Using ftp

I have an application that was using sftp via the Putty tools to update a web server. This allowed the program to create psftp commands and execute them.

The server has been changed, and now uses plain ftp. Looking at !ftpc, the method using that uses Wimp messages, and completely different program flow.

I am hoping there is a way for my program instead to create and execute plain ftp commands, so the structure remains the same. Can anyone help please?

Get them to set the server up properly with sftp, plain ftp should not be used on anything internet facing these days.

Get them to set the server up properly with sftp, plain ftp should not be used on anything internet facing these days.

While I agree with the sentiment, I don’t have any control over the server.

What caused the change to a server with an insecure protocol?

If you have changed hosting provider, you need to change again!

I don’t have any control over the server.

If you’re paying, send them a message saying you demand SFTP, and ask why they have chosen, in 2024, to step backwards two decades to use an insecure protocol which requires you to transmit your login details in the clear.
Who is the host?

plain ftp should not be used on anything internet facing these days.

Exactly. I use plain FTP here between my phones and RISC OS (etc) setting up the server on demand (it is built into ES File Explorer), but having FTP on the internet as a way to update your site is…dumb. Really dumb.

I mean, even RISC OS can do SFTP so there’s no excuse.

you need to change again!

If you don’t get a satisfactory response, then this.

Who is the host?

Name and shame.

If you’re paying, send them a message saying you demand SFTP, and ask why they have chosen, in 2024, to step backwards two decades to use an insecure protocol which requires you to transmit your login details in the clear.

My recent experience (n=4) is that hosts are generally expecting users to be using file transfer over SSH if they want secure, and so are dropping FTP entirely or leaving the insecure one for those who can’t do SSH. Certainly in the Linux world, people seemed to move straight from insecure FTP and tools like Sitecopy, to rsync over SSH – ignoring secure FTP completely. Even Windows users can get in on that action with Putty.

Or, in other words, the hosts may have recognised that in 2024 most people use SSH, a handful still use plain FTP despite warnings against it, and no-one uses secure FTP. So dropping secure FTP hurts no-one and removes an attack vector.

I’ve been using rsync over SSH for a while now as it’s much easier to use than FTP, but I suspect that it’s another thing that RISC OS can’t do.

Or, in other words, the hosts may have recognised that in 2024 most people use SSH, a handful still use plain FTP despite warnings against it, and no-one uses secure FTP.

FTPS or SFTP? They are rather different but, from recent work conversations with suppliers, often confused.

FTPS, is PITA with the extra ports and SFTP is basically SSH with FTP capabilities added. There’s plenty of info out and about

Even Windows users can get in on that action with Putty.

FileZilla. Pointy clicky solution, very regular updates that the application checks for at every runtime. Almost idiot-proof. Pretty GUI based familiarity for the average user.

Or, in other words, the hosts may have recognised that in 2024 most people use SSH, a handful still use plain FTP despite warnings against it, and no-one uses secure FTP. So dropping secure FTP hurts no-one and removes an attack vector.

Since both SFTP and SSH use port 22 the attack vector is rather similar, if not the same.

Or, in other words, the hosts may have recognised that in 2024 most people use SSH, a handful still use plain FTP despite warnings against it, and no-one uses secure FTP. So dropping secure FTP hurts no-one and removes an attack vector.

Nevertheless, I still need to be able to update this website, during an event that’s only 4 weeks away from the end of my holiday – a holiday when I’m away from RISC OS computers. Doing a major rewrite in that timescale is too risky to contemplate.
Plan A – find out whether the site also has SFTP. I’ve asked our site contact to find out.
Plan B – find a piece of software that will allow me to replace the SFTP used by PuttyTools with a similar command line.
Plan C – move the system being updated to my personal space, on Orpheus. That may raise questions about publishing the data on essentially a private space.
Plan D – abandon updating the site, and revert to using a local access point and Webjames. That has proved problematic in the past, mostly because we are operating on the first floor of a building, and wherever we locate the access point, significant parts of the site don’t get a signal, because the building is in the way.

Just to add to the problem is that I’ve now been told that the provider is likely to move the service to a different hosting site in the near future, so the access may change again. Plan C is looking good ATM.

For some years now I’ve been using FTPc (http://www.ftpc.iconbar.com) with AcornSSL to do my site updates. I get confused between sftp and ftps; FTPc’s docs say it uses ftps. I think ftps is more common and more “respectable”, but I may of course be mistaken!

Have you tried it? Would it help you?

As for ftps vs. sfpt I asked Dr. Google and found this one: https://www.spiceworks.com/tech/networking/articles/sftp-vs-ftps/
Simple: sftp is ftp over an SSH link whereas ftsp is similar to https an ftp that uses TLS

The most important difference, especially when you’re dealing with firewalls, is that SFTP uses one single port (port 22) and FTPS uses multiple ports – sort of referenced in the spiceworks article without detail. see https://www.cerberusftp.com/blog/ftp-and-ftps-ports/

Comparison.
https://www.cerberusftp.com/blog/ftps-vs-sftp-understanding-the-difference/

Unless you’re concerned about needing to shift large volumes of data – use SFTP.

I use FTPc version 1.55 and this seems to work OK. Don’t know whether it uses Acorn SSL. It offers Explicit TLS which it calls ‘standard ftps mode’ (whatever that is, it requires R-Comp’s secure sockets module) but I just use normal ftp.

I am hoping there is a way for my program instead to create and execute plain ftp commands, so the structure remains the same. Can anyone help please?

You can use curl instead. It support ftps, tls, etc.

To download a file,

curl -u <userid>:<password> --ssl-reqd ftp://example.com/example.txt -O

To upload a file,

curl -T example.txt -u <userid>:<password> --ssl-reqd ftp://example.com/uploads/

Similar for sftp,

curl -u <userid>:<password> sftp://example.com/home/example/example.txt -O

curl -T example.txt -u <userid>:<password> sftp://example.com/home/example/uploads/