cPanel & WHM Version 94 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

SFTP access for virtual FTP users

Nathan Lierbo shared this idea 8 years ago
Open Discussion

As a website owner or webhosting provider, I would like cPanel to include SFTP support for virtual users, rather than only the primary cPanel account's user, to allow me to disable FTP access on my server.

============================

Context, from cPanel:

An SFTP subsystem for virtual ftp users would require quite a bit of work due to the nature of SFTP. We wrap around the SFTP subsystem that comes with OpenSSH and the big drawback to this is that it requires a valid shell in order to work properly.


For situations where encryption is needed, FTPs is a good alternative to use with virtual FTP users as they don't need to have a valid shell and all authentication/transfers occur on an encrypted fashion.


However if SFTP for virtual users is something you'd like to see in our product, vote here.

Comments (18)

photo
1

My use case is I used a cloud-hosted repository that does deployments for me. So I don't want to give them un-encrypted credentials and I don't want to give them access to my Cpanel login.


So I figured I'd create a sub-FTP (virtual) account and have them use that. But since SFTP won't work for virtual accounts, I have to give them plain FTP credentials which can get sniffed anywhere along the way. Yikes.


I could give them my main account credentials, but then they'd have access to my Cpanel account. Yikes!


SFTP should be standard across all accounts, virtual or not.

photo
1

A separate user management for ssh,sftp etc in WHM could be a start.


Currently you have to do it from the console e.g.:

http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/

photo
1

I actually just stumbled on this exact issue. I know this is an old idea (3+ years) but gosh if this were possible it would make some of my clients really happy. They're running in to an issue where they have data they want extracted automatically and these types of systems that fetch and process said data love connecting using SFTP. It just dawned on me that has nothing to do with plain old FTP (or FTPS) in cPanel because SFTP is SSH. I actually have never configured SSH for any of my clients. Let alone virtual users.

So definitely +1 in my book for this.

Added bonus - allow SFTP while still preventing users to use SSH. To me that sounds stupid and impossible, but apparently it is - http://serverfault.com/questions/354615/allow-sftp-but-disallow-ssh

photo
1

Kyle, if you need help setting up SFTP on your server, let me know, I'd be more than happy to help you set it up. I have some advice for you though.


1) Run your SSH server on a non-standard port (like 22735 or something). When it's running on the default port (port 22), there always seems to be a lot of brute-force type of attacks.


2) Disable keyboard authentication all together. If, by some chance, an outside intruder finds what port your SSH server is running on, it wouldn't matter. Require only keys or require both keys and keyboard authentication.


3) Use a free server like scanmyserver.com to try and detect exploitable services on your server. It's free, they use Nessus I think to scan your server and you can search google looking for solutions.


On my server, I have ConfigServer Firewall installed (it even has a cPanel plugin so I can do everything from cPanel), I also have rkhunter, chrootkit, clamAV, and ModSec installed. I setup a whitelist to allow the scanmyserver.com servers through all this protection, so they're not blocked while trying to find bad stuff. I run my SSH server on a non-standard port number and only allow SSH key authentication. If you try connecting without the proper key, you cannot login, no matter what. I take my SSH key and keep it on a thumb drive and I've configured SSH so when I try connecting to my server, it loads the key off the thumb drive. If the thumb drive is not in the computer, there's no way to connect to my server via SSH. To my knowledge, not one person has attempted to connect via SSH on port I have it running, whereas before, when it was running on port 22, there were thousands of attempts a day.


Best of luck and if you need any help, please let me know.


Thanks!

photo
photo
1

Personally, I think regular FTP should not be an option, or at least, not so easy of an option. I've talked to users on GoDaddy's support forums who were using it, having no idea that it was sending credentials plain-text. A person could secure certain FTP servers a bit, but I personally think cPanel should be pushing users towards SFTP. I like Kyle's idea with giving users an option to enable SFTP but disable SSH access. I did not know this was allowed.


I think cPanel should have more options for configuring SSH in WHM / cPanel. There's no options to change the port number, no options to disable various features. I think there should be a section, much like the Apache configuration section (or at the very least, the Mutli-PHP INI editor), were we can edit the configuration file in WHM / cPanel.


Also, I think when a user account is created in cPanel / WHM, there should be an option to enable or disable SSH / SFTP access for that user (and it should be disabled by default). I feel a person should be able to add an SSH / SFTP user without having to create a cPanel account but should have the option when creating the SFTP / SSH option, to also create a cPanel account. Is this called a virtual user? Where they don't have a cPanel account, but have a system account or vice-versa? Thanks!

photo
3

Would using mod_sftp for ProFTPd work better for something like this?


This would separate SFTP and SSH access completely.


It would require SFTP to run on a different port than SSH, but there's not really a common SFTP port anyway and most people are advised to change their SSH port from the standard port 22.


ProFTPd would allow you use to use AuthUserFile which could be utilized for virtual FTP users.


There may be other FTP daemons that mimic SFTP. ProFTPD is just the only one I'm aware of.


