  1. #1
    Registered User
    Join Date
    Feb 2010
    Posts
    3

    Some issues regarding SFTP

    Hi there,

    I've encountered some issues when trying to use SFTP on a cPanel server.

    Since FTP is an old and insecure protocol, I would like to use SFTP.

    The problem with SFTP is that a user can see system directories and files when the user does a cd and ll or ls when in the root directory.
    Shell access is turned off for the users, so they can't do any shell commands.

    I want to jail users who log on through SFTP to their home directory.

    Has anybody else encountered the same problems and found a good way to solve this issue while keeping things integrated with cPanel?

    I found some fixes on the net, but they involved adding users manually to gain FTP access; I'm looking for a solution with integration in cPanel.

  2. #2
    cPanel Partner NOC
    Join Date
    Sep 2006
    Location
    Virginia Beach, VA
    Posts
    254
    cPanel/Enkompass Access Level

    Root Administrator


    You might want to use FTP over Passive TLS instead of SFTP. That way you don't have to open port 22 or SSH access for your users, and their connections will still be secured via SSL certificate. You can set up an SSL in WHM > Service SSL Certificates

  3. #3
    Registered User
    Join Date
    Feb 2010
    Posts
    3


    Yeah, that is also an option. But I would prefer jailed SFTP.

    One of the reasons for SFTP usage is the recent viruses that seem to be capable of nesting themselves in FTP software.

  4. #4
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    10,710
    cPanel/Enkompass Access Level

    Root Administrator


    Quote: Originally posted by Alrik
    Yeah, that is also an option. But I would prefer jailed SFTP.

    One of the reasons for SFTP usage is the recent viruses that seem to be capable of nesting themselves in FTP software.
    But wouldn't customers just use the same software they're using now for SFTP? Many FTP clients that support FTPS also support SFTP.

    If you are concerned about spyware sniffing unencrypted traffic, you could use ProFTPd and configure it (via WHM) to only accept encrypted (FTPS) connections.

  5. #5
    Member
    Join Date
    Aug 2002
    Posts
    1,118


    I don't really see how FTP, SFTP, FTP over explicit TLS, etc. really make any difference in regard to this spyware/trojans/malware.

    I am assuming users are storing their password in the FTP application's site manager. Which if that is the case, why does it matter how the password is passed to the FTP server? The compromise has already been made. The compromise is through the FTP application and storing the FTP password.

    Maybe I'm missing something, but I've never really understood how passing the password in an encrypted manner is going to help with this.

    If a user has a malicious piece of software running on their computer, they need to be taking steps to remove the software.

  6. #6
    cPanel Partner NOC
    Join Date
    Sep 2006
    Location
    Virginia Beach, VA
    Posts
    254
    cPanel/Enkompass Access Level

    Root Administrator

  7. #7
    Member
    Join Date
    Jan 2003
    Location
    Jacksonville, FL
    Posts
    28


    Quote: Originally posted by Alrik
    Hi there,

    The problem with SFTP is that a user can see system directories and files when the user does a cd and ll or ls when in the root directory.
    Shell access is turned off for the users, so they can't do any shell commands.
    I need to see if this will work in cPanel but on Plesk, I modify the shells permitted.

    With SFTP, you can set up an SFTP only shell. While users can still browse around to other directories it does limit shell access.

    Also will need to check the docs to see if the jail shell programs can be modified to work with SFTP.

  8. #8
    Registered User
    Join Date
    Feb 2010
    Posts
    3


    Quote: Originally posted by rackaid
    I need to see if this will work in cPanel but on Plesk, I modify the shells permitted.

    With SFTP, you can set up an SFTP only shell. While users can still browse around to other directories it does limit shell access.

    Also will need to check the docs to see if the jail shell programs can be modified to work with SFTP.
    The only problem right now is showing all directories; users can't execute shell commands.
    SFTP would be perfect if a user could only see their home dir and nothing else.

    @everybody pointing out the malware issue:
    Yeah, if a user's sw is compromised it does not really matter which protocol is used. On the other hand, if only the data transmitted is sniffed, then a secure protocol would improve security a lot. Let's say it would be an improvement in security, not a complete solution.

  9. #9
    EWD
    cPanel Partner NOC
    Join Date
    Aug 2003
    Location
    NY
    Posts
    164


    Quote: Originally posted by Alrik
    The only problem right now is showing all directories; users can't execute shell commands.
    SFTP would be perfect if a user could only see their home dir and nothing else.

    @everybody pointing out the malware issue:
    Yeah, if a user's sw is compromised it does not really matter which protocol is used. On the other hand, if only the data transmitted is sniffed, then a secure protocol would improve security a lot. Let's say it would be an improvement in security, not a complete solution.
    I have complained about this and it seems no one at cPanel seems to think it is an issue.
    Emerson

  10. #10
    Member
    Join Date
    Dec 2009
    Posts
    16

    rssh

    Quote: Originally posted by Alrik
    Yeah, that is also an option. But I would prefer jailed SFTP.

    One of the reasons for SFTP usage is the recent viruses that seem to be capable of nesting themselves in FTP software.
    Check out rssh. It has exactly what you need. It's a jailed shell that you can configure to support only SCP/SFTP (and a few others like rsync if you want) as well as create a chroot jail.

    Some assembly required.
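
An added example, not part of the thread and not written by any poster: a small audit of an rssh configuration that lists who is allowed SFTP without a chroot jail, which is the exposure described in post #1. The field layout is assumed from the rssh.conf(5) man page; the sample configuration, the user names, the paths, the function names and the `<default>` label are constructed for illustration.

```python
# Added example, not from the thread. Field layout assumed from rssh.conf(5):
#   user=name:umask:access-bits:chroot-path
# Access bits, left to right: rsync, rdist, cvs, sftp, scp.
# A user= line overrides the global keywords for that user.
import shlex

SERVICES = ("rsync", "rdist", "cvs", "sftp", "scp")

# Constructed sample; user names and paths are placeholders.
SAMPLE_CONF = """\
logfacility = LOG_USER
allowsftp
umask = 022
# chrootpath = /usr/local/chroot
user=alice:022:00010:/usr/local/chroot   # sftp only, jailed
user=bob:022:00011                       # sftp + scp, no jail
user="carol:077:10000:/usr/local/chroot" # rsync only, jailed
user=dave:022:00001:                     # scp only, no jail
"""

def parse_rssh_conf(text):
    """Return (defaults, users); users maps name -> (allowed services, chroot or None)."""
    defaults, users = {"allow": set(), "chroot": None}, {}
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # handles quotes, drops '#' comments
        if not tokens:
            continue
        key, _, value = " ".join(tokens).partition("=")
        key, value = key.strip(), value.strip()
        if key.startswith("allow") and key[5:] in SERVICES:
            defaults["allow"].add(key[5:])
        elif key == "chrootpath":
            defaults["chroot"] = value or None
        elif key == "user":
            fields = value.split(":")
            if len(fields) < 3 or len(fields[2]) != len(SERVICES):
                raise ValueError(f"malformed user line: {raw!r}")
            allowed = {s for s, bit in zip(SERVICES, fields[2]) if bit == "1"}
            users[fields[0]] = (allowed, fields[3] if len(fields) > 3 and fields[3] else None)
    return defaults, users

def unjailed_sftp(text):
    """Names allowed sftp with no chroot; '<default>' means users without a user= line."""
    defaults, users = parse_rssh_conf(text)
    found = [n for n, (allowed, path) in users.items() if "sftp" in allowed and not path]
    if "sftp" in defaults["allow"] and not defaults["chroot"]:
        found.append("<default>")
    return sorted(found)

if __name__ == "__main__":
    print(unjailed_sftp(SAMPLE_CONF))
```

On the constructed sample this reports `bob` and the global default, because `allowsftp` is set while `chrootpath` is commented out.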
