cPanel & WHM Version 98 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

SNI support for FTP

benny@cpanel.net shared this idea 5 years ago
Open Discussion

As a server administrator, I would like cPanel to add SNI support to cover FTP remote access via TLS/SSL.

Replies (7)

photo
3

Definitely please. This would help to whitelabel the services for resellers.

photo
4

Please this is long overdue. In todays world were most users are not tech-savvy and they should be using SSL/TLS to connect, getting constant warning pop-ups due to security implementation from browsers makes it a huge support hassle for companies. Can we have this added soon?

photo
3

This is now possible with the production release of ProFTPd 1.3.6. We will investigate adding this feature in an upcoming cPanel & WHM release.


Incidentally, there still does not appear to be SNI support in Pure-FTPd; unless that changes, SNI support for FTP will require ProFTPd.

photo
2

There is an open feature request to ask the developers of Pure-FTPD to support SNI. Please consider adding your constructive comments and support for this feature there: https://github.com/jedisct1/pure-ftpd/issues/72

photo
2

How necessary is this?


I thought the major push was more towards SFTP, rather than FTP over TLS.


Personally, I like ProFTPd's rendition of SFTP better than tying it directly to OpenSSH. This can also be made to support virtual FTP users.


I only bring this up because I question whether it's worth the time and effort to implement this for FTP, when SFTP is probably a better alternative.

photo
2

I think this site is a good place to have this conversation. There are a number of users that still use FTP and would like to be able to use FTPS. Would webhosts find it problematic to start pushing users to SFTP?

photo
3

Any sensible webhost should have their SSH on a non standard port, and closed to the world.

This makes FTPS rather than SFTP essential.


Seperate to this, I am also aware of a number of client web design apps (Serif Pageplus I think is one some of my clients use) that do not support SFTP at all.

photo
3

SFTP does not work for the add-on FTP accounts. FTPS, in the cPanel ecosystem, is the only secure way to allow someone access to a directory in your account, short of giving them the entire keys to the kingdom. Put another way, the only way to use SFTP is to use the master cPanel username and password, which is not acceptable in some situations. To be clear, FTPS does work as-is, but users are presented with a certificate mismatch warning, causing concern (and support tickets).

photo
1

See:


https://features.cpanel.net/topic/sftp-access-for-virtual-ftp-users


That's kind of my point. If you're going to invest time into pushing ProFTPd as the default FTP daemon or working with PureFTPd to patch their system, why not just add mod_sftp support to ProFTPd, switch to ProFTPd, and call it a day?


SFTP is just cleaner, at least to me.


With FTP and TLS, are both control and data channels encrypted? It used to be that FTP clients would only encrypt the control channel, not the data channel. Meaning that as you uploaded or downloaded files, it was still a plain, unencrypted transmission. That may not be the case any longer.


SFTP just doesn't deal with control and data channels.


Having said all of that, there's probably still some applications that still require plain ol' FTP, I don't know if there's going to be much of a way around that. Even cPanel's own backup system doesn't support SFTP (it does support SCP, but that's not the same thing as SFTP. SCP requires an actual shell).

photo
3

I agree with Scott Neader's points.

On the cPanel servers that I've tested, FTPS is encrypting the data channel also ("PROT P" command being issued and accepted).


I thought that you needed SSH access enabled for a user to be able to use SFTP?

If so, very few hosts offer SSH without a premium cost attached.

Some hosts are altogether removing SSH access as an option to users.

Filezilla defaults to try and use FTPS now.

Based on this, I'd say that this is still necessary as FTP over TLS is still the main method of transfer being used.

photo
2

My understanding is that ProFTPd can, via mod_sftp, host its own SFTP service independently of OpenSSH; thus, shell access via SSH is not strictly necessary for SFTP.

Pure-FTPd doesn’t support SFTP, though, so for cPanel hosts that will continue to prefer Pure-FTPd there would need to be that flexibility in the deployment.

Two other considerations:

  • FTPS provides (arguably) stronger authentication than SFTP. SFTP’s authentication only ensures that the client is connecting to the same server as previously, whereas FTPS ensures that the server is, in fact, the intended server by name.
  • Tangential: in v72+, cPanel hosts that want to offer shell access to users without exposing SSH can give those users the new Terminal UI.

photo
1

Doesn't cPanel's own SFTP operate if the user's shell is set to /usr/local/cpanel/bin/noshell ?


But still doesn't solve the Virtual Users problem, which mod_sftp with Proftpd can.


Are MITM attacks with FTP really an issue? I've never really understood the whole MITM thing anyway. How many of you know of clients that stop everything they are doing when they get a certificate mismatch error? Most accept the certificate and carry on. Most people only raise an issue when it happens over and over again, like ever 3 months when a new Let's Encrypt certificate is generated. I'm not saying this isn't an issue and shouldn't be a concern, but until the general public learns not to accept mismatched certificates, then who are we preaching to?


Back on topic... If you want to put SNI support into FTP (PureFTPd or ProFTPd) that's fine, I don't have an issue with doing that. But if you're going to do that, I think you should look into adding mod_sftp into ProFTPd, or just scrapping the whole OpenSSH SFTP and creating an SFTP variant using ProFTPd with mod_sftp.

photo
1

FTPS is the better solution for clients, they usually don't know how to setup FTP clients, and the default is FTP with TLS in Filezilla for example... so why go against the tide...

And i also agree that opening SSH port public might be a risk.

photo
7

Pure-FTPD now supports SNI, so I think there is no technical reason anymore to hold back this feature implementation at this time.

https://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS

photo
6

As a web host, we have FTP open because many of our customers are used to this method of accessing their site. I prefer to keep SSH disabled for any users except myself as it does introduce a whole additional level of security complexity.

Simply put, SFTP is a great technology, but is generally the domain of more advanced linux users (and admins) and not the average Joe. The average Joe uses something like FileZilla and is at least peripherally aware of how to use FTP. Enabling FTPS and setting both Data and Command Channels to require encryption is the right choice for cPanel as it's FTP is mostly used by average Joes.

That said, we need to get SNI enabled for FTPS ASAP now it is supported upstream.

photo
1

Because of the malicious traffic to SSH on port 22, many hosts (ourselves included) either disable or use short IP allow-lists.

FTP over TLS is a good compromise from both a practical and security perspective.

photo
photo
2

I have tryed FTP on some resellers, and never have found a working valid configuration of FTP certificates for the end user. But most of them have the SSL cert working fine, therefor i believe the funtionality of leting the user admin the ftp cert as they do with the rest of the site cionfig would be an improvment over whats seen on the field.

photo
2

I subscribed to the rss feed to get updates, you have the body and the subject mixed up. Very strange output on clients...

photo
photo
4

Pure-FTPd recently introduced support for SNI certificates in version 1.0.48, current release 1.0.49. It's now time for SNI support for FTP services certs in cPanel. Please provide a status update of this request. Thanks!


From Pure-FTPd website announcement:

  • SNI support has been added. A new service, pure-certd, can run external code written in any language in order to map SNI names to TLS certificates.

photo
1

We do not have an update at this time.

photo
1

Great news, hopefully cPanel will soon update pureftpd to the latest version and implement SNI SSL 🙂

photo
Leave a Comment
 
Attach a file