#1 (permalink)  
Old 08-10-2009, 02:09 AM
Registered User
 
Join Date: Mar 2004
Posts: 625
jols is on a distinguished road
Will SCP work if you don't allow SSH access?

I hear that SCP uses SSH protocol, so I just want to make sure.

We no longer allow SSH access for our hosted members. Now some are looking for a different method of securely transferring files and they are not thrilled about having to use FTPS.

So, I take it that SCP is still functional and can be used by the vsite owners to transfer files around? Yes?
  #2 (permalink)  
Old 08-10-2009, 11:38 AM
Registered User
 
Join Date: Aug 2009
Posts: 2
bpence is on a distinguished road
Will SCP work if you don't allow SSH access?

No.

SCP will not work without SSH access. SCP is like RCP over a channel secured by the SSH protocol. There *are* ways to leave SSH enabled, but disallow shell-level access while continuing to allow SFTP and SCP, but this requires a bit more configuration.

Brian Pence
SSH / Telnet Client for Windows XP, Vista, Mobile (and others)
AbsoluteTelnet SSH/SFTP client for windows
  #3 (permalink)  
Old 08-10-2009, 02:54 PM
Registered User
 
Join Date: Mar 2004
Posts: 625
jols is on a distinguished road
Thanks Brian Pence. Can you please point us in the right direction for this, i.e. for disallowing shell but allowing SCP?
  #4 (permalink)  
Old 08-10-2009, 06:31 PM
Forum Moderator
 
Join Date: May 2003
Location: Pennsylvania
Posts: 3,498
Infopro is on a distinguished road

Quote:
Originally Posted by jols View Post
Thanks Brian Pence. Can you please point us in the right direction for this, i.e. for disallowing shell but allowing SCP?
SFTP is enabled for all users regardless of shell. All they need is the correct IP for it and port #

To find port #; cPanel > FTP accounts > find account username, to the right click, Configure FTP client.


Quote:
Compared to the earlier SCP protocol, which allows only file transfers, the SFTP protocol allows for a range of operations on remote files – it is more like a remote file system protocol. An SFTP client's extra capabilities compared to an SCP client include resuming interrupted transfers, directory listings, and remote file removal. [1] For these reasons it is relatively simple to implement a GUI SFTP client compared with a GUI SCP client.
en.wikipedia.org/wiki/SSH_file_transfer_protocol
  #5 (permalink)  
Old 08-10-2009, 06:40 PM
Registered User
 
Join Date: Mar 2004
Posts: 625
jols is on a distinguished road
Infopro, thanks for this. This is interesting however because earlier we could not get SFTP working with one of the accounts, only FTPS. Perhaps we needed to generate new ssh keys for this?

Thanks again, I'm a bit of a dummy when it comes to SFTP vs FTPS and the like.
  #6 (permalink)  
Old 08-12-2009, 01:38 AM
Registered User
 
Join Date: Mar 2004
Posts: 625
jols is on a distinguished road
Quote:
Originally Posted by Infopro View Post
SFTP is enabled for all users regardless of shell. All they need is the correct IP for it and port #

To find port #; cPanel > FTP accounts > find account username, to the right click, Configure FTP client
Thanks but I can't get this to work. When setting up sftp in FileZilla, at first I get the common warning prior to connecting, "The host key is unknown..." Then I clicked Always trust this host, and clicked OK. Then I get:


Command: Trust new Hostkey: Yes
Error: Disconnected: No supported authentication methods available
Error: Could not connect to server

I am using our SSH (alternate) port, but again, it seems that this will not work because we do not allow SSH access? What am I missing here? Does something in /etc/ssh/sshd_config need to be configured differently?


P.S. Yes, we do have this at the bottom of the sshd_config file:

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

Last edited by jols; 08-12-2009 at 01:46 AM.
  #7 (permalink)  
Old 08-12-2009, 05:32 AM
Forum Moderator
 
Join Date: May 2003
Location: Pennsylvania
Posts: 3,498
Infopro is on a distinguished road

Are you using the IP address used for SSH? I don't use FZ but you open the Site Manager and add the site there. Select server type > SFTP. Add the IP and port and you should be good to go.
  #8 (permalink)  
Old 08-12-2009, 07:03 PM
Registered User
 
Join Date: Mar 2004
Posts: 625
jols is on a distinguished road
Quote:
Originally Posted by Infopro View Post
Are you using the IP address used for SSH? I don't use FZ but you open the Site Manager and add the site there. Select server type > SFTP. Add the IP and port and you should be good to go.
Yes, but no IP is used by our hosted customers for ssh access because we do not allow ssh access for our hosted customers, thus the problem.

I have come upon a solution for this by putting together a few different posts on this subject, the method goes like this:

---------------
To allow SFTP access but without shell access, you must first enable (jailed) shell via WHM. But then run the following so they do not have command line/shell access:

usermod -s /usr/local/cpanel/bin/noshell username

Of course, replace "username" with the actual account user name.

Then generate a key pair for the account in question:

cd /home/userid/.ssh

Run:
ssh-keygen
(Accept the default names, i.e. id_rsa)
Enter any passphrase and be sure to remember the passphrase used.

After this two files will be created:

id_rsa
***This is the private key.
id_rsa.pub
***This is the public key.

Now enter the following:

cat id_rsa.pub >> authorized_keys

The id_rsa file is the private key to be used with FileZilla:

Preferences ---> SFTP ---> add key file.

Then configure FileZilla with SFTP and port - (insert ssh access port here), the user ID but NO password.

Remove both files from the on-line account:
id_rsa.pub
id_rsa

Now SFTP transfers work.
---------------

A significant aspect of this is to switch on SSH access for the account, but remove their capability to reach the shell command line:

usermod -s /usr/local/cpanel/bin/noshell username

This part was derived from this post:
Strange SFTP problem...


This concludes about three days of research on this one. But if anyone has anything to offer in addition, I would certainly like to know more, particularly with regard to potential security vulnerabilities that may arise from using this method.
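Added example (not part of the original thread and not cPanel tooling): a shell function that audits an account set up with the method in post #8 for the weaknesses that method can leave behind, namely a wrong login shell, writable key files, a private key left on the server, and key entries that still permit SSH port forwarding. The function name, the report wording and the passwd-file argument are assumptions, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: audit an account configured with the thread's key-only,
# no-shell SFTP method. Function name and report wording are assumptions.

NOSHELL=/usr/local/cpanel/bin/noshell   # shell path quoted in the thread

# audit_sftp_account PASSWD_FILE USER
# Prints one FAIL line per finding; returns 0 when clean, 1 otherwise.
audit_sftp_account() {
    passwd_file=$1; user=$2; rc=0
    entry=$(grep "^${user}:" "$passwd_file" | head -n 1)
    [ -n "$entry" ] || { echo "FAIL: no passwd entry for $user"; return 1; }
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    sshdir=$home/.ssh

    # 1. The method depends on the login shell being noshell.
    [ "$shell" = "$NOSHELL" ] || { echo "FAIL: login shell is $shell"; rc=1; }

    # 2. A group/world-writable .ssh or authorized_keys lets another local
    #    user add a key (and sshd StrictModes refuses such files).
    for p in "$sshdir" "$sshdir/authorized_keys"; do
        [ -e "$p" ] || { echo "FAIL: missing $p"; rc=1; continue; }
        case $(stat -c %a "$p") in
            *[2367]?|*[2367]) echo "FAIL: $p is group/world-writable"; rc=1 ;;
        esac
    done

    # 3. The private key was generated on the server; no copy may remain.
    left=$(grep -lE -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
               "$sshdir"/* 2>/dev/null || true)
    [ -z "$left" ] || { echo "FAIL: private key left on server: $left"; rc=1; }

    # 4. The login shell does not control SSH port forwarding; each key
    #    line should start with 'restrict' or 'no-port-forwarding' options.
    if [ -f "$sshdir/authorized_keys" ] &&
       grep -vE '^(#|[[:space:]]*$)' "$sshdir/authorized_keys" |
       grep -qvE '^[^ ]*(restrict|no-port-forwarding)'; then
        echo "FAIL: authorized_keys entry permits port forwarding"; rc=1
    fi
    return $rc
}
```

Run it as root against the real account database, for example `audit_sftp_account /etc/passwd username`. Check 4 can be ignored when sshd_config already sets `AllowTcpForwarding no` for these accounts.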
  #9 (permalink)  
Old 08-14-2009, 09:14 AM
Registered User
 
Join Date: Aug 2009
Posts: 2
bpence is on a distinguished road
Sorry I did not reply back sooner, but it seems you have found the solution yourself. You're right in that turning *OFF* SSH altogether not only disables shell access, but also scp and sftp as well. The trick is to leave SSH on, but disable access to the shell as you found.

Brian Pence


Celestial Software
AbsoluteTelnet SSH/SFTP client for windows