What is best for a hosting environment: FTP, FTPS or SFTP?

There are several options to provide users with FTP access to their home directories in a shared hosting environment.

FTP (File Transfer Protocol) is not secure, so it is not recommended.

FTPS (FTP over implicit/explicit TLS/SSL) is a better option, but still kind of problematic for a shared hosting environment, especially on a shared IP, since SSL keys require dedicated IPs.

So, the best option is SFTP (SSH File Transfer Protocol), but at the same time it has the biggest disadvantage. While it is possible with FTP and FTPS to restrict users from seeing anything outside of their home directories, with SFTP it is not. I don’t mind users seeing the list of other users under /home; after all, shared hosting is shared. However, the problem is that users can see not only the /home directory, but also the list of directories under / and can even browse within some of them. It seems the file permissions prevent users from deleting or doing anything wrong with system directories, but it still makes me nervous that users can freely browse the root system directories.

I would really like to stick with SFTP, since it is the most secure protocol, but the issue described above makes me use the old and insecure FTP protocol. So my questions are:

  1. Is there any way to prevent SSH FTP users from seeing anything outside of their own home directories?

  2. If there is no such way, what is the best FTP practice for Virtualmin Shared Hosting Services?

Thanks!

Would this http://www.cyberciti.biz/faq/restrict-linux-users-to-their-home-directories-only play nicely with Virtualmin?

Howdy,

I might suggest looking into SSH’s “ChrootDirectory” parameter, which can work well with SFTP. I’m not sure that rbash and other restricted shells will work with SFTP.

Note though that just restricting SFTP or FTP doesn’t change the permissions of files and directories across your server… if a file/directory is world readable, there are other ways to get to it. For example, if a user uploads a web-based directory browser, or uses a web app that has one built in, they can still browse to those same files and directories. There are some more details on that issue here:

http://www.virtualmin.com/documentation/security/faq

Thanks for the reply. I know that whoever really wants to can browse the directories by other means; however, I don’t want to encourage ordinary users to browse extra directories.

As for your suggestion about chrooted SFTP, Joe on http://www.virtualmin.com/node/6454#comment-27835 says:

This requires ssh to run in a chroot environment. We don’t recommend it, as it removes several security features from ssh.

I wonder exactly what kind of security features are removed in a chrooted environment.

Well, what Joe said used to be true… but now, SSH offers a new parameter named “ChrootDirectory”, which solves the problems that Joe described.

Using ChrootDirectory is a good way to chroot an SFTP user, and is natively supported by the SSH daemon.

-Eric

That’s a relief to me, since it helps me make a firm decision about which direction to go. I’d appreciate it if you could answer a couple more questions:

  1. My server is on CentOS 5.6, which is shipped with ssh -v OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

    Some say the feature has been backported and is working fine with current version: http://serverfault.com/questions/96732/rhel-5-4-chrooted-sftp/101069#101069

    Some say that without Match directive the backport is useless: https://wincent.com/wiki/Replacing_the_Red_Hat-supplied_OpenSSH_package_with_a_newer_version_built_from_source and offer to build the latest version of OpenSSH from source.

    Others suggest building from CentALT repository with yum:
    http://linuxadminzone.com/quickly-upgrade-ssh-openssh-in-centos-linux-to-latest-5-5-version

    I wonder what is true: can 4.3p2 really provide the needed functionality, or does it really have to be replaced? If the latter, which way is recommended?

  2. Won't making chrooted home directories conflict with Virtualmin's functionality? Can it be integrated into Virtualmin? Will I have to chroot the home directory for every new user manually at the command line, or is it possible somehow to write some rules in, let's say, Virtualmin's templates to automate the process?

Well, I don’t have much experience in setting it up, you may need to do some trial and error to see what works for you.

As I read the sshd_config man page on how ChrootDirectory works – the user’s homedir has to be owned by the user “root”, which can be pretty restrictive, and isn’t the default on most servers.

Also, I’ll offer though that, in searching Google for “SSH ChrootDirectory”, it’s difficult to find an example that doesn’t use the Match directive. So many folks certainly find “Match” to be an important component of getting that to work :)

Won’t making chrooted home directories contradict with Virtualmin’s functionality

Hmm, in what sense? It shouldn’t be contradictory, any more than restricting FTP users to a specific homedir.

Can it be integrated to Virtualmin? Will I have to chroot home directory for every new user created manually at command line or is it possible somehow to write some rules in, let’s say, templates of Virtualmin to automatize the process?

You’ll probably want to poke around Google for some examples of how to use ChrootDirectory, but with the “Match” directive, you should be able to use it for users belonging to a specific group. Or for all users if that’s what you want.

Now, the “root” owned directory may be a problem, but you could always specify a script to run in System Settings -> Virtualmin Config -> “Actions upon server and user creation” that sets the homedir to be owned by root.

I’m again not sure what repercussions will be involved in doing that, you’d need to experiment a bit and see how that works for you.

And then, let us know how all that goes :)

-Eric
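
Added example (not part of the original thread, and not Virtualmin or OpenSSH project code): a pre-flight check for the ChrootDirectory ownership requirement discussed above. Per sshd_config(5), every component of the chroot path must be a root-owned directory that is not group- or world-writable; the group name `sftponly` and the function names are hypothetical, and GNU `stat -c` is assumed.

```shell
#!/bin/sh
# Added example. Assumed sshd_config stanza ("sftponly" is a hypothetical group):
#
#   Subsystem sftp internal-sftp
#   Match Group sftponly
#       ChrootDirectory %h
#       ForceCommand internal-sftp
#       AllowTcpForwarding no
#
# sshd refuses the session unless every component of the ChrootDirectory
# path is root-owned and not writable by group or others.

# component_ok UID MODE
# Succeeds if one path component's owner uid and octal mode satisfy the rule.
component_ok() {
    [ "$1" -eq 0 ] || return 1
    # 022 masks the group-write and other-write permission bits
    [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot_path DIR
# Walks DIR and each parent up to /, reports the first offending component.
# Returns 0 if sshd would accept the path, 1 if not, 2 on lookup errors.
check_chroot_path() {
    p=$(cd "$1" 2>/dev/null && pwd -P) || { echo "not a directory: $1"; return 2; }
    while :; do
        info=$(stat -c '%u %a' "$p") || return 2   # GNU stat: "<uid> <octal mode>"
        uid=${info% *}
        mode=${info#* }
        if ! component_ok "$uid" "$mode"; then
            echo "sshd would reject: $p (uid=$uid mode=$mode)"
            return 1
        fi
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Stand-alone use: ./check_chroot.sh /home/someuser
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Because a root-owned home is not writable by its user, uploads have to go into a user-owned subdirectory below it.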

Thanks Eric, I will experiment with this, maybe later today. BTW, does Virtualmin put virtual servers owners to one users group or not?

Hi,

We use another OSS (SME Server) where they use RSSH to limit SSH access to sFTP and scp usage.

Is there an easy way we can specify the default user shell to be ‘rssh’?

Is this a good idea?

G

Is SFTP encrypted by default?

I mean, now that I have a VPS and am doing SFTP to it over port 22.

Do I have to configure SSL or other stuff for it, or is it already secure so I can use it like that out of the box?

Thanks…

Yes, SFTP is encrypted. It is basically based on SSH.

I used FTPeS (since I couldn’t control what the user could see using SFTP).

See http://www.virtualmin.com/node/29262