Will SCP work if you don't allow SSH access?

[jols]

I here that SCP uses SSH protocol, so I just want to make sure.

We no longer allow SSH access for our hosted members. Now some are looking for a different method of securely transferring files and they are not thrilled about having to use FTPS.

So, I take it that SCP is still functional and can be used by the vsite owners to transfer files around? Yes?

[bpence]

No.

SCP will not work without SSH access. SCP is like RCP over a channel secured by the SSH protocol. There *are* ways to leave SSH enabled, but disallow shell-level access while continuing to allow SFTP and SCP, but this requires a bit more configuration.

Brian Pence
SSH / Telnet Client for Windows XP, Vista, Mobile (and others)
AbsoluteTelnet SSH/SFTP client for windows

[jols]

Thanks Brian Pence. Can you please point us in the right direction for this, i.e. for disallowing shell but allowing SCP?

[Infopro]

Quote:

Originally Posted by jols

Thanks Brian Pence. Can you please point us in the right direction for this, i.e. for disallowing shell but allowing SCP?

SFTP is enabled for all users regardless of shell. All they need is the correct IP for it and port #

To find port #; cPanel > FTP accounts > find account username, to the right click, Configure FTP client.

Quote:

Compared to the earlier SCP protocol, which allows only file transfers, the SFTP protocol allows for a range of operations on remote files – it is more like a remote file system protocol. An SFTP client's extra capabilities compared to an SCP client include resuming interrupted transfers, directory listings, and remote file removal. [1] For these reasons it is relatively simple to implement a GUI SFTP client compared with a GUI SCP client.

en.wikipedia.org/wiki/SSH_file_transfer_protocol

[jols]

Infopro, thanks for this. This is interesting however because earlier we could not get SFTP working with one of the accounts, only FTPS. Perhaps we needed to generate new ssh keys for this?

Thanks again, I'm a bit of a dummy when it comes to SFTP vs FTPS and the like.

[jols]

Quote:

Originally Posted by Infopro

SFTP is enabled for all users regardless of shell. All they need is the correct IP for it and port #

To find port #; cPanel > FTP accounts > find account username, to the right click, Configure FTP client

Thanks but I can't get this to work. When setting up sftp in FileZilla, at first I get the common warning prior to connecting, "The host key is unknown..." Then I clicked Always trust this host, and clicked OK. Then I get:


Command: Trust new Hostkey: Yes
Error: Disconnected: No supported authentication methods available
Error: Could not connect to server

I am using our SSH (alternate) port, but again, it seems that this will not work because we do not allow SSH access? What am I missing here? Does something in /etc/ssh/sshd_config need to be configured differently?


P.S. Yes, we do have this at the bottom of the sshd_config file:

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

[Infopro]

Are you using the IP address used for SSH? I don't use FZ but you open the Site Manager and add the site there. Select server type > SFTP. Add the IP and port and you should be good to go.

[jols]

Quote:

Originally Posted by Infopro

Are you using the IP address used for SSH? I don't use FZ but you open the Site Manager and add the site there. Select server type > SFTP. Add the IP and port and you should be good to go.

Yes, but no IP is used by our hosted customers for ssh access because we do not allow ssh access for our hosted customer, thus the problem.

I have come upon a solution for this by putting together a few different posts on this subject, the method goes like this:

---------------
To allow SFTP access but without shell access, you must first enable (jailed) shell via WHM. But then run the following so they do not have command line/shell access:

usermod -s /usr/local/cpanel/bin/noshell username

Of course, replace "username" with the actual account user name.

Then generate a key pair for the account in question:

cd /home/userid/.ssh

Run:
ssh-keygen
(Accept the default names, i.e. id_rsa)
Enter any passphrase and be sure to remember the passphrase used.

After this two files will be created:

id_rsa
***This is the private key.
id_rsa.pub
***This is the public key.

Now entering the following:

cat id_rsa.pub >> authorized_keys

The id_rsa file is the private key to be used with FileZilla:

Preferences ---> SFTP ---> add key file.

Then configure FileZilla with SFTP and port - (insert ssh access port here), the user ID but NO password.

Remove both files from the on-line account:
id_rsa.pub
id_rsa

Now SFTP transfers work.
---------------

A significant aspect of this is to switch on SSH access for the account, but remove their capability to reach the shell command line:

usermod -s /usr/local/cpanel/bin/noshell username

This part was derived from this post:
Strange SFTP problem...


This concludes about three days of research on this one. But if anyone has anything to offer in addition, I would certainly like to know more, Particularly with regard to potential security vulnerabilities that may arise from using this method.

[bpence]

Sorry I did not reply back sooner, but it seems you have found the solution yourself. You're right in that turning *OFF* SSH altogether not only disables shell access, but also scp and sftp as well. The trick is to leave SSH on, but disable access to the shell as you found.

Brian Pence


Celestial Software
AbsoluteTelnet SSH/SFTP client for windows