How cPanel handles FTP authentication

[jez9999]

Ever wondered how cPanel deals with FTP authentication? I did, and as cPanel themselves don't seem to want to say much about it, here's a bit of an explanation.

The system seems to have been designed primarily with ProFTPD in mind. When set to use ProFTPD, the daemon uses the shadow passwd file located at /etc/proftpd/passwd.vhosts to decide upon user authentication.

More interesting is what it does when you set it to use the PureFTP daemon. cPanel continues to basically use the ProFTPD shadow passwd file model, to the extent that it still uses the files in /etc/proftpd/ for authentication. It uses a feature of PureFTPd that allows a custom authentication script to be run every time a user attempts to login to FTP. This script is located at /usr/sbin/pureauth and is a Perl script, presumably written by cPanel themselves. Unfortunately, this authentication method seems to be specified on the commandline by cPanel each time the FTP daemon is started, so it's not possible to enable other auth methods (like mySQL, traditional Unix passwd, etc) on top of the cPanel authentication.

The script is basically a wrapper, allowing the shadow passwd files in /etc/proftpd/ to be used in the same way as ProFTPD for authentication, so cPanel can continue to update these files in the same way no matter which FTPD you're using, and switch between the two easily. The script will check the IP the user connected to and try to match it up to a domain using the file /etc/domainips. It will then check whether the username is in the form user@domain, and if it is, uses the domain part as the assumed domain and ignores what it found in /etc/domainips. It then looks up the owner of that domain, according to what the admin has entered in cPanel, using the file /etc/userdomains. Assuming it has found a user, it then checks the supplied password against one of the shadow passwd files. If the username was not in the form user@domain AND the IP connected to was not the 'main' server IP (the first non-local IP in the list supplied by /sbin/ifconfig -a)(which implies that it is the 'main shared IP' for use with name-based hosting), it will check the /etc/proftpd/username file, where username is the username supplied for FTP login. Otherwise it checks /etc/proftpd/passwd.vhosts. It will try to check the supplied password against its crypt()ed version and its MD5 crypt()ed version. If this fails, it will always then check the password against the /etc/proftpd/passwd.vhosts file.

The script then returns the authentication information (success/fail, UID, GID, root dir) to the PureFTP daemon.

Just thought I'd share the result of this research with you. Unfortunately, it means I'm not easily able to do what I wanted to do (FTP in as root), as PureFTPD will not let a custom authentication script successfully authenticate the root user. No, I'm not mad, I just find it easier to edit files by downloading, editing, then uploading then than messing around with Unix commandline editors. Seems the only way to do what I want is just to start another instance of the FTP daemon, listening on a seperate port and using traditional Unix (/etc/passwd) authentication. For some reason, it then does allow you to FTP as root!

[chirpy]

(FTP in as root)

Which is one thing you should never ever do as it's usually trivial for a hacker to snag your root password as it's sent in the clear. If you need FTP under root you should be using SFTP through SSH.

[mikesouth]

you might try this

there is nothing significant about the login root...except the userid (0) edit your shadow password file and add a user with a userid 0f 0

that might work

[jez9999]

Which is one thing you should never ever do as it's usually trivial for a hacker to snag your root password as it's sent in the clear. If you need FTP under root you should be using SFTP through SSH.

Right. Unfortunately, it's still pretty rare to see SFTP used... does cPanel support this or would I need to install support manually? Also, I bet my current FTP client doesn't support SFTP. Ah well.

[jez9999]

Update: I just found out that cPanel implements its SSH access via OpenSSH, which also coincidentally happens to implement the 'SFTP using SSH2' protocol which is a very nice, secure, FTP replacement. I'm using FileZilla to login as root now via this protocol, and it's working fine. Thanks for the advice, chirpy. I guess my advice is to use SFTP, especially when FTPing as root.

[webignition]

Update: I just found out that cPanel implements its SSH access via OpenSSH, which also coincidentally happens to implement the 'SFTP using SSH2' protocol which is a very nice, secure, FTP replacement. I'm using FileZilla to login as root now via this protocol, and it's working fine. Thanks for the advice, chirpy. I guess my advice is to use SFTP, especially when FTPing as root.

In the course of general server management, I use winSCP to transfer files to and fro as this an excellent SFTP client.

On top of this, the more modern versions of Dreamweaver let you connect via SFTP, which is kinda nice if you feel like fiddling around with the contents of /usr/local/apache/htdocs.

[chirpy]

you might try this

there is nothing significant about the login root...except the userid (0) edit your shadow password file and add a user with a userid 0f 0

That is generally regarded as an exceptionally bad thing to do. You should only ever have one account with the userid of 0 and you should never ever use FTP to access it.