50 comments

[ 0.28 ms ] story [ 124 ms ] thread
brew install lftp

ncftp is also a good choice; i can't speak for anything else as I haven't used them.

Have you tested this on High Sierra? If it is a "more secure" operating system like the link mentions, I was under the impression programs like these would be blocked on the system level.
I appreciate you're being catty, but the idea is to not have it installed by default where persons who aren't aware of it (majority of Mac users) may be affected by whatever concern they have. Users who want or need FTP are likely capable of finding any number of ways of bring it back to their system.
My question wasn't entirely snark. I was genuinely curious if Apple has made it harder to install insecure programs like that. Otherwise, the move just doesn't seem very effective to me.
Its the system's job to be secure by default, its not its job to break aribtrary user installed applications the system decides might be insecure. How would it decide that anyway?
Anything that uses clear-text passwords has been removed. That is a very clear red-line. Also, anything that uses weak encryption, like P2PTP has also been removed, but a few versions ago. And the ssh defaults are tightened up almost every point release. As soon as a cipher becomes known as "weak", Apple pulls it.
And yet we still get a 11 year old version of Bash. :-)
Of course, but th We are all system components. The comment was referring to user installed applications and preventing no that if they are insecure. How is the system supposed to know that a user installed application uses clear text passwords?
The terminal application still includes ftp as an option in the "New Remote Connection" dialog, but attempting to use it pops up a dead terminal window with a "Command not found" error. Whoever decided to remove the command-line ftp program didn't to a good job of cleaning up after themselves.
if yubinstall ftp using homebrew does the dialog start working?
iOS has a bug like this where Game Center has a Facebook share link that relies on the now-removed system Facebook login
Apple engineers often make technical decisions that affect developers but go unreported for various reasons. This seems like a classic example. When I worked at Apple, some of us had a saying: "Apple knows what its users need and we give it to them -- good and hard."
Yeah, the problem with High Sierra is that Apple forgot the “good”.
I'm with Apple on this, though obviously the decision wasn't communicated in s transparent fashion

Haven't touched the ftp cmd line in 15 years, there are much better (and safer) alternatives

If you need ftp you should be smart enough to install it from home brew or macports. Sloppy not removing it from the GUI however.
Why ship Terminal by default, then?

The vast majority of MacOS users will never launch it.

I really hope you are not being serious.

Well I cannot install the terminal without the terminal. :) brew install terminal hum...

The fact of the matter is that FTP is pretty much a no-op for 99.9% of the MacOS using public. Apple has to maintain, test, etc. everything they ship (I hope..).

Now given that a Mac is pretty much the default laptop here in the valley for SW dev, I would say unlike FTP, the terminal gets used.

Removing stuff that is not used by most of the users only makes sense. As long as they do not stop a power user from installing what they want all is good.

(comment deleted)
High Sierra has also removed telnet which is useful not for unencrypted access to remote shells, but for quick testing of TCP port availability at remote end. Yes. There’s nc to do the same thing, but then there is also muscle-memory built since the mid 90ies

On the other hand, I get where Apple is coming from: those two tools are decades old and pretty much unmaintained. By not shipping them by default, they can reduce the attack surface (code not shipped won’t have vulnerabilities)

If you need command line FTP and telnet access, you can of course use homebrew to get them back.

You technically don't even need any external commands to check if a remote port it open since bash itself can open raw tcp/udp connections.

    $ timeout 5 bash -c 'cat </dev/null >/dev/tcp/google.com/80' && echo "Open" || echo "Closed"
You technically don't even need any external commands to check if a remote port it open since bash itself can open raw tcp/udp connections.

    $ timeout 5 bash -c 'cat </dev/null >/dev/tcp/google.com/80' && echo "Open" || echo "Closed"
It does include netcat (nc) though, which can be used for testing ports, among other things.
ln -s /usr/bin/nc /yourpath/bin/telnet

The command-line options are the same.

Don't do this. Contrary to popular belief, telnet is a protocol beyond simply opening a bidirectional pipe over a socket. There are negotiation steps and the like.

Just install telnet if you need it. It's not like Apple actually wrote these apps anyway. Install them trivially with brew, telnet, ftp, whatever old garbage you need.

