users may only retrieve files. The administrator can thus tailor FTP access as needed.
Once the connection is established, the server can also make resource selection decisions based on the user's identity. For example, on a system with multiple users, the administrator can set up FTP so that when any user connects, he or she automatically is taken to his or her own home directory. The optional ACCT (account) command also allows a user to select a particular account if he or she has more than one.
Like most older protocols, the simple login scheme used by FTP is a legacy of the relatively closed nature of the early Internet. It is not considered secure by today's global Internet standards, because the user name and password are sent across the control connection in clear text. This makes it relatively easy for login information to be intercepted by intermediate systems and accounts to be compromised. RFC 2228, FTP Security Extensions, defines more sophisticated authentication and encryption options for those who need added security in their FTP software.
Home - Table Of Contents - Contact Us
The TCP/IP Guide (http://www.TCPIPGuide.com)
Version 3.0 - Version Date: September 20, 2005
© Copyright 2001-2005 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.