danielk

Registered
I am creating FTP users through WHM/cPanel, where I did not find any option to enable shell access. When I create a user, I am able to access only the regular FTP using port 21.


Please advise.

Thanks
 

furquan

Well-Known Member
If you want to enable SSH for a domain you can do that by modifying the account under "Modify an account" feature under "Account Functions".

The same can also be enabled while you are creating a new account.
 

danielk

Registered
I have enabled shell access for the domain by modifying the account, but my intention is to have secure access for the FTP users who are accessing the domain.

I have created a few FTP users with respective home directories through the cPanel of the domain. But I am only able to access normal FTP on port 21, which doesn't encrypt the information. I need some kind of secure access like SFTP or FTPS for the FTP users.

Please advise.
 

equens

Well-Known Member
Hello Gvard, can you explain to me how I can allow SFTP access to users who don't have SSH access enabled?

Thanks a lot.
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
I have enabled shell access for the domain by modifying the account, but my intention is to have secure access for the FTP users who are accessing the domain.

I have created a few FTP users with respective home directories through the cPanel of the domain. But I am only able to access normal FTP on port 21, which doesn't encrypt the information. I need some kind of secure access like SFTP or FTPS for the FTP users.

Please advise.
For add-on FTP users you may connect securely using FTPES, that is, FTP with Explicit SSL/TLS encryption; the same port 21 will be used for FTPES.
 

John_Buehrer

Registered
SFTP over multiple user accounts ?

Hi, I successfully make these FTPES connections (using Cyberduck on Mac PPC) to a cPanel vendor site on port 21. Each individual user can have his/her own login account and restrictions to subdirectories. This setup meets my needs.

But my vendor says only the master account may open an SFTP account - not individual login accounts (eg, [email protected]).

It's worthwhile to clarify this topic, to avoid having users spend time on FTP client configurations which won't work. (And if this should work, I need further discussions with my own cPanel hosting vendor.)
 

John_Buehrer

Registered
FTPES shows buggy behavior with empty folders?

Hi, both my cPanel hosting service and myself have noticed buggy behavior when FTP-viewing empty folders using Cyberduck (iMac PPC) in FTPES FTP mode. The software seems to hang for a minute or so, give a spurious error message, then resume working. Other files and folders view fine.

Have others encountered this problem?
Is it possibly a local configuration error, at the hosting service?
I'm also checking this with the Cyberduck vendor.
 

cPanelDavidG

Technical Product Specialist
Hi, I successfully make these FTPES connections (using Cyberduck on Mac PPC) to a cPanel vendor site on port 21. Each individual user can have his/her own login account and restrictions to subdirectories. This setup meets my needs.

But my vendor says only the master account may open an SFTP account - not individual login accounts (eg, [email protected]).

It's worthwhile to clarify this topic, to avoid having users spend time on FTP client configurations which won't work. (And if this should work, I need further discussions with my own cPanel hosting vendor.)
Correct, only the cPanel account can use SFTP (SSH File Transfer).

However, any FTP account can use FTPS (FTP over SSL/TLS). FTPES is just a type of FTPS.
 

John_Buehrer

Registered
... except when it doesn't work.

This is the nature of my FTPES / empty-folder question above. I'm in discussion with my cPanel hosting provider about this, but it's useful to know if other people have encountered problems with FTPES into cPanel software, or whether this is specific to my vendor. Thanks.
 

crazyaboutlinux

Well-Known Member
Correct, only the cPanel account can use SFTP (SSH File Transfer).

However, any FTP account can use FTPS (FTP over SSL/TLS). FTPES is just a type of FTPS.
When I use FTPS (FTP over SSL/TLS) I am unable to connect to the FTP server:
Status: Connecting to xxx.xxx.xx.xx:990...
Status: Connection attempt failed with "ECONNREFUSED - Connection refused by server".
Error: Could not connect to server
 

Spiral

BANNED
I am creating FTP users through WHM/cPanel, where I did not find any option to enable shell access. When I create a user, I am able to access only the regular FTP using port 21.
Common misconception ...

You DO NOT need to enable shell access to use SFTP

SFTP does indeed make use of the OpenSSH daemon and the same ports as SSH, but does not require that the login have any shell access set up, and the connection between the two really ends at authentication.

(This incidentally is one of the main reasons why it is a good idea to move the SSH port even if you don't have any users with shell access)
 

cPanelDavidG

Technical Product Specialist
I am unable to replicate this issue with:

- cPanel/WHM server running 11.25.1
- Running FTP Server: ProFTPd
- Then Running FTP Server: PureFTPd
- Using primary FTP account for a cPanel account
- Then using a secondary FTP account for a cPanel account
- FTP Client: CyberDuck on Mac OS with PPC architecture (not Intel) using FTPES

I didn't have any hanging nor delay, everything displayed as it should. The only issue I encountered was just that my test server had a self-signed certificate for FTP and I just needed to authorize it.

Nilesh, I tested using port 21 - you may want to try port 21 instead of port 990.

For everyone else, I recommend having someone take a look at the server logs to see what may be causing this issue.
 

cyon

Well-Known Member
PartnerNOC
Hi cPanelDavidG

We are having this issue with WHM 11.25.0, PureFTPd and a secondary FTP account (we are John_Buehrer's host).

Cyberduck works fine through FTPES, unless there's an empty folder. Browsing an empty folder gives us a "Listing directory failed (I won't open a connection to LOCAL_IP".

Filezilla does not work at all.
 

cPanelDavidG

Technical Product Specialist
I even tried browsing into an empty folder in my testing and was unable to generate any errors. I recommend letting a technical analyst take a look at your server so we can determine the cause of this issue and thus a resolution.
 

crazyaboutlinux

Well-Known Member
I am unable to replicate this issue with:

- cPanel/WHM server running 11.25.1
- Running FTP Server: ProFTPd
- Then Running FTP Server: PureFTPd
- Using primary FTP account for a cPanel account
- Then using a secondary FTP account for a cPanel account
- FTP Client: CyberDuck on Mac OS with PPC architecture (not Intel) using FTPES

I didn't have any hanging nor delay, everything displayed as it should. The only issue I encountered was just that my test server had a self-signed certificate for FTP and I just needed to authorize it.

Nilesh, I tested using port 21 - you may want to try port 21 instead of port 990.

For everyone else, I recommend having someone take a look at the server logs to see what may be causing this issue.
Dear cPanelDavidG,

I am using Windows XP (Intel) & FileZilla FTP client version 3.3.2.1.

Server details are as below:

cPanel 11.25.0-S45750
WHM 11.25.0 - X 3.9
CENTOS 5.5 i686 virtuozzo

And our FTP server is configured with pure-ftpd.

Still, I am getting an error when I choose FTPS - FTP over implicit TLS/SSL:

Status: Waiting to retry...
Status: Resolving address of example.com
Status: Connecting to xxx.xxx.xxx.xx:21...
Status: Connection established, initializing TLS...
Error: Connection timed out
Error: Could not connect to server

And I am not entering port 998; it is detected by default. But, as you said to use port 21 instead of 998, I am getting the same error on port 21 also.

And if I choose FTPES - FTP over explicit TLS/SSL, it works; there is no issue at all.

Nilesh
 

cPanelDavidG

Technical Product Specialist
Looking at that, it seems the issue is occurring when a TLS connection is trying to be initialized. I was double-checking settings in WHM this morning and found that if you are using Pure-FTPD, there's a setting to disable TLS. I recommend double-checking to ensure TLS is not disabled. This setting is on the FTP Server Configuration screen in the Service Configuration section of WHM.
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Implicit FTPS versus Explicit FTPS/FTPES

Please be aware that implicit FTPS and explicit FTPS/FTPES are two different modes of operation for FTPS and, to the best of my knowledge, the implicit mode is deprecated in favor of the explicit mode that is more narrowly referred to as FTPES, versus FTPS that could imply either mode if not verbosely clarified. When configuring the FTP client software, such as FileZilla, please verify to ensure that it is set up to connect using "FTPES - FTP over explicit TLS/SSL".

In FileZilla, selecting "FTPS - FTP over implicit TLS/SSL" will, by default, attempt to connect using the standard port for implicit FTPS, that of TCP port 990; however, a default installation of Pure-FTPd does not operate on port 990 and will not allow implicit FTPS connections unless it is a custom installation that was built using the configure option "--with-implicittls" at compile-time. For clarification, according to the official Pure-FTPd web site and documentation resources the compile-time option "--with-implicittls" is used to build an implicit-FTPS-only server, i.e., one that supports only implicit FTPS and that, I believe, would need to run independently from the Pure-FTPd installation serving plain FTP and explicit FTPS/FTPES.

Regarding ProFTPd, to the best of my knowledge, the default installation and stock FTP virtual host configuration do not operate on TCP port 990; to connect via implicit FTPS the ProFTPd documentation leads me to believe that it would require a custom configuration using a different FTP virtual host that is configured to listen on TCP port 990 serving only implicit SSL (by setting "UseImplicitSSL" via the ProFTPd directive "TLSOptions").

The following are specific resources I used during research of this topic:
  • Resources for general reference:
  • Resources specific to Pure-FTPd:
  • Resources specific to ProFTPd:
    • ProFTPD Bugzilla - Bug 3266 – Support "implicit" FTPS
    • http://www.proftpd.org/docs/NEWS-1.3.3
      1.3.3rc2 - Released 20-Oct-2009
      --------------------------------
      - Bug 3266 - Support "implicit" FTPS.
    • http://www.proftpd.org/docs/RELEASE_NOTES-1.3.3
      1.3.3rc2
      ---------
      + Support for "implicit" FTPS. To enable this, use:
      TLSOptions UseImplicitSSL

      WARNING: Using this setting will cause mod_tls to handle ALL connections to the vhost as implicit FTPS connections. It is NOT possible to support both plain FTP (or explicit FTPS) clients AND implicit FTPS clients on the same address/port. Therefore this setting should ONLY ever be used in order to support braindead/broken FTPS clients, and then only for as long as it takes to fix/replace those broken clients.

      Note that "implicit" FTPS was explicitly DROPPED from the RFC which defines FTP over SSL/TLS; the only clients which use this feature are outdated clients based on older, now-invalidated versions of the specification. Please update your FTPS clients to one which uses explicit FTPS as soon as possible.
    • ProFTPD mini-HOWTO - FTP and SSL/TLS - Implicit FTPS
      Question: How come mod_tls does not support "implicit" FTPS (i.e. automatically encrypting sessions on port 990)?
      Answer: The short answer is because the Draft no longer specifies support for such a mode. Here is a description of why the alternatives to the current mode (client-requested encryption using standard control channel) are "bad".

      The long answer is covered in Eric Rescorla's excellent book, "SSL and TLS". There tend to be two different strategies used when adding new features to a protocol: separate ports for protocol variants, or upward negotiation. Port 443 for HTTPS is an example of the separate ports strategy. The drawback to the separate ports approach is that there is a finite number of ports available, and so this approach does not scale well. The benefit is that use of separate ports tends to require smaller changes to client and server code. Upward negotiation is more flexible, but requires that the protocol support some sort of feature negotiation or extension discovery, allowing clients and servers to easily agree to negotiate "upward" into a secure channel. The authors of the FTPS Draft felt that upward negotiation was the more appropriate of these two approaches for encrypting FTP channels.

      All that said, in ProFTPD 1.3.3rc2, the mod_tls module was enhanced to support implicit FTPS via the UseImplicitSSL TLSOption.
    • ProFTPD module mod_tls - TLSOptions Directive - UseImplicitSSL
      TLSOptions
      [...]
      UseImplicitSSL

      This option will cause the mod_tls module to handle all connections as if they are SSL connections implicitly; the client does not need to send the AUTH TLS FTP command. This can cause issues for FTPS clients which are expecting explicit FTPS, not implicit FTPS.

      Thus if the UseImplicitSSL option is used, you will want to have a separate <VirtualHost> section with a different port number just for those clients which require/expect implicit FTPS.
 

crazyaboutlinux

Well-Known Member
Looking at that, it seems the issue is occurring when a TLS connection is trying to be initialized. I was double-checking settings in WHM this morning and found that if you are using Pure-FTPD, there's a setting to disable TLS. I recommend double-checking to ensure TLS is not disabled. This setting is on the FTP Server Configuration screen in the Service Configuration section of WHM.
Dear cPanelDavidG,

Yes, we are using Pure-FTPD & I had looked at FTP Server Configuration; the TLS Encryption Support is set to optional.
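
Added example, not part of the thread and not cPanel's code: a Python probe, for a server you administer, of the control-channel behaviour discussed above. It tells apart a refused port (the port 990 case), a listener that sends no plaintext greeting (how an implicit-FTPS port looks to a plain FTP client), and an explicit-FTPS server that answers AUTH TLS with 234, and it reports whether USER is still accepted without TLS, which an "optional" TLS setting permits. The function names and the user name "probe" are assumptions, and the check stops at the 234 reply without performing the TLS handshake.

```python
import socket

def read_reply(f):
    """Read one FTP reply, following 'ddd-' multi-line continuations (RFC 959)."""
    line = f.readline()
    if len(line) < 4:
        raise ConnectionError("closed before a complete reply")
    code = line[:3]
    # A multi-line reply ends at the first line that is '<same code><space>...'.
    while not (line[:3] == code and line[3:4] == b" "):
        line = f.readline()
        if not line:
            raise ConnectionError("closed inside a multi-line reply")
    return code.decode("ascii", "replace")

def one_command(host, port, command, timeout=5.0):
    """Connect, wait for the plaintext 220 greeting, send one command.
    Returns 'refused', 'no-banner', or the three-digit reply code."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"        # nothing listening, e.g. port 990 on a stock install
    with sock, sock.makefile("rb") as f:
        try:
            if read_reply(f) != "220":
                return "no-banner"
            sock.sendall(command.encode("ascii") + b"\r\n")
            return read_reply(f)
        except (socket.timeout, ConnectionError):
            return "no-banner"  # silent listener: how an implicit-FTPS port appears

def classify(host, port=21, timeout=5.0):
    """Summarise how the endpoint treats explicit TLS and cleartext logins."""
    auth = one_command(host, port, "AUTH TLS", timeout)
    if auth in ("refused", "no-banner"):
        return {"state": auth, "explicit_tls": False, "plaintext_login": False}
    # 'probe' is a made-up user name; 331/230 means USER was accepted without TLS.
    user = one_command(host, port, "USER probe", timeout)
    return {"state": "ftp", "explicit_tls": auth == "234",
            "plaintext_login": user in ("331", "230")}
```

If `explicit_tls` is true and `plaintext_login` is also true, clients that are not configured for FTPES will still send credentials unencrypted on port 21.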