Some issues regarding SFTP

Alrik

Hi there,

I've encountered some issues when trying to use SFTP on a cPanel server.

Since FTP is an old and insecure protocol, I would like to use SFTP.

The problem with SFTP is that a user can see system directories and files when the user does a cd and ll or ls when in the root directory.
Shell access is turned off for the users, so they can't do any shell commands.

I want to jail users who log on through SFTP to their home directory.

Has anybody else encountered the same problems and found a good way to solve this issue while keeping things integrated with cPanel?

I found some fixes on the net, but they involved adding users manually to gain FTP access; I'm looking for a solution with integration in cPanel.
 

Alrik

Yeah, that is also an option. But I would prefer jailed SFTP.

One of the reasons for SFTP usage is the recent viruses that seem to be capable of nesting themselves in FTP software.
 

cPanelDavidG

> Yeah, that is also an option. But I would prefer jailed SFTP.
>
> One of the reasons for SFTP usage is the recent viruses that seem to be capable of nesting themselves in FTP software.

But wouldn't customers just use the same software they're using now for SFTP? Many FTP clients that support FTPS also support SFTP.

If you are concerned about spyware sniffing unencrypted traffic, you could use ProFTPd and configure it (via WHM) to only accept encrypted (FTPS) connections.
 

sparek-3

I don't really see how FTP, SFTP, FTP over explicit TLS, etc. really makes any difference in regards to these spyware/trojans/malware.

I am assuming users are storing their password in the FTP application's site manager. Which if that is the case, why does it matter how the password is passed to the FTP server? The compromise has already been made. The compromise is through the FTP application and storing the FTP password.

Maybe I'm missing something, but I've never really understood how passing the password in an encrypted manner is going to help with this.

If a user has a malicious piece of software running on their computer, they need to be taking steps to remove the software.
 

rackaid

> Hi there,
>
> The problem with SFTP is that a user can see system directories and files when the user does a cd and ll or ls when in the root directory.
> Shell access is turned off for the users, so they can't do any shell commands.

I need to see if this will work in cPanel but on Plesk, I modify the shells permitted.

With SFTP, you can set up an SFTP only shell. While users can still browse around to other directories it does limit shell access.

Also will need to check the docs to see if the jail shell programs can be modified to work with SFTP.
 

Alrik

> I need to see if this will work in cPanel but on Plesk, I modify the shells permitted.
>
> With SFTP, you can set up an SFTP only shell. While users can still browse around to other directories it does limit shell access.
>
> Also will need to check the docs to see if the jail shell programs can be modified to work with SFTP.

The only problem right now is showing all directories; users can't execute shell commands.
SFTP would be perfect if a user could only see their home dir and nothing else.

@everybody pointing out the malware issue:
Yeah, if a user's software is compromised it does not really matter which protocol is used. On the other hand, if only the data transmitted is sniffed, then a secure protocol would improve security a lot. Let's say it would be an improvement in security, not a complete solution.
 

EWD

> The only problem right now is showing all directories; users can't execute shell commands.
> SFTP would be perfect if a user could only see their home dir and nothing else.
>
> @everybody pointing out the malware issue:
> Yeah, if a user's software is compromised it does not really matter which protocol is used. On the other hand, if only the data transmitted is sniffed, then a secure protocol would improve security a lot. Let's say it would be an improvement in security, not a complete solution.

I have complained about this and it seems no one at cPanel seems to think it is an issue.
 

tylerl

rssh

> Yeah, that is also an option. But I would prefer jailed SFTP.
>
> One of the reasons for SFTP usage is the recent viruses that seem to be capable of nesting themselves in FTP software.

Check out rssh. It has exactly what you need. It's a jailed shell that you can configure to support only SCP/SFTP (and a few others like rsync if you want) as well as create a chroot jail.

Some assembly required.
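
A minimal rssh.conf for the kind of setup described in the post above, added here as an illustration and not taken from the thread or from cPanel: it permits only SFTP and SCP and chroots rssh users into one jail. The jail path /usr/local/chroot and the account name exampleuser are assumptions; the keywords and the five-digit access bits follow upstream rssh.conf(5), so check the man page shipped with your build.

```conf
# /etc/rssh.conf (added example; the jail path and user name are placeholders)

# Syslog facility rssh logs to.
logfacility = LOG_USER

# Global policy: only the protocols listed here are permitted.
allowsftp
allowscp
# Leave these commented unless they are really needed.
#allowrsync
#allowcvs
#allowrdist

umask = 022

# Chroot every rssh user into this jail before sftp-server or scp is run.
# A home directory located under this path becomes the start directory;
# otherwise the session starts at the jail root.
chrootpath = /usr/local/chroot

# Per-user override, format: user = name:umask:access bits:chroot path
# A user line replaces ALL global settings for that account.
# Access bits, left to right: rsync rdist cvs sftp scp
# 00010 = SFTP only, 00011 = SFTP and SCP.
user = "exampleuser:027:00010:/usr/local/chroot"
```

An account uses this policy once its login shell is the rssh binary, and the jail has to be populated with the sftp-server and scp binaries plus the libraries they load before logins will work.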