On Linux servers where security is top priority adding software like Fail2Ban & SFTP instead of plain FTP is a must in my honest opinion.
here is a link to MSS forums
SFTP access for virtual FTP users
Open Discussion
As a website owner or webhosting provider, I would like cPanel to include SFTP support for virtual users, rather than only the primary cPanel account's user, to allow me to disable FTP access on my server.
============================
Context, from cPanel:
An SFTP subsystem for virtual ftp users would require quite a bit of work due to the nature of SFTP. We wrap around the SFTP subsystem that comes with OpenSSH and the big drawback to this is that it requires a valid shell in order to work properly.
For situations where encryption is needed, FTPs is a good alternative to use with virtual FTP users as they don't need to have a valid shell and all authentication/transfers occur on an encrypted fashion.
However if SFTP for virtual users is something you'd like to see in our product, vote here.
I like this idea 
cPanel, WebHost Manager and WHM are registered trademarks of cPanel, L.L.C. for providing its computer software that facilitates the management and configuration of Internet web servers.
My use case is I used a cloud-hosted repository that does deployments for me. So I don't want to give them un-encrypted credentials and I don't want to give them access to my Cpanel login.
So I figured I'd create a sub-FTP (virtual) account and have them use that. But since SFTP won't work for virtual accounts, I have to give them plain FTP credentials which can get sniffed anywhere along the way. Yikes.
I could give them my main account credentials, but then they'd have access to my Cpanel account. Yikes!
SFTP should be standard across all accounts, virtual or not.
My use case is I used a cloud-hosted repository that does deployments for me. So I don't want to give them un-encrypted credentials and I don't want to give them access to my Cpanel login.
So I figured I'd create a sub-FTP (virtual) account and have them use that. But since SFTP won't work for virtual accounts, I have to give them plain FTP credentials which can get sniffed anywhere along the way. Yikes.
I could give them my main account credentials, but then they'd have access to my Cpanel account. Yikes!
SFTP should be standard across all accounts, virtual or not.
A separate user management for ssh,sftp etc in WHM could be a start.
Currently you have to do it from the console e.g.:
http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/
A separate user management for ssh,sftp etc in WHM could be a start.
Currently you have to do it from the console e.g.:
http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/
I actually just stumbled on this exact issue. I know this is an old idea (3+ years) but gosh if this were possible it would make some of my clients really happy. They're running in to an issue where they have data they want extracted automatically and these types of systems that fetch and process said data love connecting using SFTP. It just dawned on me that has nothing to do with plain old FTP (or FTPS) in cPanel because SFTP is SSH. I actually have never configured SSH for any of my clients. Let alone virtual users.
So definitely +1 in my book for this.
Added bonus - allow SFTP while still preventing users to use SSH. To me that sounds stupid and impossible, but apparently it is - http://serverfault.com/questions/354615/allow-sftp-but-disallow-ssh
I actually just stumbled on this exact issue. I know this is an old idea (3+ years) but gosh if this were possible it would make some of my clients really happy. They're running in to an issue where they have data they want extracted automatically and these types of systems that fetch and process said data love connecting using SFTP. It just dawned on me that has nothing to do with plain old FTP (or FTPS) in cPanel because SFTP is SSH. I actually have never configured SSH for any of my clients. Let alone virtual users.
So definitely +1 in my book for this.
Added bonus - allow SFTP while still preventing users to use SSH. To me that sounds stupid and impossible, but apparently it is - http://serverfault.com/questions/354615/allow-sftp-but-disallow-ssh
Personally, I think regular FTP should not be an option, or at least, not so easy of an option. I've talked to users on GoDaddy's support forums who were using it, having no idea that it was sending credentials plain-text. A person could secure certain FTP servers a bit, but I personally think cPanel should be pushing users towards SFTP. I like Kyle's idea with giving users an option to enable SFTP but disable SSH access. I did not know this was allowed.
