Solved

Change Password on FTP Server?

Posted on 2009-06-29
10
468 Views
Last Modified: 2013-12-17
Is it possible programmatically change a User's FTP password on the server?

Scenario:  We had a SAS 70 audit recently, and they mentioned one of the features they would like to see is for our customers to be required to change their FTP password every 30 days, and have the ability to change it themselves.  Currently, we set the passwords internally, and then let our customers know what they are.  

Is there a way to do that?  Is it possible?

Thanks.
0
Comment
Question by:VBRocks
  • 6
  • 4
10 Comments
 
LVL 39

Expert Comment

by:abel
ID: 24738289
I'm a bit surprised that SAS let's you keep your FTP server.... Unless you use SFTP, FTPS or SCP, the FTP protocol is very insecure. Passwords are send as plaintext and it only takes a little sniffing around to gain access to an FTP site.

On your request: the FTP protocol itself does not have a way of changing the password. The reason is simple, it would allow an attacker to possibly change the password of a user or the administrator, banning access for that user. In most cases, the FTP users are maintained by the FTP server. In Windows, if you use the FTP server for IIS, it is connected with windows usernames (AD), which is just the more a reason not to use it, as it opens a large hole in your windows security. But, AD can be programmed and users can be changed (but I'm no AD expert).

In other cases, like with WS_FTP server or FileZilla Server the server has a different approach and stores the passwords encrypted in its own user db. Whether these are accessible I don't know, though I remember from FileZilla that it has a programmable interface.

As an alternative approach, you can allow users to place a file with a new password in a special directory (encrypted, I hope), which can be read by the server (monitoring that directory is all it takes). You can automate this with some simple tool on server and client side, but it is not an ideal solution.

-- Abel --
0
 
LVL 39

Expert Comment

by:abel
ID: 24738408
PS: a list of available FTP commands is here: http://www.nsftools.com/tips/RawFTP.htm, so you can check for yourself that something like ChancePassword command does not exist.

If you implement your own FTP server or if you have access to the sources of an FTP server, nothing stops you from adding such commands. But look above on security why that's probably not what you want in the long run....
0
 
LVL 27

Author Comment

by:VBRocks
ID: 24738436
Ok, thanks abel.  Let me research it a little more.

We are using FTPS/HTTPS, by the way.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 39

Expert Comment

by:abel
ID: 24738672
Ah, that's hugely different (FTPS instead of FTP, I mean). If you need help with a chosen path, let me know :)
0
 
LVL 27

Author Comment

by:VBRocks
ID: 24738719
Well, I've actually already written a windows application that is comparable to File Zilla / WS_FTP, although it's not completely finished.  It is working very nice though.  It uses both FTPS and HTTPS to access my company's (WebDAV) server.

The SAS audit we just had last week, and their recommendation for user password changing got me researching it...

Thanks for your help.
0
 
LVL 39

Expert Comment

by:abel
ID: 24738720
Btw, here's an FTP server that supports changing the password of a user. It recognizes it as an extension and not a standard to the protocol. You may consult the documentation of your ftp server in case it supports something similar: http://wiki.builtbp.com/index.php/Change_Password_Remotely
0
 
LVL 27

Author Comment

by:VBRocks
ID: 24739486
abel - How could we go about adding a custom command to our FTP server?

0
 
LVL 39

Expert Comment

by:abel
ID: 24739503
Well, that highly depends on what FTP server you are using and not all of them allow it (which is why I mentioned the workaround with the file). You said you were building one yourself, in which case you have full control, but you aren't using your own implementation yet, correct? (and you should be aware that building a fully fledged FTP server is quite some years work, though the basics are easy).

Can you update with what FTP server you are using?
0
 
LVL 27

Author Comment

by:VBRocks
ID: 24739540
Windows Server 2008 / IIS 7.
0
 
LVL 39

Accepted Solution

by:
abel earned 500 total points
ID: 24739658
I'm afraid that IIS does not support creating custom commands in version 7. However, if you can upgrade to the new version 7.5 (only for Windows 2008) you may have some possibilities. I haven't tried this myself, but here are a few guidelines on how to extend FTP 7.5: http://learn.iis.net/page.aspx/590/developing-for-ftp-75/

Alternatively, if you care going to another FTP server, you can consider GlobalScape, which supports hand-written commands natively and easily: http://help.globalscape.com/help/secureserver2/Custom_command_example.htm

I'm sorry that a seemingly simple request is not that simple to solve ... ;-)

-- Abel --
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

When it comes to showing a 404 error page to your visitors, you do not want that generic page to show, and you especially do not want your hosting provider’s ad error page to show either. In this article, I will show you how to enable the custom 40…
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question