time to have sftp enabled please guide me

jnet (Verified User, joined May 13, 2008, 105 messages)

Many are requesting sftp

ftp is becoming more and more a headache.

recent trojans and worms etc...

I need to enable this as soon as possible

Any tutorial that is easy to understand and follow?
 
Have you tried searching these forums?

I believe that if you do, then you must allow all users use of ssh.

Does anyone know of a workaround?

Jeff
 
I get confused with sftp and ftps. I am sure tillo knows and can give a better answer than me.

One you have to give ssh access like Jeff said and the other I believe you have to recompile proftp from source. I do not think it is a simple thing to do.
 
is it same with cpanel too?
does that mean those who are using cpanel have to have ssh access?

these days many do not want to use ftp but giving ssh access is not what I am looking for at all

now supposing one does have ssh access

how to connect?

do I need more to do before this feature enabled?


:confused:
 
Those 'worms' can easily attach to your files even if you are using a 'secure' connection.

once you are infected it's very easy to modify and attach any code to pages that are being uploaded.

What about enabling TLS FTP and connect to the ftp server using SSL? Should do the work too.

for more information about tls and proftpd:
http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
 
Wouldn't it be more logical to enable clamav scanning on FTP uploads rather than using ftps to have some sort of protection against worms and trojans?
 
Thanks all for response. OK I understand that a user needs to have ssh access
I know that it will not prevent worms but the point here is just a better way ( more secure way) of uploading

Just let's focus on that.

How can I enable sftp that is all! for one special user who already has access to ssh.
 
I think that is all you have to do. At least that is all I did. But you do have to know how to use the sftp client.
 
No. SFTP is a transfer method which uses SSL to transfer files. If you enable shell access for a specific user, any SFTP client should be able to connect to that host by SFTP.

Though I doubt this will stop the uploading of worms or trojans to your server. There won't be any ClamAV or other antivirus call on these transfers. Why do you think this would be more secure in the way you described?
 
Let's clarify the situation a little:

  • FTP
    File Transfer Protocol

    It's a protocol devoted to the transfer of files

  • FTPS
    File Transfer Protocol Secure

    It's the exact same protocol with a layer of TLS encryption for the command channel.
    Transferred files are not encrypted, therefore it's pretty useless and gives a false sense of security.
    No one should ever use FTPS, it's a joke.

  • SSH
    Secure SHell

    It's a protocol devoted to the execution of programs (also called a "virtual terminal" or "shell") with an encryption layer very similar to TLS.

  • sftp-server

    It's a program created specifically for the SSH protocol that helps transfer files (you can transfer files even without the sftp helper, just by using the stdin and stdout handlers).

    Many FTP clients support SSH+sftp and they call it "the SFTP protocol", which in fact doesn't exist.

    There is no such thing as the SFTP protocol, unless you are talking about the "Simple File Transfer Protocol", which is a very old protocol, later replaced by FTP.

    Using sftp all commands and files are encrypted, it's the only "easy" safe method known today to transfer files.
    An alternative is WEBDAV via HTTPS, but it's not supported by many FTP clients and is also difficult to implement.

Now, that was the theory.

In reality, there are two ways of using the so called "SFTP protocol" with an FTP client without having to enable SSH access.

  • Still with OpenSSH, but with sftp-server as shell

    First, set the shell of the user to the path of sftp-server (usually "/usr/lib/openssh/sftp-server") with "chsh".

    Second, OpenSSH still needs to see a valid shell to let the user login via SSH, so you have to append the path of sftp-server to the file "/etc/shells".

    Third, allow SSH login then check that the shell is still sftp-server (I think that DA changes that when enabling SSH) in "/etc/passwd". If it's not, change it back with "chsh".

    This way, sftp is possible but not a complete login.
    I'm not sure this method works with any modern distribution of OpenSSH, but it worked for me in many Linux distributions and FreeBSD a few years ago.

    If it still works, I strongly suggest DirectAdmin to implement it in its interface. Let the admin/reseller choose if the user has complete SSH or sftp-only access with a simple dropdown.

  • Emulate SSH+sftp with the mod_sftp module for ProFTPd

    There is a complete thread on how to do that in this very forum.

I hope I'm being clear enough. If you have further questions just ask.
And for those still using the term SSL, make sure you call it TLS. That's the name for the latest SSL protocol (v3).
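
An added example, not part of the original post or of DirectAdmin: a POSIX shell check for the end state of the three steps above (the account's login shell is sftp-server and that path is listed in the shells file). The function names and sample accounts are constructed for illustration; the files are passed as arguments, so it runs on copies without touching /etc.

```shell
#!/bin/sh
# Added example: check the end state of the three steps for one account.
# SFTP_SERVER is the path quoted in the post; it varies by distribution.
SFTP_SERVER="${SFTP_SERVER:-/usr/lib/openssh/sftp-server}"

# login_shell USER PASSWD_FILE: print field 7 of the user's entry, fail if absent
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; found = 1; exit }
                       END { if (!found) exit 1 }' "$2"
}

# shell_listed PATH SHELLS_FILE: succeed only on an exact, uncommented line
shell_listed() {
    grep -Fxq -- "$1" "$2"
}

# check_sftp_only USER PASSWD_FILE SHELLS_FILE
# Prints ok, no-such-user, shell-not-listed or other-shell:<path>.
check_sftp_only() {
    sh_path=$(login_shell "$1" "$2") || { echo "no-such-user"; return 2; }
    if [ "$sh_path" != "$SFTP_SERVER" ]; then
        # Step three: something (e.g. the control panel) set another shell.
        echo "other-shell:$sh_path"; return 1
    fi
    if ! shell_listed "$sh_path" "$3"; then
        # Step two was skipped: the shell is not in the shells file.
        echo "shell-not-listed"; return 1
    fi
    echo "ok"
}

# Constructed sample files (hypothetical accounts, not real data).
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' "alice:x:1001:1001::/home/alice:$SFTP_SERVER" \
        "bob:x:1002:1002::/home/bob:/bin/bash" > "$dir/passwd"
    printf '%s\n' "/bin/sh" "/bin/bash" "$SFTP_SERVER" > "$dir/shells"
    printf '%s\n' "/bin/sh" "/bin/bash" > "$dir/shells.missing"
    echo "$dir"
}

d=$(make_samples)
for u in alice bob carol; do
    printf '%s: %s\n' "$u" "$(check_sftp_only "$u" "$d/passwd" "$d/shells" || true)"
done
rm -rf "$d"
```

On a live system the arguments would be `/etc/passwd` and `/etc/shells`, and the check is worth re-running after toggling SSH for the account in the control panel.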
 