Filezilla FTP/SFTP Connection Error: 'Could not connect to server'

Let’s make sure we’re all on the same page.

If you are using SFTP, is root allowed?


Where can I find the “Allow login by root?” option?

your.domain.com:10000/sshd/edit_users.cgi?xnavigation=1

Webmin > Servers > SSH Server > Authentication

That is the default port for ssh, not FTP. Some FTP clients support FTP over ssh protocol, but not all do, and if your user does not have shell access an FTP client will not be able to log in to FTP over ssh on port 22, even if they are allowed FTP access.

FTP is on 20/21, and ProFTPd also provides FTP-over-SSH on port 2222 (which works even if the user has no shell, but is allowed to use FTP).


FTP does not, and should not, allow root login.


FileZilla connected successfully, thank you all. I used port 2222 for the FTP user that I created; for the host I entered the IP.

Shouldn’t that be “You should not use FTP”?
Even Filezilla and most folk online discourage FTP and recommend SFTP (at least), preferably with a key.

My assumption from the start (in all posts) was the use of SFTP (and port 22).
The assumption of recommended Filezilla practice was evidently in error. I’m surprised that wasn’t spotted.

ProFTPd supports TLS, so the primary reason one should not use FTP is removed, as long as you use an FTP client that supports TLS and you make sure you’re always using encryption. I personally haven’t used FTP in at least 20 years, but some people have habits that die hard.

A Virtualmin system enables TLS in ProFTPd from the beginning.

So, to be clear:

  1. You can use port 22 (OpenSSH) with most modern FTP clients, and it will look like an FTP server to the user (OpenSSH supports the sftp protocol). It has different semantics from the FTP server, however. A user may have FTP access but not have ssh (and thus sftp) access on port 22. A user with no login shell configured cannot connect on port 22; they will be logged out immediately.
  2. You can use port 2222 (ProFTPd) with most modern FTP clients, and it will look like an FTP server offering sftp protocol (ProFTPd supports the sftp protocol) to the user. This is enabled by default in a Virtualmin system, and allows users with only FTP access (e.g. a user shell of false or whatever) to use the sftp protocol. This is set up for a couple of reasons: one is to allow admins to offer a “chroot” type of access without the complexity and risk of chroot shells (Jailshell, which requires the admin know a lot more about Jailshell and chroots and security to use it safely), and also to allow users without a shell to use the more modern sftp protocol.
  3. You can use the regular FTP ports (20/21 served by ProFTPd) with TLS (sometimes called FTPS protocol) with most modern FTP clients, and it will look like an FTP server to the user (because it is), and it will opportunistically use TLS encryption. You can also enforce encryption in most modern clients; i.e. don’t connect if you can’t negotiate an encrypted connection. You should do that. FTP without encryption is not safe to use.

I don’t care what you use, as long as it is encrypted. If you insist on providing users a “chrooted” view of the filesystem, it is easier and potentially safer to do it in ProFTPd than with OpenSSH (because ssh provides a shell! FTP only allows a tightly restricted set of operations). If you don’t understand Jailkit, chroot, and how to safely build a chroot environment, you may be providing a means to escape the jail without realizing it (this is not all that dangerous anymore on modern systems using capabilities, but I’ve recently learned that Debian and Ubuntu packages for Jailkit do not use capabilities, at least didn’t up until the most recent one I checked…which is scary; our jailkit RPMs use capabilities).

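To check which of the three options above a given port on your own server actually offers, here is an added example (not from the thread or from Virtualmin). It reads the server greeting and, for FTP, sends `AUTH TLS` to see whether encryption can be negotiated; the function names `read_reply`, `classify` and `probe` are made up for this sketch.

```python
import re
import socket
import sys

# Last line of an FTP reply: three-digit code followed by a space (RFC 959).
FTP_FINAL = re.compile(r"^\d{3} ")

def read_reply(f, max_lines=20):
    """Return the SSH identification line or the final line of an FTP reply."""
    for _ in range(max_lines):
        line = f.readline().decode("latin-1").rstrip("\r\n")
        # Stop at EOF, at an SSH version string, or at the end of a
        # (possibly multi-line "220-...") FTP reply.
        if not line or line.startswith("SSH-") or FTP_FINAL.match(line):
            return line
    return ""

def classify(greeting, auth_reply=""):
    """Map what the server said to one of the cases from the thread."""
    if greeting.startswith("SSH-"):
        return "ssh"  # sftp runs inside SSH, so it is always encrypted
    if greeting.startswith("220"):
        # 234 is the server accepting AUTH TLS (RFC 4217).
        if auth_reply.startswith("234"):
            return "ftp-tls-offered"
        return "ftp-plaintext-only"
    return "unknown"

def probe(host, port, timeout=5.0):
    """Read the greeting; on FTP, also ask whether TLS can be negotiated."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rwb") as f:
            greeting = read_reply(f)
            auth_reply = ""
            if greeting.startswith("220"):
                f.write(b"AUTH TLS\r\n")
                f.flush()
                auth_reply = read_reply(f)
            return classify(greeting, auth_reply)

if __name__ == "__main__":
    host = sys.argv[1]  # your own server
    for port in (22, 2222, 21):  # the three ports discussed in the thread
        try:
            print(port, probe(host, port))
        except OSError as exc:
            print(port, "no connection:", exc)
```

A result of `ftp-tls-offered` only means the server will negotiate TLS; the client still has to be set to require it, as point 3 says.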

See my first post. I was trying to nail this down. The OP’s first screen shot seemed to indicate sftp though, hence my question about root being allowed in sftp.
