  1. #1
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Dec 2004
    Posts
    392

    [Case 46939] SFTP access for virtual FTP users

    Virtual FTP users are NOT able to use SFTP, only the main account/domain user can.


    Please allow this to work, as it's much more secure and allows us to then disable FTP altogether.

    Regards
    Andy


    P.s.

    From cPanel:
    An SFTP subsystem for virtual ftp users would require quite a bit of work due to the nature of SFTP. We wrap around the SFTP subsystem that comes with OpenSSH and the big drawback to this is that it requires a valid shell in order to work properly.

    For situations where encryption is needed, FTPS is a good alternative to use with virtual FTP users as they don't need to have a valid shell and all authentication/transfers occur in an encrypted fashion.

    However if SFTP for virtual users is something you'd like to see in our product, I'd suggest submitting this via our Features Request forums.
    UK Managed Hosting
    UK Linux Support
    The information given above is intended to be advice only.

  2. #2
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    In the interim, you may want to consider using ProFTPd and then going to FTP Server Configuration and requiring TLS encryption. This will allow your virtual FTP users to login via FTPS (FTP over TLS) and disallow insecure plain-text logins.

  3. #3
    Member
    Join Date
    Aug 2003
    Posts
    388

    Sftp

    I think we need to start phasing FTP out and start to focus on really forcing users to utilize SFTP as a proper alternative.

    What I think we need is a solution that allows subusers from the FTP setup page to connect via sftp. Then we need a Check box in the S/FTP account page that allows accounts to use old/insecure ftp. Then we need a way to mass default that to off for all accounts so that we can stage a mass migration to sftp after a lot of emails to our user base. This way they can switch back but they will have been warned and will be knowingly setting an account back to an insecure protocol on their own. It would also be nice to get some type of status page in cpanel that tells us stuff about accounts like the fact that they are using FTP instead of SFTP.

    Let's see if we get any traction with this one.

  4. #4
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    Quote Originally Posted by dwykofka View Post
    I think we need to start phasing FTP out and start to focus on really forcing users to utilize SFTP as a proper alternative.

    What I think we need is a solution that allows subusers from the FTP setup page to connect via sftp. Then we need a Check box in the S/FTP account page that allows accounts to use old/insecure ftp. Then we need a way to mass default that to off for all accounts so that we can stage a mass migration to sftp after a lot of emails to our user base. This way they can switch back but they will have been warned and will be knowingly setting an account back to an insecure protocol on their own. It would also be nice to get some type of status page in cpanel that tells us stuff about accounts like the fact that they are using FTP instead of SFTP.

    Let's see if we get any traction with this one.

    Currently, FTPS (both implicit and explicit) are supported for all subusers and SFTP is only supported for the cPanel user.

    With the FTP configuration screen, you can even require encrypted FTP (FTPS) and thus reject plain-text FTP. With ProFTPd, you can require that not just usernames, passwords and commands be encrypted but the data be transferred in an encrypted fashion as well.

    Is there any particular reason you want FTP subusers to use SFTP (SSH File Transfer Protocol) rather than FTPS (FTP over TLS)? Aside from that, the only major difference I see from what we currently support is the ability to disable plain-text communications on a per-user basis.

  5. #5
    Member
    Join Date
    Aug 2003
    Posts
    388

    FTPS is a mess from a standards point of view.
    SFTP is newer and much better defined.

    I'm a fan of sftp I guess

  6. #6
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    Friendly Moderator Note

    I've merged this feature request with the existing request for SFTP support for virtual (additional) FTP users.

  7. #7
    Member
    Join Date
    Aug 2003
    Posts
    388

    How about a separate sftp daemon that isn't reliant on the current system?

  8. #8
    Member
    Join Date
    Apr 2005
    Posts
    105

    Quote Originally Posted by cPanelDavidG View Post
    Currently, FTPS (both implicit and explicit) are supported for all subusers and SFTP is only supported for the cPanel user.

    With the FTP configuration screen, you can even require encrypted FTP (FTPS) and thus reject plain-text FTP. With ProFTPd, you can require that not just usernames, passwords and commands be encrypted but the data be transferred in an encrypted fashion as well.

    David, I currently have FTP turned off completely, and checked by cron hourly due to sever hacking quite some time ago, I am pleased with the security level this brings, but I have one hosted client who has a WordPress that requires FTP or FTPS to auto update - it will not work with SFTP. Do you know if there is a way to allow ONLY this one user to use FTPS?

  9. #9
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    Quote Originally Posted by wkdwich View Post
    David, I currently have FTP turned off completely, and checked by cron hourly due to sever hacking quite some time ago, I am pleased with the security level this brings, but I have one hosted client who has a WordPress that requires FTP or FTPS to auto update - it will not work with SFTP. Do you know if there is a way to allow ONLY this one user to use FTPS?

    Actually, WordPress relies on requiring FTP as a fallback mechanism. Do you happen to have SuPHP on your server? If not, enabling SuPHP would likely appease WordPress such that it would no longer require FTP access for auto update.

    Note for others that may come across this thread: WordPress' built-in automatic updates are fully disabled if WordPress is installed and upgraded via cPAddons.

  10. #10
    Member
    Join Date
    Apr 2005
    Posts
    105

    David, thanks for the reply, SuPHP is not really an option right now, as I am being told it will break some of the other apps running on the server. I really was hoping to find a means to turn on FTP, allow only specific users to be allowed to use FTPS only.

  11. #11
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    Quote Originally Posted by wkdwich View Post
    David, thanks for the reply, SuPHP is not really an option right now, as I am being told it will break some of the other apps running on the server. I really was hoping to find a means to turn on FTP, allow only specific users to be allowed to use FTPS only.

    You may want to re-investigate scripts that are incompatible with SuPHP. Over a year ago, cPanel/WHM moved to using SuPHP by default on new installs and it's been a couple of years since I heard of hosting providers encountering contemporary scripts that were incompatible with SuPHP. Even most contemporary blog/CMS plugins accommodate SuPHP well.

  12. #12
    Member
    Join Date
    Apr 2005
    Posts
    105

    Quote Originally Posted by cPanelDavidG View Post
    You may want to re-investigate scripts that are incompatible with SuPHP. Over a year ago, cPanel/WHM moved to using SuPHP by default on new installs and it's been a couple of years since I heard of hosting providers encountering contemporary scripts that were incompatible with SuPHP. Even most contemporary blog/CMS plugins accommodate SuPHP well.

    aw crap apparently I posted this long-winded thing last night and didn't notice it didn't post until this morning.. ok here we go again..

    I re-read some of what you posted earlier:

    With the FTP configuration screen, you can even require encrypted FTP (FTPS) and thus reject plain-text FTP. With ProFTPd, you can require that not just usernames, passwords and commands be encrypted but the data be transferred in an encrypted fashion as well.

    So I went in and set Pure-FTP ON and set:
    TLS Encryption Support: Required (command)
    TLS Cipher Suite: HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
    Anonymous login & upload: NO
    Broken Clients Compatibility: NO

    I tested by using wsFTPpro - I did not alter any settings other than change the connection method, in other words I didn't change the port
    normal FTP would not connect
    FTPS/Implicit SSL would not connect
    FTP/SSL AUTH DID connect

    Is this correct? I think it is possible at one point I might have set port 990 closed, I will have to check that. Can I change the required port number?

    Since I am usually the only one who FTPs to the server, can I safely reduce the MAX connections (50) and MAX connection by IP (8) to something like (10) and (4) ?

    Do you think this set up is safe enough to keep the hackers out?

    How can I get email or txt notification of a FTP connection?

    OK I think that's all I said last night

  13. #13
    cPanel Quality Assurance Analyst cPanelDon's Avatar
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,555
    cPanel/Enkompass Access Level

    DataCenter Provider

    Quote Originally Posted by wkdwich View Post
    I tested by using wsFTPpro - I did not alter any settings other than change the connection method, in other words I didn't change the port
    normal FTP would not connect
    FTPS/Implicit SSL would not connect
    FTP/SSL AUTH DID connect

    Is this correct? I think it is possible at one point I might have set port 990 closed, I will have to check that. Can I change the required port number?

    It is correct that when encryption is required by the FTP server that you may need to use FTPS/FTPES over Explicit TLS/SSL and not Implicit TLS/SSL. For more verbose information about the complexities involved please see the following post: cPanel Forums - View Single Post - Implicit FTPS versus Explicit FTPS/FTPES

    Quote Originally Posted by wkdwich View Post
    Since I am usually the only one who FTPs to the server, can I safely reduce the MAX connections (50) and MAX connection by IP (8) to something like (10) and (4) ?

    I would not significantly reduce the default limit. Reducing it too much might inadvertently interfere with FTP client software that can take advantage of more connections to perform multiple simultaneous transfers.

    Quote Originally Posted by wkdwich View Post
    Do you think this set up is safe enough to keep the hackers out?

    How can I get email or txt notification of a FTP connection?

    To help keep the feature request on-topic, I recommend posting these two questions in the following forums area that is dedicated to discussions about security and best practices for system configuration hardening: cPanel and WHM Security - cPanel Forums
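
The result reported in the two posts above (plain FTP refused, explicit AUTH TLS accepted on the same port) can be confirmed from the client side with Python's standard `ftplib`. This is an added example, not part of the original thread or of cPanel's tooling; the function names and the dummy user name `tls-policy-probe` are assumptions made for illustration.

```python
import ftplib
import ssl
import sys


def cleartext_login_refused(host, port=21, timeout=10.0):
    """True if the server rejects USER on an unencrypted control channel.

    Only a dummy user name is sent; no password ever crosses the wire in clear.
    """
    ftp = ftplib.FTP(timeout=timeout)
    try:
        ftp.connect(host, port)
        ftp.sendcmd("USER tls-policy-probe")  # hypothetical, non-existent account
        return False  # 3xx reply: the server is willing to take PASS in cleartext
    except (ftplib.error_temp, ftplib.error_perm):
        return True   # 4xx/5xx reply: the cleartext session was turned away
    finally:
        ftp.close()


def explicit_tls_version(host, port=21, timeout=10.0, context=None):
    """TLS version negotiated after AUTH TLS on the plain port, or None if refused.

    With the default context an untrusted or mismatched certificate raises
    ssl.SSLCertVerificationError, which is left to propagate on purpose.
    """
    context = context or ssl.create_default_context()
    ftp = ftplib.FTP_TLS(timeout=timeout, context=context)
    try:
        ftp.connect(host, port)
        ftp.auth()                 # sends AUTH TLS, then wraps the control socket
        return ftp.sock.version()  # for example "TLSv1.2"
    except ftplib.Error:
        return None                # server answered AUTH TLS with an error reply
    finally:
        ftp.close()


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: ftp_tls_check.py HOST")
    target = sys.argv[1]
    print("cleartext refused:", cleartext_login_refused(target))
    print("explicit TLS     :", explicit_tls_version(target))
```

A server configured to require TLS should give `True` for the first check and a TLS version string for the second; run it against a host you administer.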

  14. #14
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    re: [Case 46939] SFTP access for virtual FTP users

    Call for Comments

    This feature is something that could become a very reasonable item to implement (from a developer's standpoint) once we get Pluggable Authentication. That, and I agree with above comments, FTPS starts showing its customer service issues once you start dealing with people that are using FTP for the first time. Just telling people to use SFTP is so much easier from a customer service perspective because you know it will work, your customers are happy it works and the sysadmins are happy everything is encrypted.

    Would it be accurate to say this entire thread can be summed simply as: Virtual FTP User credentials that work for FTP and FTPS should also work for SFTP?

  15. #15
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Nov 2010
    Posts
    9
    cPanel/Enkompass Access Level

    DataCenter Provider

    re: [Case 46939] SFTP access for virtual FTP users

    David, I think your summing up seems pretty accurate, and we'd also like to see this implemented when possible.
