FTP admin user?

Hello, I want to setup each of my clients FTP sites into my Filezilla so that when they call I have immediate access. Obviously I need an overruling account that can access all FTP accounts on my server - any way to do this?

You’d need FTP as root to do that. But I very strongly recommend against that!

Rather use SFTP (file transfer via SSH), to your port 22, as root. And only allow public key authentication for root, not via password. You can use e.g. the tool “WinSCP” when you’re using Windows, or a Linux equivalent of which there certainly are plenty.

Is there any other way that it can be done? Can you access each site through root?

root has full access to everything, yes. But again, really, you should NOT do FTP as root! SFTP is just as comfortable and much more secure! And doesn’t require weird port setups to work behind routers.

At the very least, you should use FTPS (FTP over SSL)! FTP transmits everything unencrypted. You do NOT want to have your root password transmitted over the net unencrypted! You should not allow any root logins with password at all really, only with public key files. And FTPS is even more complex to set up than FTP or SFTP.

Jeremy, in case you’re having doubts, let me chime in…

LOCUTUS IS RIGHT !!!

  1. do NOT use a root login/password with FTP… they will be passed in plain text across the internet

  2. use SFTP protocol (/etc/ssh/sshd_config is probably already configured to allow it)

  3. you should have root in your /etc/ftpusers so no one can FTP in as root

  4. I would also add “PermitRootLogin no” to the /etc/ssh/sshd_config once you have your “AllowUsers jeremy” working

  5. and WINSCP is awesome… you can have all your clients listed, just scroll to one, click, and you’ll see a familiar “ftp window”, and will be secure using SFTP

And… to be even MORE secure… you could enable the “AuthorizedKeysFile” entry in sshd_config, and then set “PasswordAuthentication no” once you have created key pairs and have copied the public key to the ~/.ssh location.

Thanks for all your help, sounds like SFTP is the way to go. Could anyone guide me on setting it all up?

Locutus: “only with public key files.” - I would be greatly appreciative if someone could show me to how to set this up.

Generic version: You generate a public/private key pair with the SSH software of your choice (puttygen on Windows e.g.), put the public key in the file ~/.ssh/authorized_keys, and use the private key in your SSH tool when connecting.

Details greatly depend on what distro and SSH software you’re using.

For Debian, I did this:

—snip—
HOW TO DISABLE SSH USERNAME PASSWORD LOGINS AND USER PUBLIC PRIVATE KEY PAIRS

Warning: Move slowly on this, test it on a local server first, you could lock yourself out of your remote server.

  1. read about key pairs online:
  1. create the public private key pair using OPENSSH

from the command prompt
cd /d “C:\Program Files (x86)\OpenSSH\bin”
ssh-keygen.exe -b 4096 -t rsa -f id_rsa

  1. backup the keys
  • copy the keys (id_rsa and id_rsa.pub) to a backup drive, thumb drive, have copies
  1. upload the public key (id_rsa.pub) to your Debian server
  • copy the contents of id_rsa.pub to the /root/.ssh/authorized_keys file
    chmod 600 /root/.ssh/authorized_keys
  1. configure your Debian server for BOTH keys and passwords at first

cd /etc/ssh
cp sshd_config sshd_config_orig
vim sshd_config

  • change the following entries

PermitRootLogin yes
AllowUsers root jeremy
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
PasswordAuthentication yes

  • and restart the ssh daemon

service ssh reload

  1. use your Windows SSH Client to connect
  • import the private key (id_rsa) into your Windows SSH Client
  • if you’re using Putty, you might need to use PuttyGen.exe to create a PUTTY private key (id_rsa.ppk) from the RSA private key
  • I use SecureCRT, and it converted it automatically
  • configure the root connect to use the keys, and not passwords
  • test the root connect
  1. if you’re able to connect with the keys
  • then go back to the sshd_config and change

PasswordAuthentication no

  • and restart the ssh daemon

service ssh reload

  1. cross fingers and connect again

Can’t thank you enough for your help. What can you suggest for generating the keys on a mac?
Also if it’s any help, CentOS 6.4.

There seems to be a Mac version of Putty, which would be recommended. At least I hope the Mac port also contains Puttygen, which is the GUI-based keyfile management tool included with Putty.

Setting up SSH on CentOS should be fairly similar, if not the same, as jimdunn outlined, provided it uses OpenSSH like Debian (which I suppose it does).

It’s most important to change PasswordAuthentication to No in your OpenSSH config only when keyfile authentication works okay, otherwise you’d lock yourself out of SSH.