I just thought I'd mention it, thought it might be an avenue to explore.

photo
3

I have compiled "mod_sftp.so" on another machine, copy it over to cPanel machine into folder "/usr/libexec/proftpd" and add to the configuration :


  1. SFTPEngine on
  2. SFTPLog /var/log/proftpd-sftp.log
  3. SFTPHostKey /etc/ssh/ssh_host_rsa_key
  4. SFTPCompression delayed

and it works with current virtual users under cPanel virtual FTP users. So if cPanel starts providing proftpd server with sftp module it should be easy to change from FTP to SFTP or run additional port for SFTP.

photo
1

I have just gained a new customer that needs SFTP access to support the United States Postal Service requirements to upload to his site.

photo
1

Would be nice to get this added to support secure FTP connections to additional FTP users.

photo
1

With cPanel moving to remove FTP this is now required. We still have customers who need FTP so I hope FTP will be kept and SFTP added.

photo
1

With v86 disabling FTP by default for new installations, this becomes more necessary as the current alternative for sub-users to upload files will be limited to only WebDisk.

photo
1

SFTP is harder to secure than FTPS. Disabling FTP by default is a good idea, as it forces the customer to decide to enable it, reducing the attack surface unless they do enable it. If we enable SFTP, you open SSH which is a much bigger can of worms. I would much prefer to see FTPS with SNI added.

photo
1

Enabling SFTP does not necessarily imply enabling SSH.

There are SFTP only servers too that does not support shell login at all such as SFTPGo that is free and open source

photo
photo
1

There's no difference in "harder" for securing. An open port to the Internet is an open port. Any application will take work to secure to "your" satisfaction regardless of what is default or included.

The cPanel server is specifically designed to have these services open to the Internet and available. If you disable some of the cPanel security features to make things easier, you will take away from the security they have already included with these services.

In general, IMO, every server administrator will use SSH to manage the server. Turning that off just is not an option. FTP on the other hand only has one purpose, to transfer files. This can be done many different ways, so FTP service itself really isn't necessary for the function of the server or transferring files.

Making these other, already necessary services available to use for transferring files in the same secure way FTP does with dedicated users is the better way, and just remove the FTP service altogether. That will remove a port exposed to the Internet that can be possibly exploited and make the server a "little" more secure.

photo
1

A properly secured server will have SSH blocked either at the firewall or gateway, with exceptions for the Admins IP and any server that needs to communicate over SSH (I belI eve it is one of the methods for DNS clustering, if I recall correctly, and you will want to open it to your monitoring server as well).

photo
photo
2

This is absurdly simple to resolve... see my comment from 3 years ago.

SFTP does not have to be linked to OpenSSH.

I suggested ProFTPd with mod_sftp - but Nicola Murino may have a different solution with SFTPGo (I really haven't heard of this product). But the point is... there are other FTP daemons out there that support the SFTP protocol and are in no way, shape, or form attached to OpenSSH... you couldn't get direct shell access from these daemons if you tried.

In my own opinion... that is the solution to this. Abandoned the linkage of SFTP to OpenSSH and install a separate FTP daemon for the sole purpose of providing SFTP access (that can be ProFTPd with mod_sftp, SFTPGo, something else... I don't know). Whatever SFTP daemon you choose for this, block off regular FTP access and enable just SFTP access. And here's the real kicker... you don't have to wait for cPanel to make a pretty link in the WHM to enable this... you can do it on your own. If you have root, you can install anything you want on a server and poke a hole in your firewall to allow access. We've been doing this with ProFTPd and mod_sftp for... well... at least 3 years.

photo
1

You are thinking like an Admin, not an end user. SFTP is great if you understand how to use it, but in most implementations an end user will be using, it is more complex to setup than FTPS. As @Monarobase mentions, most tools support FTP, and an many cases FTPS by extension (I had to convert an old Perl script to use FTPS a few years ago. We looked at both SFTP and FTPS. FTPS was a simple as using NetSSLGlue as a drop in replacement, whereas SFTP would have required a rewrite.) And the ultimate test, the most common FTP client, FileZilla, supports FTPS by default.

photo
1

Wait? What? Huh?

What normal end-user is using a perl script to FTP things?

A normal end-user uses an FTP client, put in a hostname, puts in a username, puts in a password, puts in a port number, clicks connects, drags and drops file from the local side to the remote side or vice versa. The average end-user has no clue if the protocol is FTP, FTPS, or SFTP.

Now in your case, maybe you were working with a perl script and had issues. I'm not meaning to ignore the issues you faced and your concerns may certainly be valid. BUT... how many normal end-users use perl? How many normal end-users even know what perl is? 1 in a 100? 1 in a 1000?

The purpose of switching to a more secure FTP protocol by default is to affect the masses in the best way possible. I happen to think SFTP with it's own non-OpenSSH FTP daemon is the best solution (mainly because there's only one connection port necessary unlike FTP which will use a control and data channel). You do not agree... that's what this feature request discussion is for.

