I wrote another thread that touched on this topic, but I feel the need to bring it up again.
The way Virtualmin handles administrators seems to me to have a serious security problem. There is a single username/password that is used to:
administer a domain via Virtualmin
login via an ssh shell
administer the domain’s website and such via ftp
In the first two, the login is encrypted. However, in the third, it is by definition transmitted in the clear. This really bugs me. Its insecure to have a login that can be transmitted in the clear also be the login that has total control over the domain.
I don’t see any way to untie ftp access and admin logins. Adding an ftp user assumes only sub-folder access, not access to the full website. As far as I can tell, the main ftp user has to have admin access as well.
Am I totally wrong about all of this? Curious what people think. Its the one thing that is really bothering me as I’m migrating a box to Virtualmin.
At least you can access thru FTP or DAV. I cant even get that.
But I do agree with you. Also the security doesnt seem to work as needed. It says I can make a user, a sub admin as it were. And this user should be able to edit webpages thru webmin.
Sorry, just going to bump this one last time. Joe or Jamie, do you guys not think this is an issue? It seems pretty scary that the master password for a domain has to be passed in the clear to allow ftp access.
Is there a workaround for this? Perhaps a different password system for ftp access? Should I just force my users to use secure ftp of some sort?
ProFTPd supports TLS/SSL encryption. Turn it on, and enforce it. All modern FTP clients support FTP over SSL. We don’t enable it, by default, as you’ll want to have an SSL certificate (self-signed will work, but you lose half of the purpose of SSL/TLS).
You could disable FTP altogether. SSH is a more modern protocol, and many FTP clients, as well as clients designed specifically for SSH (like WinSCP), support FTP over SSH (sometimes called "FISH"). This is my recommendation, but many folks have a hard time giving up FTP.
As for this bit:
Adding an ftp user assumes only sub-folder access, not access to the full website. As far as I can tell, the main ftp user has to have admin access as well.
You’re creating a mailbox/FTP user. That’s not intended for any administrative work at all.
If you want a special FTP account just for web content management, use the “Add a website FTP access user.” link. That’s what it’s for. The other “Add a user to this server.” link is for creating mail users (who might happen to be able to use FTP to put stuff into their home directory–but should not be used for website administration purposes).
Enabling TLS/SSL in ProFTPD is a potential solution for some situations, but not all:
I have clients that need to use older non-TLS/SSL FTP software for whatever reason, and I would prefer to meet their needs in a secure way rather than force them to do things in a new way.
Also, due to the way ProFTPD handles TLS/SSL, you can’t securely have unencrypted anonymous FTP access and encrypted access for everyone else. For clients that require anonymous FTP, this is an issue.
I am using Virtualmin 3.48GPL and I don’t see any “Add a website FTP access user” link. I only have “Add a user to this server” and within that the option to enable FTP.
What would be ideal, in my opinion, would be to be able to configure Virtualmin to disable administrator FTP access (and have that be the default) and then be able to set up an isolated FTP user with access to the root public_html directory (and only that directory). Because it is a security risk, FTP access should never be enabled by default (or it should at least be configurable that way).
Is there any chance of this feature making it into Virtualmin GPL? I believe that would make it possible to alleviate this security issue, by adding all admin users to a group that is denied access in ProFTPD, and then adding ftp-only users on an as-needed basis.
Otherwise the only real solution I see is disabling FTP access.
I installed version 3.50 gpl on my fresh debain system today. Sorry but without this feature the virtualmin is useless. I have to reinstall my rooty…mhhhhh
I tried the above code, and while it does indeed enable the option, I can’t get it to work. The resulting form that comes up to create an ftp user has no submit, and seems generally buggy.
