SFTP Module

[kandrews]

Its about time someone made a SFTP module or upgraded the proftpd to run over ssl.

I'm thinking of either writing a new module using SSH subsystem or re-configuring proftpd.

Idea for SSH subsystem:

CentOS Guide:
http://red.zvps.co.uk/projects/zvps-desi...Sub_System

Ubuntu Guide:
http://red.zvps.co.uk/projects/zvps-desi...s_over_SSH

Home directories would be set in /var/zpanel/hostdata/{{username}}/* when creating the unix users. This would also enable ssh keypair auth for sftp users

[Me.B]

allowing SSH for me is a mess. No need but SFTP yes as long we use instead SSL over FTP mainly and don't mess up with SSH.

M B

[jacobg830]

Sounds like a great idea Kev! Personally I find SSH file transfer MUCH faster than FTP on my slow internet connection.

[Me.B]

Jacob I do it all the time but won't offer it any way to customers.

[kandrews]

Me.B if you look at the guides you can see the users are safely jailed. We have this working in a corporate environment with over 100 users. It is the best way i know to setup sftp only users via the ssh subsystem.

Its not a standard ssh user

@Jacob i find the sftp subsystem much more reliable at transferring lots of files over a slow internet connection than proftpd...

Anyway i'm proposing this as either a 3rd party module or a replacement. It will be voted on at some point

[Me.B]

Hmm been thinking... I don't like the idea of allowing SSH...

BUT this work could prepare for suEXEC as we will need to setup a user for each account and set tight permission

[kandrews]

This doesn't allow SSH, the shell would be forced to SFTP meaning they can't run any linux commands

suExec is something i have been slowely working towards however the current state of the app can't cope with it. Version 1.1 or 1.2 i would recommend having a look into it.

[ekultails]

As a follow-up to this, I have actually implemented my own solution to this problem by tackling both suEXEC and SFTP. I've created a project on GitHub called "Sentora Secured" to accomplish helping set this all up. It's still in early development and is something I hope see come to the official project! Be sure to check out my original post on the matter: [ http://forums.sentora.org/showthread.php?tid=902 ].

[mars]

I think the best way is to change ProFTPd configuration to use viartualhost.

There is no reason to create/delete users or jail them in open SSH ports or even add/replace modules causing an administrative overhead, is very simple with the original sentora FTP module just with a few configuration changes.
See this sFTP configuration file taken from the sentora-paranoid security project.

[ekultails]

Yeah I agree that it would have been easy to setup virtual hosts with the default FTP program, but I was looking to tackle a few other security issues. I didn't like the idea of how using FTP will send data across the Internet in plain text. While you could setup up FTP with SSL support (FTPS), disabling FTP entirely and focusing on Linux users with SSH FTP (SFTP) support helped also with setting up suEXEC.

The main goal I am trying to get at here is adding in suEXEC into Apache so users have a safer environment. On a test VPS I have with a fresh Sentora installation, I was able to find and modify different users files with a simple PHP script simply because every file and is owned and executed by the same Apache user by default. The Sentora Secured script helps to add in more individual and secure ownerships that fix this issue. The lack of native suEXEC alone is the primary reason why I don't use Sentora on my production servers and will be sticking with cPanel for the time being. However, I still have great hopes for the future of Sentora!