Some issues regarding SFTP

Discussion in 'General Discussion' started by Alrik, Feb 10, 2010.

  1. Alrik

    Alrik Registered

    Hi there,

    I've encountered some issues when trying to use SFTP on a cPanel server.

    Since FTP is an old and insecure protocol, I would like to use SFTP.

    The problem with SFTP is that a user can see system directories and files when the user does a cd and ll or ls when in the root directory.
    Shell access is turned off for the users, so they can't do any shell commands.

    I want to jail users who log on through SFTP to their home directory.

    Has anybody else encountered the same problems and found a good way to solve this issue while keeping things integrated with cPanel?

    I found some fixes on the net, but they involved adding users manually to gain FTP access; I'm looking for a solution with integration in cPanel.
     
  2. vanessa

    vanessa Well-Known Member
    PartnerNOC

    You might want to use FTP over Passive TLS instead of SFTP. That way you don't have to open port 22 or SSH access for your users, and their connections will still be secured via SSL certificate. You can set up an SSL in WHM > Service SSL Certificates.
     
  3. Alrik

    Alrik Registered

    Yeah, that is also an option. But I would prefer jailed SFTP.

    One of the reasons for SFTP usage is the recent viruses that seem to be capable of nesting themselves in FTP software.
     
  4. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    But wouldn't customers just use the same software they're using now for SFTP? Many FTP clients that support FTPS also support SFTP.

    If you are concerned about spyware sniffing unencrypted traffic, you could use ProFTPd and configure it (via WHM) to only accept encrypted (FTPS) connections.
     
  5. sparek-3

    sparek-3 Well-Known Member

    I don't really see how FTP, SFTP, FTP over explicit TLS, etc. really makes any difference in regards to these spyware/trojans/malware.

    I am assuming users are storing their password in the FTP application's site manager. Which if that is the case, why does it matter how the password is passed to the FTP server? The compromise has already been made. The compromise is through the FTP application and storing the FTP password.

    Maybe I'm missing something, but I've never really understood how passing the password in an encrypted manner is going to help with this.

    If a user has a malicious piece of software running on their computer, they need to be taking steps to remove the software.
     
  6. vanessa

    vanessa Well-Known Member
    PartnerNOC

  7. rackaid

    rackaid Active Member

    I need to see if this will work in cPanel but on Plesk, I modify the shells permitted.

    With SFTP, you can set up an SFTP only shell. While users can still browse around to other directories it does limit shell access.

    Also will need to check the docs to see if the jail shell programs can be modified to work with SFTP.
     
  8. Alrik

    Alrik Registered

    The only problem right now is showing all directories; users can't execute shell commands.
    SFTP would be perfect if a user could only see their home dir and nothing else.

    @everybody pointing out the malware issue:
    Yeah, if a user's sw is compromised, it does not really matter which protocol is used. On the other hand, if only the data transmitted is sniffed, then a secure protocol would improve security a lot. Let's say it would be an improvement in security, not a complete solution.
     
  9. EWD

    EWD Well-Known Member
    PartnerNOC

    I have complained about this and it seems no one at cPanel seems to think it is an issue.
     
  10. tylerl

    tylerl Active Member

    rssh

    Check out rssh. It has exactly what you need. It's a jailed shell that you can configure to support only SCP/SFTP (and a few others like rsync if you want) as well as create a chroot jail.

    Some assembly required.
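
Added example, not part of the post above and not rssh's own code: a small audit of `user=` entries in an rssh configuration, flagging accounts that are not jailed or that allow more than SFTP. The field layout and bit order are assumed from rssh.conf(5); the sample configuration, user names and paths are constructed.

```python
"""Audit rssh.conf user entries that are not confined to chrooted SFTP.

Layout assumed from rssh.conf(5): user=NAME:UMASK:ACCESS_BITS:CHROOT_PATH
ACCESS_BITS = five binary digits for rsync, rdist, cvs, sftp, scp, in that order.
A user= line overrides the global keywords, so an empty path means no jail.
Simplification: quotes are stripped, escapes are not handled.
"""
PROTOCOLS = ("rsync", "rdist", "cvs", "sftp", "scp")

# Constructed sample configuration (user names and paths are made up).
SAMPLE_CONF = """\
allowsftp
chrootpath = /home/jail                  # global default jail
user=alice:022:00010:/home/jail/alice    # sftp only, own jail
user=bob:022:00011:                      # sftp + scp, path left empty
user="carol:077:10010:/home/jail/carol"  # rsync + sftp
"""

def parse_users(conf_text):
    """Return {name: (allowed_protocols, chroot_path_or_None)}."""
    users = {}
    for raw in conf_text.splitlines():
        key, sep, value = raw.split("#", 1)[0].partition("=")
        if not sep or key.strip().lower() != "user":
            continue
        fields = value.replace('"', "").replace("'", "").strip().split(":", 3)
        if len(fields) < 3 or len(fields[2]) != 5 or set(fields[2]) - set("01"):
            raise ValueError(f"malformed user entry: {raw!r}")
        allowed = [p for p, bit in zip(PROTOCOLS, fields[2]) if bit == "1"]
        path = fields[3].strip() if len(fields) == 4 else ""
        users[fields[0].strip()] = (allowed, path or None)
    return users

def audit(conf_text):
    """List (user, problem) pairs for entries that are not jailed SFTP-only."""
    findings = []
    for name, (allowed, path) in parse_users(conf_text).items():
        if path is None:
            findings.append((name, "no chroot path"))
        extra = [p for p in allowed if p != "sftp"]
        if extra:
            findings.append((name, "also allows " + ",".join(extra)))
    return findings

if __name__ == "__main__":
    for user, problem in audit(SAMPLE_CONF):
        print(f"{user}: {problem}")
```

In the sample, `bob` is reported as unjailed even though a global `chrootpath` is set, because his per-user line leaves the path empty.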
     