I think cPanel should have more options for configuring SSH in WHM / cPanel. There's no options to change the port number, no options to disable various features. I think there should be a section, much like the Apache configuration section (or at the very least, the Mutli-PHP INI editor), were we can edit the configuration file in WHM / cPanel.
Also, I think when a user account is created in cPanel / WHM, there should be an option to enable or disable SSH / SFTP access for that user (and it should be disabled by default). I feel a person should be able to add an SSH / SFTP user without having to create a cPanel account but should have the option when creating the SFTP / SSH option, to also create a cPanel account. Is this called a virtual user? Where they don't have a cPanel account, but have a system account or vice-versa? Thanks!
Personally, I think regular FTP should not be an option, or at least, not so easy of an option. I've talked to users on GoDaddy's support forums who were using it, having no idea that it was sending credentials plain-text. A person could secure certain FTP servers a bit, but I personally think cPanel should be pushing users towards SFTP. I like Kyle's idea with giving users an option to enable SFTP but disable SSH access. I did not know this was allowed.
I think cPanel should have more options for configuring SSH in WHM / cPanel. There's no options to change the port number, no options to disable various features. I think there should be a section, much like the Apache configuration section (or at the very least, the Mutli-PHP INI editor), were we can edit the configuration file in WHM / cPanel.
Also, I think when a user account is created in cPanel / WHM, there should be an option to enable or disable SSH / SFTP access for that user (and it should be disabled by default). I feel a person should be able to add an SSH / SFTP user without having to create a cPanel account but should have the option when creating the SFTP / SSH option, to also create a cPanel account. Is this called a virtual user? Where they don't have a cPanel account, but have a system account or vice-versa? Thanks!
Would using mod_sftp for ProFTPd work better for something like this?
This would separate SFTP and SSH access completely.
It would require SFTP to run on a different port than SSH, but there's not really a common SFTP port anyway and most people are advised to change their SSH port from the standard port 22.
ProFTPd would allow you use to use AuthUserFile which could be utilized for virtual FTP users.
There may be other FTP daemons that mimic SFTP. ProFTPD is just the only one I'm aware of.
I just thought I'd mention it, thought it might be an avenue to explore.
Would using mod_sftp for ProFTPd work better for something like this?
This would separate SFTP and SSH access completely.
It would require SFTP to run on a different port than SSH, but there's not really a common SFTP port anyway and most people are advised to change their SSH port from the standard port 22.
ProFTPd would allow you use to use AuthUserFile which could be utilized for virtual FTP users.
There may be other FTP daemons that mimic SFTP. ProFTPD is just the only one I'm aware of.
I just thought I'd mention it, thought it might be an avenue to explore.
I have compiled "mod_sftp.so" on another machine, copy it over to cPanel machine into folder "/usr/libexec/proftpd" and add to the configuration :
and it works with current virtual users under cPanel virtual FTP users. So if cPanel starts providing proftpd server with sftp module it should be easy to change from FTP to SFTP or run additional port for SFTP.
I have compiled "mod_sftp.so" on another machine, copy it over to cPanel machine into folder "/usr/libexec/proftpd" and add to the configuration :
and it works with current virtual users under cPanel virtual FTP users. So if cPanel starts providing proftpd server with sftp module it should be easy to change from FTP to SFTP or run additional port for SFTP.
I have just gained a new customer that needs SFTP access to support the United States Postal Service requirements to upload to his site.
I have just gained a new customer that needs SFTP access to support the United States Postal Service requirements to upload to his site.
Would be nice to get this added to support secure FTP connections to additional FTP users.
Would be nice to get this added to support secure FTP connections to additional FTP users.
With cPanel moving to remove FTP this is now required. We still have customers who need FTP so I hope FTP will be kept and SFTP added.
With cPanel moving to remove FTP this is now required. We still have customers who need FTP so I hope FTP will be kept and SFTP added.
