Will SCP work if you don't allow SSH access?

Discussion in 'General Discussion' started by jols, Aug 10, 2009.

  1. jols

    jols Well-Known Member

    I hear that SCP uses SSH protocol, so I just want to make sure.

    We no longer allow SSH access for our hosted members. Now some are looking for a different method of securely transferring files and they are not thrilled about having to use FTPS.

    So, I take it that SCP is still functional and can be used by the vsite owners to transfer files around? Yes?
     
  2. bpence

    bpence Registered

  3. jols

    jols Well-Known Member

    Thanks Brian Pence. Can you please point us in the right direction for this, i.e. for disallowing shell but allowing SCP?
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    SFTP is enabled for all users regardless of shell. All they need is the correct IP for it and port #

    To find port #; cPanel > FTP accounts > find account username, to the right click, Configure FTP client.


    en.wikipedia.org/wiki/SSH_file_transfer_protocol
     
  5. jols

    jols Well-Known Member

    Infopro, thanks for this. This is interesting however because earlier we could not get SFTP working with one of the accounts, only FTPS. Perhaps we needed to generate new ssh keys for this?

    Thanks again, I'm a bit of a dummy when it comes to SFTP vs FTPS and the like.
     
  6. jols

    jols Well-Known Member

    Thanks but I can't get this to work. When setting up sftp in FileZilla, at first I get the common warning prior to connecting, "The host key is unknown..." Then I clicked Always trust this host, and clicked OK. Then I get:


    Command: Trust new Hostkey: Yes
    Error: Disconnected: No supported authentication methods available
    Error: Could not connect to server

    I am using our SSH (alternate) port, but again, it seems that this will not work because we do not allow SSH access? What am I missing here? Does something in /etc/ssh/sshd_config need to be configured differently?


    P.S. Yes, we do have this at the bottom of the sshd_config file:

    # override default of no subsystems
    Subsystem sftp /usr/libexec/openssh/sftp-server
     
    #6 jols, Aug 12, 2009
    Last edited: Aug 12, 2009
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Are you using the IP address used for SSH? I don't use FZ but you open the Site Manager and add the site there. Select server type > SFTP. Add the IP and port and you should be good to go.
     
  8. jols

    jols Well-Known Member

    Yes, but no IP is used by our hosted customers for ssh access because we do not allow ssh access for our hosted customers, thus the problem.

    I have come upon a solution for this by putting together a few different posts on this subject, the method goes like this:

    ---------------
    To allow SFTP access but without shell access, you must first enable (jailed) shell via WHM. But then run the following so they do not have command line/shell access:

    usermod -s /usr/local/cpanel/bin/noshell username

    Of course, replace "username" with the actual account user name.

    Then generate a key pair for the account in question:

    cd /home/userid/.ssh

    Run:
    ssh-keygen
    (Accept the default names, i.e. id_rsa)
    Enter any passphrase and be sure to remember the passphrase used.

    After this, two files will be created:

    id_rsa
    ***This is the private key.
    id_rsa.pub
    ***This is the public key.

    Now enter the following:

    cat id_rsa.pub >> authorized_keys

    The id_rsa file is the private key to be used with FileZilla:

    Preferences ---> SFTP ---> add key file.

    Then configure FileZilla with SFTP and port - (insert ssh access port here), the user ID but NO password.

    Remove both files from the on-line account:
    id_rsa.pub
    id_rsa

    Now SFTP transfers work.
    ---------------

    A significant aspect of this is to switch on SSH access for the account, but remove their capability to reach the shell command line:

    usermod -s /usr/local/cpanel/bin/noshell username

    This part was derived from this post:
    http://forums.cpanel.net/f5/strange-sftp-problem-83169.html


    This concludes about three days of research on this one. But if anyone has anything to offer in addition, I would certainly like to know more, particularly with regard to potential security vulnerabilities that may arise from using this method.
     
  9. bpence

    bpence Registered

    Sorry I did not reply back sooner, but it seems you have found the solution yourself. You're right in that turning *OFF* SSH altogether not only disables shell access, but also scp and sftp as well. The trick is to leave SSH on, but disable access to the shell as you found.

    Brian Pence


    Celestial Software
    AbsoluteTelnet SSH/SFTP client for windows
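
A post-setup check for the procedure in post #8, as an added example that is not part of the original thread: it verifies that the account's login shell is noshell, that sshd still defines the sftp subsystem, that the generated private key was removed from the server, and that `.ssh` and `authorized_keys` are not writable by other users. The function name `audit_sftp_only` and its three arguments are assumptions made for illustration; the noshell path and the `Subsystem sftp` line are the ones quoted in the thread.

```bash
#!/usr/bin/env bash
# Added example: audit an account set up as "SFTP yes, shell no".
# Usage on a live server (USER is a placeholder):
#   audit_sftp_only "$(getent passwd USER | cut -d: -f7)" /home/USER /etc/ssh/sshd_config
# Prints one FINDING line per problem; exit status is the number of findings.

NOSHELL=/usr/local/cpanel/bin/noshell   # path quoted in the thread

audit_sftp_only() {
    local shell="$1" home="$2" sshd_config="$3"
    local ssh_dir="$home/.ssh" findings=0 f

    # 1. The login shell must be noshell, otherwise the key also grants a shell.
    if [ "$shell" != "$NOSHELL" ]; then
        echo "FINDING: login shell is $shell, expected $NOSHELL"
        findings=$((findings + 1))
    fi

    # 2. sshd must still define the sftp subsystem.
    if ! grep -Eq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]' "$sshd_config"; then
        echo "FINDING: no 'Subsystem sftp' line in $sshd_config"
        findings=$((findings + 1))
    fi

    # 3. The private key generated on the server must be gone after download.
    for f in "$ssh_dir"/*; do
        [ -f "$f" ] || continue
        if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f"; then
            echo "FINDING: private key left on server: $f"
            findings=$((findings + 1))
        fi
    done

    # 4. .ssh and authorized_keys must exist and not be group/world-writable,
    #    or another local user could append a key of their own.
    for f in "$ssh_dir" "$ssh_dir/authorized_keys"; do
        if [ ! -e "$f" ]; then
            echo "FINDING: missing $f"
            findings=$((findings + 1))
        elif [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "FINDING: $f is group- or world-writable"
            findings=$((findings + 1))
        fi
    done

    return "$findings"
}
```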
     