But I still don't think typical end-users are going to know what secure protocol they are using as long as it works.

photo
1

I was trying to provide two points of view... End user with an FTP client/website development application, and on the flip side, that of a developer of an existing application that is looking to add support for some form of secure FTP transfer. On the latter, in a peel script I had to modify to support secure FTP, I observed it was much easier and quicker to use a drop in replacement module that supports both FTP and FTPS, than to rewrite it to support a SFTP module. As developers are usually time constrained, the quicker change is much more likely to be made... what I am trying to say is if an existing web development tool supports FTP, odds are the developer will invest the time to support FYPS, but less likely to support SFTP.

photo
photo
1

SFTPGo looks very nice, with an API, and possibility to allow password or pub key auth for each user. cPanel would obviously have to audit it internally from a security and a maintainability perspective but it looks very appealing !

Sadly some apps still can't do anything other than FTP so FTP should be kept, not installed by default but still kept so hosts who need it can install it any maybe when it is installed give users the option to choose between the two when they create a new account.

photo
2

ProFTPD+mod_sftp and SFTPGo basically do the same job.


SFTPGo is a quite new project while ProFTPD is far more mature but SFTPGo has a very different approach:


- It exposes REST API for users management, backup, restore and real time reports of the active connections with possibility of forcibly closing a connection

- it has builtin support for custom actions on file upload, download, delete, rename

- permissions are virtual and not related to filesystem permissions

- upload resume is supported (the last time I tested this in ProFTPD it didn't work)

- it supports serving local filesystem, S3 Compatible Object Storage and Google Cloud Storage over SFTP/SCP

- it is very hackable, you can easily setup your own multi factor authentication, or use your own authentication system

- it expose prometheus metrics

- it works on Windows and MacOS too

- some selected SSH commands are supported, for example Git and rsync

- it supports many other features, you can take a look at the GitHub project page.


ProFTPD can do many of these things too but with a much ugly configuration syntax (this can be opinable)


Regarding security SFTPGo use the Golang SSH stack that is maintained by Google.

Red Hat provides, on RHEL, a Golang stack that is FIPS 140-2 validated.


DISCLAIMER: I'm the author

photo
1

It would be nice to have this feature out the box, especially since plain FTP is now disabled by default for new installations (https://cpanel.net/up-next/ftp-disabled-by-default/)

It is also handy using the virtual users so things like GDPR can be considered with data being made available/restricted by given path for the selected users, rather than having to faff about with the terminal which can be rather overwhelming/huge learning curve to some end-users

It would be super if this can be in place for v88 (though should have been there for v86 IMO)

photo
4

It looks like cPanel added mod_sftp at some point to the proftpd installation because I have it in 1.3.6.c.

Here is the relevant part of "proftpd -V"


'--with-modules=mod_tls:mod_wrap:mod_sftp'

Here is what I added to enable SFTP in /etc/proftpd.conf

<IfModule mod_sftp.c>
  SFTPEngine on
  SFTPLog /var/log/proftpd-sftp.log
  SFTPHostKey /etc/ssh/ssh_host_rsa_key
  SFTPCompression delayed
</IfModule>
However, this did not work because mod_tls took over the connections and I got "authentication request for user 'user@example.com' blocked by 'USER' handler" and "disconnecting <IP> (Protocol error)".

To get it to work I commented out the entire <IfModule mod_tls.c> section. After that SFTP worked with FTP virtual users. Beware, this will disable FTPS!"

photo
3

To add to my previous comment, cPanel kept overwriting my /etc/proftpd.conf file and adding back the mod_tls block which broke my SFTP server.

To fix this I copied my SFTP conf to /etc/proftpd-sftp.conf and put this in /etc/systemd/system/proftpd.service.d/override.conf

[Service]
ExecStart=
ExecStart=/usr/sbin/proftpd -p 0 --nodaemon --config /etc/proftpd-sftp.conf

I also had to disable ftp service watching in chkservd.

photo
photo
1

Fast forward to 2020. So glad I found this post and Nicola's suggestion as I had been looking for a solution to add SFTP support to cPanel accounts that are not root users for some time. Seems strange that cPanel still doesn't support this as standard, but to be honest there is a very good alternative.

I run a service that allows dozens of data feed providers to upload data to my site through their own dedicated FTP folder and although FTP works most of the time, I had come across times were some users wanted to use SFTP instead as that was either all they could use or Passive/Active FTP just wasn't reliable enough.

Anyway...

My solution was to use SFTPGO. The default install has FTP turned off so you can easily run this side by side with the regular FTP cPanel provides including existing folders users are uploading to. Furthermore the API is pretty easy to use with basic HTTP authentication so I was able to add this into my existing workflow that already generates FTP accounts using Curl and the cPanel API. Now both FTP and SFTP support is created at the same time with the same credentials, just different protocol and port numbers.

SFTPGO is really cool and comes with better features for folder permissions and filtering than cPanel does, It seems well maintained on GIT and has good documentation. I highly recommend trying it out.

Leave a Comment
 
Attach a file