With v86 disabling FTP by default for new installations, this becomes more necessary as the current alternative for sub-users to upload files will be limited to only WebDisk.
With v86 disabling FTP by default for new installations, this becomes more necessary as the current alternative for sub-users to upload files will be limited to only WebDisk.
SFTP is harder to secure than FTPS. Disabling FTP by default is a good idea, as it forces the customer to decide to enable it, reducing the attack surface unless they do enable it. If we enable SFTP, you open SSH which is a much bigger can of worms. I would much prefer to see FTPS with SNI added.
SFTP is harder to secure than FTPS. Disabling FTP by default is a good idea, as it forces the customer to decide to enable it, reducing the attack surface unless they do enable it. If we enable SFTP, you open SSH which is a much bigger can of worms. I would much prefer to see FTPS with SNI added.
There's no difference in "harder" for securing. An open port to the Internet is an open port. Any application will take work to secure to "your" satisfaction regardless of what is default or included.
The cPanel server is specifically designed to have these services open to the Internet and available. If you disable some of the cPanel security features to make things easier, you will take away from the security they have already included with these services.
In general, IMO, every server administrator will use SSH to manage the server. Turning that off just is not an option. FTP on the other hand only has one purpose, to transfer files. This can be done many different ways, so FTP service itself really isn't necessary for the function of the server or transferring files.
Making these other, already necessary services available to use for transferring files in the same secure way FTP does with dedicated users is the better way, and just remove the FTP service altogether. That will remove a port exposed to the Internet that can be possibly exploited and make the server a "little" more secure.
There's no difference in "harder" for securing. An open port to the Internet is an open port. Any application will take work to secure to "your" satisfaction regardless of what is default or included.
The cPanel server is specifically designed to have these services open to the Internet and available. If you disable some of the cPanel security features to make things easier, you will take away from the security they have already included with these services.
In general, IMO, every server administrator will use SSH to manage the server. Turning that off just is not an option. FTP on the other hand only has one purpose, to transfer files. This can be done many different ways, so FTP service itself really isn't necessary for the function of the server or transferring files.
Making these other, already necessary services available to use for transferring files in the same secure way FTP does with dedicated users is the better way, and just remove the FTP service altogether. That will remove a port exposed to the Internet that can be possibly exploited and make the server a "little" more secure.
This is absurdly simple to resolve... see my comment from 3 years ago.
SFTP does not have to be linked to OpenSSH.
I suggested ProFTPd with mod_sftp - but Nicola Murino may have a different solution with SFTPGo (I really haven't heard of this product). But the point is... there are other FTP daemons out there that support the SFTP protocol and are in no way, shape, or form attached to OpenSSH... you couldn't get direct shell access from these daemons if you tried.
In my own opinion... that is the solution to this. Abandoned the linkage of SFTP to OpenSSH and install a separate FTP daemon for the sole purpose of providing SFTP access (that can be ProFTPd with mod_sftp, SFTPGo, something else... I don't know). Whatever SFTP daemon you choose for this, block off regular FTP access and enable just SFTP access. And here's the real kicker... you don't have to wait for cPanel to make a pretty link in the WHM to enable this... you can do it on your own. If you have root, you can install anything you want on a server and poke a hole in your firewall to allow access. We've been doing this with ProFTPd and mod_sftp for... well... at least 3 years.
This is absurdly simple to resolve... see my comment from 3 years ago.
SFTP does not have to be linked to OpenSSH.
I suggested ProFTPd with mod_sftp - but Nicola Murino may have a different solution with SFTPGo (I really haven't heard of this product). But the point is... there are other FTP daemons out there that support the SFTP protocol and are in no way, shape, or form attached to OpenSSH... you couldn't get direct shell access from these daemons if you tried.
