Solved

Change Password on FTP Server?

Posted on 2009-06-29
10
466 Views
Last Modified: 2013-12-17
Is it possible programmatically change a User's FTP password on the server?

Scenario:  We had a SAS 70 audit recently, and they mentioned one of the features they would like to see is for our customers to be required to change their FTP password every 30 days, and have the ability to change it themselves.  Currently, we set the passwords internally, and then let our customers know what they are.  

Is there a way to do that?  Is it possible?

Thanks.
0
Comment
Question by:VBRocks
  • 6
  • 4
10 Comments
 
LVL 39

Expert Comment

by:abel
ID: 24738289
I'm a bit surprised that SAS let's you keep your FTP server.... Unless you use SFTP, FTPS or SCP, the FTP protocol is very insecure. Passwords are send as plaintext and it only takes a little sniffing around to gain access to an FTP site.

On your request: the FTP protocol itself does not have a way of changing the password. The reason is simple, it would allow an attacker to possibly change the password of a user or the administrator, banning access for that user. In most cases, the FTP users are maintained by the FTP server. In Windows, if you use the FTP server for IIS, it is connected with windows usernames (AD), which is just the more a reason not to use it, as it opens a large hole in your windows security. But, AD can be programmed and users can be changed (but I'm no AD expert).

In other cases, like with WS_FTP server or FileZilla Server the server has a different approach and stores the passwords encrypted in its own user db. Whether these are accessible I don't know, though I remember from FileZilla that it has a programmable interface.

As an alternative approach, you can allow users to place a file with a new password in a special directory (encrypted, I hope), which can be read by the server (monitoring that directory is all it takes). You can automate this with some simple tool on server and client side, but it is not an ideal solution.

-- Abel --
0
 
LVL 39

Expert Comment

by:abel
ID: 24738408
PS: a list of available FTP commands is here: http://www.nsftools.com/tips/RawFTP.htm, so you can check for yourself that something like ChancePassword command does not exist.

If you implement your own FTP server or if you have access to the sources of an FTP server, nothing stops you from adding such commands. But look above on security why that's probably not what you want in the long run....
0
 
LVL 27

Author Comment

by:VBRocks
ID: 24738436
Ok, thanks abel.  Let me research it a little more.

We are using FTPS/HTTPS, by the way.
0
 
LVL 39

Expert Comment

by:abel
ID: 24738672
Ah, that's hugely different (FTPS instead of FTP, I mean). If you need help with a chosen path, let me know :)
0
 
LVL 27

Author Comment

by:VBRocks
ID: 24738719
Well, I've actually already written a windows application that is comparable to File Zilla / WS_FTP, although it's not completely finished.  It is working very nice though.  It uses both FTPS and HTTPS to access my company's (WebDAV) server.

The SAS audit we just had last week, and their recommendation for user password changing got me researching it...

Thanks for your help.
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 39

Expert Comment

by:abel
ID: 24738720
Btw, here's an FTP server that supports changing the password of a user. It recognizes it as an extension and not a standard to the protocol. You may consult the documentation of your ftp server in case it supports something similar: http://wiki.builtbp.com/index.php/Change_Password_Remotely
0
 
LVL 27

Author Comment

by:VBRocks
ID: 24739486
abel - How could we go about adding a custom command to our FTP server?

0
 
LVL 39

Expert Comment

by:abel
ID: 24739503
Well, that highly depends on what FTP server you are using and not all of them allow it (which is why I mentioned the workaround with the file). You said you were building one yourself, in which case you have full control, but you aren't using your own implementation yet, correct? (and you should be aware that building a fully fledged FTP server is quite some years work, though the basics are easy).

Can you update with what FTP server you are using?
0
 
LVL 27

Author Comment

by:VBRocks
ID: 24739540
Windows Server 2008 / IIS 7.
0
 
LVL 39

Accepted Solution

by:
abel earned 500 total points
ID: 24739658
I'm afraid that IIS does not support creating custom commands in version 7. However, if you can upgrade to the new version 7.5 (only for Windows 2008) you may have some possibilities. I haven't tried this myself, but here are a few guidelines on how to extend FTP 7.5: http://learn.iis.net/page.aspx/590/developing-for-ftp-75/

Alternatively, if you care going to another FTP server, you can consider GlobalScape, which supports hand-written commands natively and easily: http://help.globalscape.com/help/secureserver2/Custom_command_example.htm

I'm sorry that a seemingly simple request is not that simple to solve ... ;-)

-- Abel --
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Creating an analog clock UserControl seems fairly straight forward.  It is, after all, essentially just a circle with several lines in it!  Two common approaches for rendering an analog clock typically involve either manually calculating points with…
More often than not, we developers are confronted with a need: a need to make some kind of magic happen via code. Whether it is for a client, for the boss, or for our own personal projects, the need must be satisfied. Most of the time, the Framework…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now