Pure-FTP showing UIDs, not names over TLS

zmippie

I've tried searching the forum, but it seems this is not a problem many people have encountered.
I have a CentOS box and I've installed Pure-FTPD, enabled TLS and have a commercial certificate installed as well.
I have passwordless root SSH access enabled and I'm using this for (root) access over (S)FTP. All works well.

But... I'm trying to find out why other users, who have to connect over "FTP with TLS/SSL", don't see the correct user names appear in the file listings (see attached screenshot). Only their own group shows up, but the owner is always the user UID. For other groups, the groups are only shown by ID too.
I'm seeing the correct groups and user names when I access the box over SFTP as root, so it seems it's a protocol thing. The client is Panic's "Transmit" on Mac OS X, BTW.

Any pointers welcome, I couldn't find an option in the PureFTPD docs.

Screen Shot 2015-06-29 at 18.12.25.png
 
Let me reply with a question after almost a full day of studying the matter: why would you not just use SSH's built-in SFTP instead of ProFTPD or PureFTPD when you're already running the SSHD daemon?

My brother (a sysadmin by trade, not a novice like myself) pointed me to the fact that SSH has SFTP built-in. So I had this "duh!" moment when I realized that there is no need for ProFTPD or PureFTPD to allow for (S)FTP access. You can just require your users to use SFTP, and all is secure.

As always, some tweaks must be done to get everything working in line with how DirectAdmin is set up. But with a (relatively) modern version of OpenSSH (4.9+), this entails not much, really.

I really start to wonder: why isn't this the default in DirectAdmin? Plain-text authenticated FTP should go the way of the Dodo. What are the reasons to keep supporting it?

Forum member scsi asks "What does this have to do with directadmin?" in this thread from 2012. The OP in that thread is trying to sideload an FTP user, which indeed bypasses DirectAdmin's user management entirely. But I think it would make a great default option for DirectAdmin's Custombuild to have this set up automagically.

BTW, the problem I had with FTP over SSL/TLS with the GIDs and UIDs showing instead of the names is solved using SFTP.
 
Simple reply: Because using just SSHD and not PureFTPd/ProFTPd will not permit you to have "virtual users" to create additional FTP accounts for a specific path, for example.

Regards
 
Simple reply: Because using just SSHD and not PureFTPd/ProFTPd will not permit you to have "virtual users" to create additional FTP accounts for a specific path, for example.

Hmmm... you are, of course, totally right. I hadn't thought of this scenario, I hardly ever have the need for additional FTP accounts, and neither have my clients. But obviously, it should be supported. Looking into this, I see a number of people have asked for virtual user support in OpenSSH's SFTP (e.g. on the cPanel forums), but that it's going right against OpenSSH's authentication system: that of true user accounts with (albeit purposely crippled) shell access.

So I guess it's back to the drawing board: re-instating PureFTPD and trying to make it behave and show me the names of groups and users. Any pointers to that would be welcome. OTOH, I noticed that in ProFTPD there's an option to actually *hide* the names of groups and users and show only GIDs and UIDs for added security. Go figure...

Thanks for your take on this SeLLeRoNe. The art of server administration can be daunting at times, but I can't deny it's intriguing to figure out how all these different systems operate, and end up with something that's still working :rolleyes:
 
Well, I may also give you another reply now after a few things... default SSH port is always suggested to change.. because with that, you may receive brute force attacks.. and if someone gets in (and becomes root)... serious damage can be done; via FTP it's actually hard to do damage (except to the hacked user) and commands cannot be executed either (I would highly suggest disabling SSH for your customer).

Have you tried to re-set permissions?

Code:
/usr/local/directadmin/scripts/set_permissions.sh all

Regards
 
default SSH port is always suggested to change..

Oh, I did that. And FTP clients let you specify a port, so that was being taken care of.

and commands cannot be executed either (I would highly suggest disabling SSH for your customer).

SFTP with the proper restrictions will not allow any other commands than (S)FTP commands. I would advise you to take a look at:

https://en.wikibooks.org/wiki/OpenSSH/Cookbook/SFTP

The section on SFTP-only users shows how it works. It works pretty cool. I didn't need the ChrootDirectory option, probably because DA users are chrooted already. And I wasn't able to create a regular SSH session for these restricted users, the server answered something like "Only SFTP is allowed".

Have you tried to re-set permissions?

I did that earlier, but I'll give it another shot tomorrow.

Thanks.
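
The SFTP-only restriction described in the post above is configured with a Match block in sshd_config. As an added example (not from the thread, DirectAdmin or the linked cookbook), this Python check parses a config and reports Match blocks that do not force internal-sftp or that leave forwarding enabled; the group name sftponly, the user backup and the sample config are constructed.

```python
"""Added example: audit sshd_config Match blocks for SFTP-only restrictions."""

# Constructed sample; "sftponly" and "backup" are assumed names.
SAMPLE_CONFIG = """\
Port 2222
Subsystem sftp internal-sftp

Match Group sftponly
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

Match User backup
    AllowTcpForwarding yes
"""

# Settings a Match block needs so its users get SFTP and nothing else.
REQUIRED = {"forcecommand": "internal-sftp",
            "allowtcpforwarding": "no",
            "x11forwarding": "no"}

def parse_match_blocks(text):
    """Return {match criteria: {keyword: value}} for every Match block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()          # sshd keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = blocks.setdefault(value, {})
        elif current is not None:
            current.setdefault(keyword, value)  # sshd keeps the first value seen
    return blocks

def audit(text):
    """Return {criteria: [problems]}; an empty list means SFTP-only."""
    report = {}
    for criteria, opts in parse_match_blocks(text).items():
        problems = []
        for key, want in REQUIRED.items():
            got = opts.get(key, "")
            # Compare the first token so "internal-sftp -l INFO" still passes.
            # Unset keywords inherit the global value, which is not followed here.
            if (got.split()[0].lower() if got else "") != want:
                problems.append(f"{key} is {got or 'unset'}, expected {want}")
        report[criteria] = problems
    return report

if __name__ == "__main__":
    for criteria, problems in audit(SAMPLE_CONFIG).items():
        print(criteria, "->", "; ".join(problems) or "SFTP-only")
```
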
 