In my own opinion... that is the solution to this. Abandoned the linkage of SFTP to OpenSSH and install a separate FTP daemon for the sole purpose of providing SFTP access (that can be ProFTPd with mod_sftp, SFTPGo, something else... I don't know). Whatever SFTP daemon you choose for this, block off regular FTP access and enable just SFTP access. And here's the real kicker... you don't have to wait for cPanel to make a pretty link in the WHM to enable this... you can do it on your own. If you have root, you can install anything you want on a server and poke a hole in your firewall to allow access. We've been doing this with ProFTPd and mod_sftp for... well... at least 3 years.
SFTPGo looks very nice, with an API, and possibility to allow password or pub key auth for each user. cPanel would obviously have to audit it internally from a security and a maintainability perspective but it looks very appealing !
Sadly some apps still can't do anything other than FTP so FTP should be kept, not installed by default but still kept so hosts who need it can install it any maybe when it is installed give users the option to choose between the two when they create a new account.
SFTPGo looks very nice, with an API, and possibility to allow password or pub key auth for each user. cPanel would obviously have to audit it internally from a security and a maintainability perspective but it looks very appealing !
Sadly some apps still can't do anything other than FTP so FTP should be kept, not installed by default but still kept so hosts who need it can install it any maybe when it is installed give users the option to choose between the two when they create a new account.
ProFTPD+mod_sftp and SFTPGo basically do the same job.
SFTPGo is a quite new project while ProFTPD is far more mature but SFTPGo has a very different approach:
- It exposes REST API for users management, backup, restore and real time reports of the active connections with possibility of forcibly closing a connection
- it has builtin support for custom actions on file upload, download, delete, rename
- permissions are virtual and not related to filesystem permissions
- upload resume is supported (the last time I tested this in ProFTPD it didn't work)
- it supports serving local filesystem, S3 Compatible Object Storage and Google Cloud Storage over SFTP/SCP
- it is very hackable, you can easily setup your own multi factor authentication, or use your own authentication system
- it expose prometheus metrics
- it works on Windows and MacOS too
- some selected SSH commands are supported, for example Git and rsync
- it supports many other features, you can take a look at the GitHub project page.
ProFTPD can do many of these things too but with a much ugly configuration syntax (this can be opinable)
Regarding security SFTPGo use the Golang SSH stack that is maintained by Google.
Red Hat provides, on RHEL, a Golang stack that is FIPS 140-2 validated.
DISCLAIMER: I'm the author
ProFTPD+mod_sftp and SFTPGo basically do the same job.
SFTPGo is a quite new project while ProFTPD is far more mature but SFTPGo has a very different approach:
- It exposes REST API for users management, backup, restore and real time reports of the active connections with possibility of forcibly closing a connection
- it has builtin support for custom actions on file upload, download, delete, rename
- permissions are virtual and not related to filesystem permissions
- upload resume is supported (the last time I tested this in ProFTPD it didn't work)
- it supports serving local filesystem, S3 Compatible Object Storage and Google Cloud Storage over SFTP/SCP
- it is very hackable, you can easily setup your own multi factor authentication, or use your own authentication system
- it expose prometheus metrics
- it works on Windows and MacOS too
- some selected SSH commands are supported, for example Git and rsync
- it supports many other features, you can take a look at the GitHub project page.
ProFTPD can do many of these things too but with a much ugly configuration syntax (this can be opinable)
Regarding security SFTPGo use the Golang SSH stack that is maintained by Google.
Red Hat provides, on RHEL, a Golang stack that is FIPS 140-2 validated.
DISCLAIMER: I'm the author
It would be nice to have this feature out the box, especially since plain FTP is now disabled by default for new installations (https://cpanel.net/up-next/ftp-disabled-by-default/)
It is also handy using the virtual users so things like GDPR can be considered with data being made available/restricted by given path for the selected users, rather than having to faff about with the terminal which can be rather overwhelming/huge learning curve to some end-users
It would be super if this can be in place for v88 (though should have been there for v86 IMO)
It would be nice to have this feature out the box, especially since plain FTP is now disabled by default for new installations (https://cpanel.net/up-next/ftp-disabled-by-default/)
It is also handy using the virtual users so things like GDPR can be considered with data being made available/restricted by given path for the selected users, rather than having to faff about with the terminal which can be rather overwhelming/huge learning curve to some end-users
It would be super if this can be in place for v88 (though should have been there for v86 IMO)
It looks like cPanel added mod_sftp at some point to the proftpd installation because I have it in 1.3.6.c.
