
SNI support for FTP

benny@cpanel.net shared this idea 8 years ago
Open Discussion

As a server administrator, I would like cPanel to add SNI support to cover FTP remote access via TLS/SSL.

Replies (7)

3

Definitely please. This would help to whitelabel the services for resellers.

4

Please, this is long overdue. In today's world, where most users are not tech-savvy and they should be using SSL/TLS to connect, getting constant warning pop-ups due to security implementation from browsers makes it a huge support hassle for companies. Can we have this added soon?

3

This is now possible with the production release of ProFTPd 1.3.6. We will investigate adding this feature in an upcoming cPanel & WHM release.


Incidentally, there still does not appear to be SNI support in Pure-FTPd; unless that changes, SNI support for FTP will require ProFTPd.

2

There is an open feature request to ask the developers of Pure-FTPD to support SNI. Please consider adding your constructive comments and support for this feature there: https://github.com/jedisct1/pure-ftpd/issues/72

2

How necessary is this?


I thought the major push was more towards SFTP, rather than FTP over TLS.


Personally, I like ProFTPd's rendition of SFTP better than tying it directly to OpenSSH. This can also be made to support virtual FTP users.


I only bring this up because I question whether it's worth the time and effort to implement this for FTP, when SFTP is probably a better alternative.

2

I think this site is a good place to have this conversation. There are a number of users that still use FTP and would like to be able to use FTPS. Would webhosts find it problematic to start pushing users to SFTP?

3

Any sensible webhost should have their SSH on a non standard port, and closed to the world.

This makes FTPS rather than SFTP essential.


Separately from this, I am also aware of a number of client web design apps (Serif PagePlus I think is one some of my clients use) that do not support SFTP at all.

3

SFTP does not work for the add-on FTP accounts. FTPS, in the cPanel ecosystem, is the only secure way to allow someone access to a directory in your account, short of giving them the entire keys to the kingdom. Put another way, the only way to use SFTP is to use the master cPanel username and password, which is not acceptable in some situations. To be clear, FTPS does work as-is, but users are presented with a certificate mismatch warning, causing concern (and support tickets).

1

See:


https://features.cpanel.net/topic/sftp-access-for-virtual-ftp-users


That's kind of my point. If you're going to invest time into pushing ProFTPd as the default FTP daemon or working with PureFTPd to patch their system, why not just add mod_sftp support to ProFTPd, switch to ProFTPd, and call it a day?


SFTP is just cleaner, at least to me.


With FTP and TLS, are both control and data channels encrypted? It used to be that FTP clients would only encrypt the control channel, not the data channel. Meaning that as you uploaded or downloaded files, it was still a plain, unencrypted transmission. That may not be the case any longer.


SFTP just doesn't deal with control and data channels.


Having said all of that, there's probably still some applications that still require plain ol' FTP, I don't know if there's going to be much of a way around that. Even cPanel's own backup system doesn't support SFTP (it does support SCP, but that's not the same thing as SFTP. SCP requires an actual shell).

3

I agree with Scott Neader's points.

On the cPanel servers that I've tested, FTPS is encrypting the data channel also ("PROT P" command being issued and accepted).


I thought that you needed SSH access enabled for a user to be able to use SFTP?

If so, very few hosts offer SSH without a premium cost attached.

Some hosts are altogether removing SSH access as an option to users.

Filezilla defaults to try and use FTPS now.

Based on this, I'd say that this is still necessary as FTP over TLS is still the main method of transfer being used.
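The question raised earlier in this thread, and answered above from testing ("PROT P" being issued and accepted), is whether FTP over TLS protects the data channel as well as the control channel. The following is an added example, not code from cPanel, ProFTPD or Pure-FTPd: a small Python audit that walks an FTP control-channel transcript and reports whether the control channel (AUTH TLS, reply 234) and the data channel (PBSZ 0 then PROT P, both reply 200, per RFC 4217) were protected before the first transfer, plus a client helper showing the settings an FTPS client needs so that both channels are encrypted and the certificate is checked against the host name. The transcripts are constructed, and `audit_transcript`, `ftps_context` and `connect_ftps` are names chosen for this example.

```python
"""Audit FTPS control-channel transcripts for channel protection.

Added example, not code from cPanel, ProFTPD or Pure-FTPd. Per RFC 4217,
AUTH TLS upgrades the control channel (reply 234); PBSZ 0 (200) and PROT P
(200) then make every data connection (LIST/RETR/STOR) a TLS connection too.
Without PROT P, or after PROT C, logins are encrypted but file contents
travel in the clear. The transcripts at the bottom are constructed.
"""
import ftplib
import ssl
from dataclasses import dataclass, field

DATA_COMMANDS = ("LIST", "NLST", "MLSD", "RETR", "STOR", "APPE")


@dataclass
class ChannelReport:
    control_encrypted: bool = False
    data_encrypted: bool = False
    notes: list = field(default_factory=list)


def audit_transcript(transcript: str) -> ChannelReport:
    """Walk a 'C: command' / 'S: reply' transcript and report which channels
    were protected at the point each data command was issued."""
    report = ChannelReport()
    pbsz_ok = False
    pending = None  # last client command still waiting for its reply
    for raw in transcript.splitlines():
        line = raw.strip()
        if not line:
            continue
        who, _, text = line.partition(": ")
        if who == "C" and text:
            pending = text.upper()
            # A transfer requested while the data channel is unprotected
            if pending.split()[0] in DATA_COMMANDS and not report.data_encrypted:
                report.notes.append(f"{pending} sent with data channel in the clear")
            continue
        if who != "S" or pending is None:
            continue
        code = text[:3]
        verb = pending.split()[0]
        if verb == "AUTH":
            report.control_encrypted = code == "234"
            if not report.control_encrypted:
                report.notes.append(f"{pending} rejected ({code}); control channel in the clear")
        elif pending == "PBSZ 0":
            pbsz_ok = code == "200"
        elif pending == "PROT P":
            report.data_encrypted = code == "200" and pbsz_ok and report.control_encrypted
            if not report.data_encrypted:
                report.notes.append(f"PROT P not effective (reply {code}, PBSZ ok={pbsz_ok})")
        elif pending == "PROT C" and code == "200":
            report.data_encrypted = False
            report.notes.append("PROT C accepted; data channel back in the clear")
        pending = None  # only the first reply line counts; continuation lines are skipped
    return report


def ftps_context() -> ssl.SSLContext:
    """Verify the chain and the host name; a server that cannot present the
    right certificate for the name (no SNI) fails here as a mismatch."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_ftps(host: str, user: str, password: str, port: int = 21) -> ftplib.FTP_TLS:
    """Open a session with both channels protected (not run here: needs a server).
    FTP_TLS.login() calls auth(), which wraps the socket with server_hostname=host,
    so the ClientHello carries SNI; prot_p() sends PBSZ 0 followed by PROT P."""
    ftp = ftplib.FTP_TLS(context=ftps_context())
    ftp.connect(host, port, timeout=30)
    ftp.login(user, password)
    ftp.prot_p()
    return ftp


# Constructed transcripts (not captured from a real server).
PROTECTED = """\
C: AUTH TLS
S: 234 AUTH TLS successful
C: PBSZ 0
S: 200 PBSZ 0 successful
C: PROT P
S: 200 Protection set to Private
C: USER alice
S: 331 Password required for alice
C: PASS ********
S: 230 User alice logged in
C: RETR index.html
S: 150 Opening data connection
"""

CONTROL_ONLY = """\
C: AUTH TLS
S: 234 AUTH TLS successful
C: USER alice
S: 331 Password required for alice
C: PASS ********
S: 230 User alice logged in
C: RETR index.html
S: 150 Opening data connection
"""

if __name__ == "__main__":
    for name, text in (("protected", PROTECTED), ("control-only", CONTROL_ONLY)):
        print(name, audit_transcript(text))
```

Feeding the audit a FileZilla-style log (after mapping its "Command:"/"Response:" prefixes to "C:"/"S:") gives a quick answer to the data-channel question for any server; the client helper is the configuration a host would want its users' tools to match (TLS on both channels, certificate verified by name), which is exactly the case SNI support is needed for.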

2

My understanding is that ProFTPd can, via mod_sftp, host its own SFTP service independently of OpenSSH; thus, shell access via SSH is not strictly necessary for SFTP.

Pure-FTPd doesn’t support SFTP, though, so for cPanel hosts that will continue to prefer Pure-FTPd there would need to be that flexibility in the deployment.

Two other considerations:

  • FTPS provides (arguably) stronger authentication than SFTP. SFTP’s authentication only ensures that the client is connecting to the same server as previously, whereas FTPS ensures that the server is, in fact, the intended server by name.
  • Tangential: in v72+, cPanel hosts that want to offer shell access to users without exposing SSH can give those users the new Terminal UI.

1

Doesn't cPanel's own SFTP operate if the user's shell is set to /usr/local/cpanel/bin/noshell ?


But still doesn't solve the Virtual Users problem, which mod_sftp with Proftpd can.


Are MITM attacks with FTP really an issue? I've never really understood the whole MITM thing anyway. How many of you know of clients that stop everything they are doing when they get a certificate mismatch error? Most accept the certificate and carry on. Most people only raise an issue when it happens over and over again, like every 3 months when a new Let's Encrypt certificate is generated. I'm not saying this isn't an issue and shouldn't be a concern, but until the general public learns not to accept mismatched certificates, then who are we preaching to?


Back on topic... If you want to put SNI support into FTP (PureFTPd or ProFTPd) that's fine, I don't have an issue with doing that. But if you're going to do that, I think you should look into adding mod_sftp into ProFTPd, or just scrapping the whole OpenSSH SFTP and creating an SFTP variant using ProFTPd with mod_sftp.

1

FTPS is the better solution for clients; they usually don't know how to set up FTP clients, and the default is FTP with TLS in FileZilla, for example... so why go against the tide...

And I also agree that opening the SSH port publicly might be a risk.

7

Pure-FTPD now supports SNI, so I think there is no technical reason anymore to hold back this feature implementation at this time.

https://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS

6

As a web host, we have FTP open because many of our customers are used to this method of accessing their site. I prefer to keep SSH disabled for any users except myself as it does introduce a whole additional level of security complexity.

Simply put, SFTP is a great technology, but it is generally the domain of more advanced Linux users (and admins) and not the average Joe. The average Joe uses something like FileZilla and is at least peripherally aware of how to use FTP. Enabling FTPS and setting both Data and Command Channels to require encryption is the right choice for cPanel, as its FTP is mostly used by average Joes.

That said, we need to get SNI enabled for FTPS ASAP now it is supported upstream.

1

Because of the malicious traffic to SSH on port 22, many hosts (ourselves included) either disable or use short IP allow-lists.

FTP over TLS is a good compromise from both a practical and security perspective.

2

I have tried FTP on some resellers, and never have found a working valid configuration of FTP certificates for the end user. But most of them have the SSL cert working fine, therefore I believe the functionality of letting the user admin the FTP cert as they do with the rest of the site config would be an improvement over what's seen in the field.

2

I subscribed to the rss feed to get updates, you have the body and the subject mixed up. Very strange output on clients...

4

Pure-FTPd recently introduced support for SNI certificates in version 1.0.48, current release 1.0.49. It's now time for SNI support for FTP services certs in cPanel. Please provide a status update of this request. Thanks!


From Pure-FTPd website announcement:

  • SNI support has been added. A new service, pure-certd, can run external code written in any language in order to map SNI names to TLS certificates.
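To illustrate the pure-certd mechanism the announcement describes, here is an added example, not Pure-FTPd's or cPanel's code: a Python handler that maps an SNI name to a certificate file. The request/response format used (a request of `action:cert`, `sni_name:<name>`, `end`, answered with `action:allow`, `cert_file:`, `key_file:`, `end`, or `action:deny`, `end`) is my reading of README.TLS and should be checked against that document before use, as should what the daemon does with a deny (default certificate or dropped handshake). The directory layout (`/etc/pure-ftpd/sni/<name>.pem`, one PEM holding cert and key) and every function name here are assumptions of this example. The security point it makes is that the SNI name is client-supplied input, so it is validated as a host name and matched against a map built from files that actually exist, never spliced into a path.

```python
#!/usr/bin/env python3
"""Map SNI names to certificate files for Pure-FTPd's pure-certd.

Added example, not Pure-FTPd's or cPanel's code. pure-certd hands the TLS
server name to an external program and expects back the certificate to use.
The line format below (action:cert / sni_name:<name> / end, answered with
action:allow + cert_file + key_file + end, or action:deny + end) is my reading
of README.TLS; verify it there. The <name>.pem layout is an assumption.
"""
import re
import sys
from pathlib import Path
from typing import Dict, Optional, Tuple

# One RFC 1123 label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
CertMap = Dict[str, Tuple[str, str]]  # sni name -> (cert_file, key_file)

DENY = "action:deny\nend\n"


def is_valid_sni(name: str) -> bool:
    """Accept only a lowercase host name of at least two valid labels and at
    most 253 chars. '..', '/', spaces, mixed case and empty input all fail
    here, before the name is used for anything."""
    if not name or len(name) > 253 or name != name.lower():
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def parse_request(text: str) -> Dict[str, str]:
    """Parse 'key:value' lines into a dict, stopping at the 'end' line."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line == "end":
            break
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def load_cert_map(cert_dir: Path) -> CertMap:
    """Build the allow-list from files that exist: only <valid-name>.pem files
    directly inside cert_dir are offered, so nothing outside it can be served."""
    cert_map: CertMap = {}
    for pem in cert_dir.glob("*.pem"):
        if pem.is_file() and is_valid_sni(pem.stem):
            path = str(pem.resolve())
            cert_map[pem.stem] = (path, path)  # cert and key in one PEM (assumed layout)
    return cert_map


def resolve_cert(sni_name: str, cert_map: CertMap) -> Optional[Tuple[str, str]]:
    """Exact-match lookup of a validated name; None means deny."""
    if not is_valid_sni(sni_name):
        return None
    return cert_map.get(sni_name)


def handle_request(text: str, cert_map: CertMap) -> str:
    """Turn one pure-certd request into the reply text to write back."""
    fields = parse_request(text)
    if fields.get("action") != "cert":
        return DENY
    found = resolve_cert(fields.get("sni_name", ""), cert_map)
    if found is None:
        return DENY
    cert_file, key_file = found
    return f"action:allow\ncert_file:{cert_file}\nkey_file:{key_file}\nend\n"


def read_request(stream) -> str:
    """Read stdin up to and including the 'end' line."""
    lines = []
    for line in stream:
        lines.append(line)
        if line.strip() == "end":
            break
    return "".join(lines)


if __name__ == "__main__":
    # Hypothetical default location; pass another directory as argv[1].
    cert_dir = Path(sys.argv[1] if len(sys.argv) > 1 else "/etc/pure-ftpd/sni")
    sys.stdout.write(handle_request(read_request(sys.stdin), load_cert_map(cert_dir)))
    sys.stdout.flush()
```

The map is rebuilt from the directory on each call, so adding a customer's certificate is a matter of dropping a correctly named PEM into the directory; a name that is syntactically valid but has no file simply gets a deny, and a name that is not a host name never reaches the filesystem at all.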

2

Great news, hopefully cPanel will soon update pureftpd to the latest version and implement SNI SSL 🙂