Funny thing is I just BARELY needed to install telnet. Well, "needed." I wanted to relive some old BBS memories.

Given that FTP is insecure, and we've had SFTP as a replacement since 1999, I honestly don't see anything wrong here.

What's really a shame, is that so many providers still only support FTP.

We only very recently turned off ftp support for Linux kernel mirrors - a red letter day, to be sure
that’s a narrow view. Maybe I need to debug an old server on the intranet? Maybe some provider only allows FTP downloads with checksums via HTTPS?

Protocols should become useless before dropping the client from standard distributions.

If you have ssh access, you have sftp access. If your company still uses rlogin and ftp, then get a new job before they get hacked and blame whoever touched the server last.
I use a petaflop system everyday to run computational simulations. The tape system is accessed via rcp because it's connected via intranet to the login nodes. I'm not saying ftp over the internet has valid uses, it probably doesn't, but if it's in a controlled environment, why not?

What's next, is mac going to obsolete telnet? There goes a host of quick tests you can utilize on a home network.

telnet doesn't exist on my Mac (High Sierra). It also doesn't exist on my linux server (Debian 9).

Easily fixable with `brew install telnet` and `sudo apt install telnet`.

Nitpick: By telnet, you probably mean ncat. I don't think there's anything on a contemporary home network that speaks RFC 854.
That's not true - both sftp and scp require server-side support. You can have ssh, but without sftp or scp. OpenWRT ships in this config by default, for example (https://wiki.openwrt.org/doc/howto/sftp.server).

The only thing that would work in this situation is FISH.

I know, right? I can't believe they dropped rlogin, too!

Yes, I'm being snarky. Dropping it from the standard distribution is a good kick in the butt for anyone backward enough to still rely on plain old ftp in this day and age. Remember passive mode? Remember ascii mode? Oy. Good riddance. Even "telnet" isn't in some base linux systems.

Also it's one "brew install lftp" away for anyone who is really can't get around using it.

Protocols should become useless before dropping the client from standard distributions.

This statement is identical to "All operating-system developers must support every protocol ever developed, until the heat death of the universe".

I am not exaggerating. No matter the protocol, no matter how obscure it is, somewhere there is at least one person whose workflow is dependent on it and who will complain that it is, as a result, not "useless" and must be supported out-of-the-box by their operating system.

Those people can learn to install a client. If any of them happen to be the only user in the world of a given protocol and be doing it solely on machines to which they have no write access, well, they painted themselves into the corner and now can deal with the consequences of it.

They aren’t identical statements. FTP is commonplace enough and suddenly dropped. Not so for other more obscure protocols where we expect to install specific software eg TFTP for PXE boot.
> Maybe some provider only allows FTP downloads with checksums via HTTPS?

    curl -O -u user:password ftp://whatever.site.com/filename
Curl comes with MacOS and still supports ftp, even if they removed the ftp executable.

    brew install lftp
Also in the support thread someone complained that they changed order of path so that usr/local/bin/ have priority over usr/bin/.

But I’m not sure it’s that bad. Because this way Apple kind of acknowledge that if someone install something in local they must now what they are doing and this because default for users path.

I much prefer the local priority and will always reorder paths that way on a new machine.
tnftp does HTTP and HTTPS. the command name is a misnomer.
There is nothing insecure in a protocol by itself. In this case, since it lacks encryption, it shouldn't be used over insecure networks such as the Internet on its own. But it's by no means the only way it's being used. There is a place for FTP, Telnet, TFTP and many other basic protocols - it all depends on how you use them. The only thing that Apple gained by this is that people will use third-party FTP clients (which might be good given Apple's recent lack of focus on security anyway.)
(comment deleted)
High Sierra - too secure for FTP, not secure enough to not allow root login with a blank password
In the old days, people complained when Microsoft added a program to their OS, because it competed with third parties.

Nowadays, people complain when Apple removes a program from their OS, even when there are plenty of third party options...

Why Apple doesn't release comprehensive release notes about this kind of system-level changes? (Or maybe I've just missed them?) Why surprise the users after they've upgraded?
Which do you think is the more common scenario:

- Being hacked by sending a mom-and-pop website password in clear text

- Typing ftp twice at the command line, only to realize you need to install brew and then ftp (or FileZilla, Cyberduck) on a foreign Mac