Here is the relevant part of "proftpd -V"
Here is what I added to enable SFTP in /etc/proftpd.conf
However, this did not work because mod_tls took over the connections and I got "authentication request for user 'user@example.com' blocked by 'USER' handler" and "disconnecting <IP> (Protocol error)".To get it to work I commented out the entire <IfModule mod_tls.c> section. After that SFTP worked with FTP virtual users. Beware, this will disable FTPS!"
It looks like cPanel added mod_sftp at some point to the proftpd installation because I have it in 1.3.6.c.
Here is the relevant part of "proftpd -V"
Here is what I added to enable SFTP in /etc/proftpd.conf
However, this did not work because mod_tls took over the connections and I got "authentication request for user 'user@example.com' blocked by 'USER' handler" and "disconnecting <IP> (Protocol error)".To get it to work I commented out the entire <IfModule mod_tls.c> section. After that SFTP worked with FTP virtual users. Beware, this will disable FTPS!"
Fast forward to 2020. So glad I found this post and Nicola's suggestion as I had been looking for a solution to add SFTP support to cPanel accounts that are not root users for some time. Seems strange that cPanel still doesn't support this as standard, but to be honest there is a very good alternative.
I run a service that allows dozens of data feed providers to upload data to my site through their own dedicated FTP folder and although FTP works most of the time, I had come across times were some users wanted to use SFTP instead as that was either all they could use or Passive/Active FTP just wasn't reliable enough.
Anyway...
My solution was to use SFTPGO. The default install has FTP turned off so you can easily run this side by side with the regular FTP cPanel provides including existing folders users are uploading to. Furthermore the API is pretty easy to use with basic HTTP authentication so I was able to add this into my existing workflow that already generates FTP accounts using Curl and the cPanel API. Now both FTP and SFTP support is created at the same time with the same credentials, just different protocol and port numbers.
SFTPGO is really cool and comes with better features for folder permissions and filtering than cPanel does, It seems well maintained on GIT and has good documentation. I highly recommend trying it out.
Fast forward to 2020. So glad I found this post and Nicola's suggestion as I had been looking for a solution to add SFTP support to cPanel accounts that are not root users for some time. Seems strange that cPanel still doesn't support this as standard, but to be honest there is a very good alternative.
I run a service that allows dozens of data feed providers to upload data to my site through their own dedicated FTP folder and although FTP works most of the time, I had come across times were some users wanted to use SFTP instead as that was either all they could use or Passive/Active FTP just wasn't reliable enough.
Anyway...
My solution was to use SFTPGO. The default install has FTP turned off so you can easily run this side by side with the regular FTP cPanel provides including existing folders users are uploading to. Furthermore the API is pretty easy to use with basic HTTP authentication so I was able to add this into my existing workflow that already generates FTP accounts using Curl and the cPanel API. Now both FTP and SFTP support is created at the same time with the same credentials, just different protocol and port numbers.
SFTPGO is really cool and comes with better features for folder permissions and filtering than cPanel does, It seems well maintained on GIT and has good documentation. I highly recommend trying it out.
I hope cPanel allows to create SFTP users before removing the ability to create FTP users. If cPanel removes the ability to create FTP users without adding the ability to create SFTP users we will have to move to another panel in order to not loose alot of our customers.
I hope cPanel allows to create SFTP users before removing the ability to create FTP users. If cPanel removes the ability to create FTP users without adding the ability to create SFTP users we will have to move to another panel in order to not loose alot of our customers.
Replies have been locked on this page!