re: Ability to disable SFTP [Case 59374]
The only noticeable difference to most end-users between SFTP and Webdisk is just the interface they use. Both point to exactly the same space. However, WebDisk uses the DAV protocol whereas SFTP uses SSH. Retooling WebDisk to use a completely different protocol is far outside the existing discussion, so I can fork that off into its own feature request if you would like.Originally Posted by Mise
re: Ability to disable SFTP [Case 59374]
my users lacks of Shell access and they are able to download /etc/passwd through SFTP.
Please check this thread:
http://forums.cpanel.net/f185/users-...tp-247991.html
I'm seeing more people with the same problem:
http://forums.cpanel.net/f5/customer...er-206521.html
If this is not a misconfiguration in my server I think it's quite annoying...
re: Ability to disable SFTP [Case 59374]
+1 for jailed SFTP by default
re: Ability to disable SFTP [Case 59374]
Okay, seems there's a trend in this thread towards Jailed SFTP access instead of outright disabling it since Jailing will resolve the issues described in this thread.
Is that correct? Or is there a group of people that still want to just disable SFTP, even if it is jailed?
re: Ability to disable SFTP [Case 59374]
I wanted to mention that sFTP exists and works for non-shell accounts (those with /usr/local/cpanel/bin/noshell in /etc/passwd who did not have Shell access checked during WHM > Create a New Account setup).
I'm mentioning this as it appears some users might not be aware that a shell is not required (jailed or otherwise) for sFTP to function.
We added support for non shell accounts to use sFTP in internal case 11122
cPResources: Support Options | More Support Options | Forums Search | cPanel.net Site Search | Mailing Lists(Alt) | Docs
-- Tristan, Forums Technical Analyst, cPanel Tech Support
Submit a ticket | Check an existing ticket
re: Ability to disable SFTP [Case 59374]
I discussed this with our Product Manager. Here's what we came up with, please confirm if you would like to have the below implemented or if it does not meet your needs before I file this feature request in 2 weeks:
Call for Comments
The ability for cPanel users, when logging in via SFTP, to browse above their directory is both undesired and unnecessary in contemporary cPanel&WHM hosting environments. To get around this, we should implement a chrooted environment.
Being mindful of the many servers still running CentOS 5, we cannot implement the chrooting abilities specific to CentOS/RHEL 6. However, we may be able to do this by using ProFTPd for SFTP as it has supported chrooting for a very long time and has already established a record of being compatible with cPanel&WHM environments.
Note, ProFTPd does not natively accommodate OpenSSH keys, often used on SSH. However, as documented on ProFTPD module mod_sftp these keys can be converted to a format compatible with ProFTPd. This is an understood limitation and is considered something that could be accommodated later as most SFTP users currently just use username/password authentication.
re: Ability to disable SFTP [Case 59374]
Would this method require use of ProFTPDd or would it only run additional to PureFTPd, but just for sftp, if Pure was the overall FTP server selection?
Tony Kammerer - Senior Admin, United Communications Ltd.
Proudly hosting over 50,000 customer websites since 1998!
Our lively customer community with over 70,000 posts!
re: Ability to disable SFTP [Case 59374]
We don't allow username/password authentication and converting keys to make the compatible with proftpd, when cPanel reccomends Pureftp for FTP, sounds more like a work around or patch than an actual solution !
re: Ability to disable SFTP [Case 59374]
It seems you correlate use of OpenSSH with "actual solution" - unfortunately, sysadmins (seemingly most) still use CentOS 5 and earlier which is a problem for us with regards to it using a version of OpenSSH that predates methods we are aware of for jailshelling users via OpenSSH. However, if you have some technical insight for overcoming that issue, it is welcomed.
re: Ability to disable SFTP [Case 59374]
I think it's better to be resolved only for CentOS/RHEL 6 in OpenSSH native method than switching to ProFTPD. We lived with this for years so we can wait few more untill we all switch to CentOS 6...
They could also get passwd file through php or perl script etc, so there is no real protection from such things on shared server.
re: Ability to disable SFTP [Case 59374]
Looking into this, this would require switching to ProFTPd, which is a sub-optimal solution for those looking to conserve resources.
re: Ability to disable SFTP [Case 59374]
We have CentOS 5 servers too but we see this need as an evolution and not stepping back.
I give our +1 for the CentOS 6 only solution. I do not vote for the CentOS 5 proftpd switch back workaround.
If this feature takes a year to be implemented all new servers will be CentOS 6 by then and I don't see the point of adding features to CentOS5 that won't necesseraly be a good solution for CentOS6.
Re: Ability to disable SFTP [Case 59374]
I have sent this call for comments into our developers, and the case number for this is noted in the title of this thread. I also emphasized that we should try to work to use CentOS 6's capabilities whenever possible to avoid unnecessary forcing the use of ProFTPd to use these capabilities.
LinkBack URL
About LinkBacks
Reply With Quote