Shell Server Turn Down

Advanced feature discussion, beta programs and unsupported "Labs" features.
35 posts Page 3 of 4
by ds_sonic_asif » Thu May 02, 2024 3:56 pm
kgc wrote: Thu May 02, 2024 3:41 pm
pdonahue wrote: Thu May 02, 2024 2:59 pm

Code:

% lftp -u username ftps://ftp.sonic.net
Password: 
lftp username@ftp.sonic.net:~> dir                
`ls' at 0 [Connecting...]
It just hangs there.

Try adding "debug 3" in ~/.lftprc and connect just using ftp://ftp.sonic.net.

I see the same hang here:

$ lftp -u ds_sonic_asif ftps://ftp.sonic.net
Password:
lftp ds_sonic_asif@ftp.sonic.net:~> dir
---- Connecting to ftp.sonic.net (69.12.210.156) port 990
`ls' at 0 [Connecting...]
by ds_sonic_asif » Thu May 02, 2024 3:57 pm
I went to also go try this on the shell server, but it doesn't have lftp installed.
by kgc » Thu May 02, 2024 4:11 pm
There's always been a lot of confusion between sftp, and ftp with implicit and explicit SSL. ftp.sonic.net supports Explicit SSL, which means it supports TLS-AUTH on port 21.

NOTE: FTP://ftp.sonic.net, not FTPS://ftp.sonic.net

Code:

$ lftp ftp://X:Y@ftp.sonic.net
lftp X@ftp.sonic.net:~> ls
---- Connecting to ftp.sonic.net (69.12.210.156) port 21
<--- 220 ::ffff:69.12.210.156 FTP server ready
Certificate depth: 2; subject: /C=US/O=Internet Security Research Group/CN=ISRG Root X1; issuer: /C=US/O=Internet Security Research Group/CN=ISRG Root X1
Certificate depth: 1; subject: /C=US/O=Let's Encrypt/CN=R3; issuer: /C=US/O=Internet Security Research Group/CN=ISRG Root X1
Certificate depth: 0; subject: /CN=ftp.sonic.net; issuer: /C=US/O=Let's Encrypt/CN=R3
<--- 230 User X logged in
 
Kelsey Cummings
System Architect, Sonic.net, Inc.
by pdonahue » Thu May 02, 2024 5:13 pm
I really, really want to avoid sending a cleartext password. If I use a ftp:// URL then how do I know that it's using TLS? Is putting "set ftp:ssl-force true" in ~/.lftprc sufficient? (I can't find a definitive answer on the web.)
by ds_sonic_asif » Thu May 02, 2024 5:31 pm
pdonahue wrote: Thu May 02, 2024 5:13 pm I really, really want to avoid sending a cleartext password. If I use a ftp:// URL then how do I know that it's using TLS? Is putting "set ftp:ssl-force true" in ~/.lftprc sufficient? (I can't find a definitive answer on the web.)
It looks to be doing the right thing. I had put the same force-ssl directive in my .lftprc and ran it under strace. Here are some interesting bits:

17:23:48 write(1, "cd `.' [FEAT negotiation...]", 28) = 28
17:23:48 write(1, "\r", 1) = 1
17:23:48 pselect6(5, [4], [], NULL, {tv_sec=0, tv_nsec=979852000}, NULL) = 1 (in [4], left {tv_sec=0, tv_nsec=887684053})
17:23:48 read(4, "220 ::ffff:69.12.210.156 FTP ser"..., 65536) = 43
17:23:48 read(4, 0x5c842e516d90, 65536) = -1 EAGAIN (Resource temporarily unavailable)
17:23:48 write(4, "FEAT\r\n", 6) = 6
17:23:48 pselect6(5, [4], [], NULL, {tv_sec=0, tv_nsec=705845000}, NULL) = 1 (in [4], left {tv_sec=0, tv_nsec=703201853})
17:23:48 read(4, "211-Features:\r\n AUTH TLS\r\n CCC\r\n"..., 65536) = 53
...
17:23:48 write(4, "AUTH TLS\r\n", 10) = 10
17:23:48 pselect6(5, [4], [], NULL, {tv_sec=0, tv_nsec=702022000}, NULL) = 1 (in [4], left {tv_sec=0, tv_nsec=699220006})
17:23:48 read(4, "234 AUTH TLS successful\r\n", 65536) = 25
...
17:23:48 access("/etc/ssl/certs/ca-certificates.crt", R_OK) = 0
17:23:48 newfstatat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", {st_mode=S_IFREG|0644, st_size=208567, ...}, 0) = 0
17:23:48 access("/etc/ssl/certs/ca-certificates.crt", R_OK) = 0
17:23:48 openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 5
...
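
A way to automate the check from the post above, as an added example that is not part of the original thread: it reads strace output for the FTP control socket and reports whether login commands were readable on the wire. The function name, the default descriptor 4 and both sample traces are assumptions constructed for illustration.

```python
import re

# Matches strace lines such as: 17:23:48 write(4, "AUTH TLS\r\n", 10) = 10
SYSCALL = re.compile(r'\b(read|write)\((\d+), "((?:[^"\\]|\\.)*)"')

def audit_ftp_trace(lines, fd=4):
    """Classify the FTP control socket `fd` in strace output.

    Returns "cleartext" if USER/PASS is readable on the socket, "tls" if a
    234 reply followed AUTH TLS and no login command was readable, else
    "unknown". Assumes TLS is done in userspace, so strace sees ciphertext.
    """
    auth_sent = tls_ok = False
    for line in lines:
        m = SYSCALL.search(line)
        if not m or int(m.group(2)) != fd:
            continue
        call, data = m.group(1), m.group(3)
        if call == "write":
            # strace prints CR LF as the four characters \r\n
            verb = data.replace("\\r\\n", "").split(" ")[0].upper()
            if verb == "AUTH":
                auth_sent = True
            elif verb in ("USER", "PASS"):
                return "cleartext"
        elif auth_sent and data.startswith("234"):
            tls_ok = True
    return "tls" if tls_ok else "unknown"

# Constructed sample traces (not captured from ftp.sonic.net).
TLS_TRACE = r'''
17:23:48 read(4, "220 FTP server ready\r\n", 65536) = 22
17:23:48 write(4, "FEAT\r\n", 6) = 6
17:23:48 read(4, "211-Features:\r\n AUTH TLS\r\n CCC\r\n"..., 65536) = 53
17:23:48 write(4, "AUTH TLS\r\n", 10) = 10
17:23:48 read(4, "234 AUTH TLS successful\r\n", 65536) = 25
17:23:48 write(4, "\26\3\1\2\0\1\0\1\374\3\3"..., 517) = 517
'''.strip().splitlines()

PLAIN_TRACE = r'''
17:23:48 read(4, "220 FTP server ready\r\n", 65536) = 22
17:23:48 write(4, "USER alice\r\n", 12) = 12
17:23:48 read(4, "331 Password required\r\n", 65536) = 23
17:23:48 write(4, "PASS example-password\r\n", 23) = 23
'''.strip().splitlines()

if __name__ == "__main__":
    print(audit_ftp_trace(TLS_TRACE), audit_ftp_trace(PLAIN_TRACE))
```

A client that falls back to plain login after a rejected AUTH TLS is also reported as "cleartext", because the USER line is still readable in the trace.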
by ds_sonic_asif » Thu May 02, 2024 5:31 pm
kgc wrote: Thu May 02, 2024 4:11 pm There's always been a lot of confusion between sftp, and ftp with implicit and explicit SSL. ftp.sonic.net supports Explicit SSL, which means it supports TLS-AUTH on port 21.

NOTE: FTP://ftp.sonic.net, not FTPS://ftp.sonic.net
Thank you.
by pdonahue » Thu May 02, 2024 5:56 pm
Thanks! I'll make sure to migrate from scp to lftp before the deadline.
by patty1 » Fri May 03, 2024 12:50 pm
Thanks to Kelsey for providing information on the best way to connect to ftp.sonic.net.

As I mentioned earlier, I don't use shell access very often any more, but I did have some shortcuts in Fetch (the go-to FTP program for Mac users) that went to sh.sonic.net to access my home directory and my website, via SFTP on Port 22. When I tried switching those to ftp.sonic.net, I got the same "Connecting..." black hole that others have mentioned.

So I changed the connection method to FTP with TLS/SSL and the port to 21, and now I can connect to ftp.sonic.net just fine.

Kelsey, I hope the Sonic folks will have a little farewell party for your long-serving (even though it's gone through several incarnations) and much loved shell server!
by apl » Sat May 04, 2024 12:57 pm
Very sad and a bit taken aback that this is happening.

I use the shell server every day, for a variety of reasons:
1) Editing files in my personal web space
2) Editing procmail files to better manage email
3) An always-available archive of 24 years of email (stored in mbox format)
4) And always-available archives of miscellaneous other stuff, mostly stored in plain text files

There are, as noted, other ways of handling all these use cases, but generally those other ways are worse in at least some way:
For 1 and 2, edit locally and then ftp
For email going forward, start keeping more email permanently on the imap server (a poor practice, IMO) sorted into folders there
For past email, maybe copy all the archives to my laptop and/or desktop
For other files, increase use of cloud services: Apple Notes (which I already use for things I want available from my phone), Office online, etc. (Or Google Docs, or Evernote, etc.). Apparently you can also access an iCloud directory via the terminal, which may be another good solution for Mac users.

As Dane notes, one can also allow remote login access to a personal server at home (he suggests linux, but anyone with a mac has this available already).
But it strikes me as a little odd to cite security concerns as a reason for shutting down the shell server, and in the next breath suggest users allow logins to their own machines from the public internet. I've been using various forms of unix for 35 years now, but have never been (or wanted to be) a professional sysadmin, and I am not sure I want to take that kind of risk of leaving holes in my firewall for script kiddies to pound at, especially in light of incidents like the recent "xz" exploit.
I will have to give that issue some more thought.

Anyway, beyond the loss of specific capabilities this change brings, I also agree with the previous poster who said it felt like this was the end of sonic as anything other than just another vendor of commodity bandwidth.

Oh well, so it goes.
by nbs » Sat May 04, 2024 1:43 pm
Well, I copied my 25-years-worth of email onto my laptop and copied my `.mutt/muttrc` over from shell.sonic.net and tweaked it a little (Nano editor? LOL no. And had to add some SMTP lines). So I think I'll survive. It's going to take a while to get used to this, though. :P

One thing I had set up for all these years was for certain kinds of mailing list messages to get shunted off into various folders that I'd check when I had time; they were low priority, so didn't need to be right in my inbox. (For example, Linux User Group emails generally went into an `in-lugs` folder, but the LUG I helped run went into `in-lugod`. Mailman notifications went into `in-listadmin`, etc.) I'm frankly not sure how I'll end up dealing with this, but for now I've just moved my `.procmailrc` out of the way, so everything is going to land in my inbox, and I'll have to sort it out as it comes in.

This isn't ideal, so if anyone else has ideas or solutions, I'd love to hear them! Thanks.

And so long shell servers, and thanks for all the fish. :(