Support for SFTP - not just FTP which has security issues

Started by Forumtastic, August 15, 2013, 07:39:32 PM


Forumtastic

Great work on the forum software! Thank you so much for making this free.

I have one feature request. Due to security issues with FTP, we do not run FTP - only SFTP.

My request would be to allow the software to use SFTP also.

More and more people are moving away from FTP because it sends all user names and passwords (and data) in plain text across the internet. About half of all organizations (including a lot of ISPs) now use SFTP (or at least FTPS which is also technically different than FTP):
https://www.securityweek.com/should-organizations-retire-ftp-security
https://en.wikipedia.org/wiki/File_Transfer_Protocol

This makes it impossible for us to use the forum software to modify files.

Again, thank you so much!

Arantor

A *massive* amount of change is required to make SMF support SFTP. It's practically a rewrite of most of the package manager, a job that there are surprisingly few around here that are actually capable of, and of those few, none of them actually want to sit and rewrite the package manager to actually do it.

Interesting note: FTP is only used for elevating permissions. You can do that yourself via an SFTP client, run the update then put them back.
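The workaround described in the post above (raise permissions over SSH, run the update, then put them back) can be scripted so the restore step is exact. This is an added example, not SMF code and not from the posters; it assumes GNU find and chmod, paths without newlines, and the paths in the closing comment are hypothetical.

```sh
#!/bin/sh
# Added example (not SMF code). Assumes GNU find/chmod, paths without newlines.

# Record "octal-mode<TAB>path" for everything under $1 into file $2.
# Symlinks are skipped: chmod on a symlink would change its target.
snapshot_perms() {
    find "$1" ! -type l -printf '%m\t%p\n' > "$2"
}

# Temporarily apply a symbolic mode such as g+w to the whole tree.
elevate_perms() {
    chmod -R "$2" -- "$1"
}

# Put every recorded mode back; returns 1 if a recorded path has disappeared.
restore_perms() {
    tab=$(printf '\t')
    missing=0
    while IFS=$tab read -r mode path; do
        if [ -e "$path" ]; then
            chmod "$mode" -- "$path"
        else
            echo "gone since snapshot: $path" >&2
            missing=1
        fi
    done < "$1"
    return "$missing"
}

# List anything still world-writable after the restore, for example a file
# the update created, which the snapshot cannot know about.
world_writable() {
    find "$1" ! -type l -perm -0002
}

# Typical sequence over SSH (hypothetical paths, snapshot kept outside the tree):
#   snapshot_perms /var/www/forum /root/forum.perms
#   elevate_perms  /var/www/forum g+w
#   ... run the update from the forum's package manager ...
#   restore_perms  /root/forum.perms
#   world_writable /var/www/forum
```

Which symbolic mode is needed depends on which account owns the files and which account the web server runs as.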

Forumtastic

Thank you for your response. I can totally understand the need for manpower that has certain technical expertise in specific areas on something that is free and volunteer - and those same people that are pulled in multiple directions.

FTP is also used to install some packages and for repairs. I don't usually need it. I can do most everything from an SSH command prompt.

I just thought I'd make the suggestion in case someone didn't. It would be a cool and more secure enhancement to an already awesome system.

Arantor

Quote: FTP is also used to install some packages and for repairs.

No, it isn't. Please believe me when I say I understand how the system works. I already dismantled it and rewrote it once.

All it actually does, in fact all the ftp_connection class is capable of doing, is changing permissions and deleting files and folders on the server. It has no upload capabilities, pretty sure it doesn't have download capabilities (thus no editing is actually possible because FTP doesn't support edit on the fly, neither does SFTP).

I know this because when I ripped SMF's package manager out for Wedge, I had to rewrite the FTP system to actually provide for uploads. Providing this functionality is of little real use to SMF, though, because Wedge plugins can't do file edits, meaning there's never a need to change file permissions. But file uploads actually via FTP are required in that situation, so I had to add the functionality for it - SMF doesn't itself do this, it elevates permissions and does conventional file writes, leaving file ownership in doubt especially on shared servers.

It has actually been suggested before, and shot down before for the same reason.

emanuele

Thanks for the suggestion.

Quote from: Forumtastic on August 15, 2013, 08:40:55 PM
I just thought I'd make the suggestion in case someone didn't.
This case is usually covered by a search: http://www.simplemachines.org/community/index.php?action=search2;search=sftp;brd=3 :P

Curious that the search in this board brings the old topic and not the new one...

Anyway, "later" I'll merge the two topics in order to spread the discussion. ;)



Arantor

But as indicated above this is a massive amount of work - and is vastly impractical to attempt to implement for 2.1. For 3.0 it should definitely be considered but that requires so much more change anyway, so moving this to closed for now.
