How can I add an SFTP account?

Wijs

Hello,

One of our customers made a request for an SFTP account. But how can I add an SFTP account?

Thanks,

Wijs
 
ProFTPd doesn't support SSL (as far as I know), you would have to install your own SFTP server.

Chris
 
Bump... it seems we have SFTP running on the DA server where my customer is requesting it. However, our admin is out of town for the weekend, and I need to know how to add an SFTP account. I'm getting a permission denied error when I try to connect as that user. Any ideas?

I can log in with other accounts via SFTP, but not this one.
 
Hello,

Other ftp programs would probably not be set up to use the virtual ftp accounts ([email protected]).. so the only login that *may* work (if it's set up) would be the system account (same user/login as DA).. but that's under the assumption user logins are enabled and permitted.

John
 
SFTP is not FTP w/SSL.

For your user to be able to use SFTP, you need to give him a shell account, nothing more, nothing less.
 
Is this still the current answer with the DA ProFTPD Server? I would like to give sftp access without shell access.
 
SFTP has nothing to do with the proftpd daemon. You can find an explanation of it here.

I believe it requires a valid shell to operate and that a valid shell also allows scp.

Proftpd is quite secure as far as ftp is concerned; while it does allow the password to be passed unencrypted, it allows very little to be done with that password, and nothing at all outside the user's directory tree.

Of course for site owners the ftp password is the same as the control panel interface password, and that can be an insecurity.

The good news is that typical hackers have no idea what control panel, if any, is in use.

Jeff
 
Wijs...

There's no need for either a login setup or an additional server install. Any SFTP/SCP client that uses SSH for authorization will allow your customer to access their webspace using their DA login.

Compared to FTP, there are some differences in what can be done and how, but most of the functions needed are possible, along with quite a few you won't expect.

I usually recommend WinSCP - a GPL Windoze app available here: http://winscp.net

If they use a Mac or linux, I'm sure there are several others that will work as well.
 
Our policy is not to give shell access at all so the sftp is out of the picture. Sad part of reality but necessary in today's world.
 
Tauvo...

SFTP isn't related to shell accounts. It's a secure transfer/copy protocol with limited command access and SFTP/SCP users are bound to the same permission constraints and paths that their web account entitles them to, so no access to other system or 'non-owned' files is possible.

Think of it as DA access without DA :)
 
ApSpecialists,

My understanding and experience is that SCP allows the same access to the server as ssh does, and anyone using SCP connectivity can also use SSH connectivity, so I'm not sure what you mean.

Can you explain?

Thanks.

Jeff
 
Jeff... As far as I understand it you're correct.

WinSCP for instance, authenticates the session - and sends 'some' data - via ssh, and other data with SCP or SFTP. It's dependent on the data type and the packet size the protocol can handle - along with what's allowed within each. SCP and SFTP kind of ride on top of the ssh session like a carrier wave, with all of their inherent functions available... in my case, on a DA RedHat E3 box with no additional servers installed, so I assume anyone could use it as well.

No matter what's done (copy / delete / permissions), it's based on the same ssh authorizations the user is set up with. It will transparently bounce between protocols to perform its functions, but it never goes outside of the restrictions/perms placed on the account by ssh.

Better than any clumsy explanation I could give, there's quite a bit here: http://winscp.net/eng/docs/protocols

As a side note: For me, using SCP/SFTP is far more efficient than bouncing between FTP and DA, plus a terminal and Putty for command access - with all of it secured via ssh. It certainly doesn't replace DA, but it complements it. With my root login I have access to the entire file system, just like I'd use Explore or Norton Commander. I haven't used FTP or Vi/Pico in years.
 
If you are able to use WinSCP without the user account having ssh access to the server I would be very interested in how you are doing this.

From the WinSCP FAQ:

Can I connect to FTP server?
No. Neither are there plans to support FTP in the near future.

WinSCP supports only SCP/SFTP protocols over SSH.

http://winscp.net/eng/docs/faq_ftp
 
ApSpecialists said:
No matter what's done (copy / delete / permissions), it's based on the same ssh authorizations the user is set up with. It will transparently bounce between protocols to perform its functions, but it never goes outside of the restrictions/perms placed on the account by ssh.
Which means that any users who can use SCP can also use SSH. Most of us don't want to give our users SSH access, so we can't give them SCP/SFTP access.

Jeff
 
Tauvo / Jeff... We have removed Telnet, but do allow ssh along with ftp access, and yes... ssh (either 1 or 2) is required to use SCP/SFTP. Our service setup is a little different from the average, and I do tend to forget that once in a while, so it didn't occur as I posted that others may not routinely offer ssh. Once again I learn the lesson on 'assuming' :D

The only accounts we have are strictly for business use - no personal sites, blogs, etc., and with business customers ssh is often required by them since clear text transfers of their data are not an option - among other things. That also means that with that caliber of customer, we have close to zero abuse issues or the expected problems that others may have, and they do appreciate the 'enhanced' service and are willing to pay a little more to get it.
 
I know what you mean about assuming. So I never assume.

Of course I presume a lot :) .

You should probably disable SSH v1 and only allow SSH v2; by now any reasonable SSH, SFTP, or SCP client will use it, and SSH v1 is insecure.

Jeff
 
jlasman said:
You should probably disable SSH v1 and only allow SSH v2; by now any reasonable SSH, SFTP, or SCP client will use it, and SSH v1 is insecure.

Jeff
Yes, We use ssh2... but WinSCP will use either.
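
Added example, not part of the original thread or any poster's code: a small audit for the two questions raised above, namely which accounts get full shell/SCP/SFTP access over SSH versus SFTP only, and whether SSH protocol 1 is still listed. The sshd_config text, account names and the `sftponly` group are constructed; the `Match` block with `ForceCommand internal-sftp` is an option in newer OpenSSH releases, and the parser only handles a single `User` or `Group` criterion per `Match` line.

```python
import fnmatch

NOLOGIN = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample sshd_config, not taken from any real server.
SSHD_CONFIG = """\
Protocol 2,1
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
"""

# Constructed accounts: (user, login shell, groups). All names are hypothetical.
ACCOUNTS = [
    ("admin", "/bin/bash", {"wheel"}),
    ("customer1", "/bin/bash", {"sftponly"}),
    ("customer2", "/bin/bash", set()),
    ("mailonly", "/sbin/nologin", set()),
]

def parse(text):
    """Split sshd_config text into global options and single-criterion Match blocks."""
    glob, matches, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, val = (line.split(None, 1) + [""])[:2]
        if key.lower() == "match":
            crit, pats = (val.split(None, 1) + [""])[:2]
            cur = {}
            matches.append((crit.lower(), pats.strip().split(","), cur))
        else:
            # sshd keeps the first value it sees for a keyword, so do the same.
            (glob if cur is None else cur).setdefault(key.lower(), val.strip())
    return glob, matches

def access(user, shell, groups, matches):
    """Classify what one account can do over SSH under the parsed Match blocks."""
    for crit, pats, opts in matches:
        names = {"user": {user}, "group": groups}.get(crit, set())
        hit = any(fnmatch.fnmatchcase(n, p) for n in names for p in pats)
        if hit and opts.get("forcecommand", "").split()[:1] == ["internal-sftp"]:
            return "sftp-only"
    return "no-login-shell" if shell in NOLOGIN else "shell+scp+sftp"

def audit(config=SSHD_CONFIG, accounts=ACCOUNTS):
    glob, matches = parse(config)
    proto1 = "1" in glob.get("protocol", "").split(",")
    findings = ["SSH protocol 1 enabled"] if proto1 else []
    return findings, {u: access(u, s, g, matches) for u, s, g in accounts}
```

On the sample input, `customer2` has an ordinary login shell and no `Match` restriction, so it gets shell, SCP and SFTP alike, while `customer1` is held to SFTP inside its chroot.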
 