Issue with FTP-like access for migrated domains

I have set up a new Pro server. Virtual servers added to it are set up with SFTP by default. This works.

I just migrated a bunch of domains from an older (but updated and current) Pro server that used FTPS by default. I can access these domains on the new server via plain FTP and FTPS, but I cannot access them via SFTP.

If I try and set up an SFTP jail for a migrated domain, nothing FTP-related works at all. The logs in FileZilla appear to imply that the user name and password are wrong, but I reset the password through Edit Virtual Server -> Configurable settings and this changes nothing. There is no way to change the password at Edit Users.

Simply put, I was delighted when I found that Virtualmin's implementation of SFTP worked properly on the new server, but it's broken on migrated domains, and trying to fix it on a migrated domain completely borks all FTP-like access. I want to figure out how to do it, or do it properly.

Thank you.

Craig

Status: Active

Comments

Howdy -- thanks for contacting us!

For the accounts where you're having trouble logging in via SFTP, what shell are they using?

From Administration Options -> Edit Owner Limits -> Other restrictions, a completely broken domain that I tried to fix has "Email, FTP and SSH" selected from the drop-down, with "Chroot jail domain Unix user?" marked "Yes". /etc/passwd shows /home/chroot/149805397720821/./home/aeszambi:/sbin/jk_chrootsh .

A migrated domain that I have not tried to fix has "Email and FTP", with "Chroot jail domain Unix user?" set to "No". /etc/passwd shows /bin/false.

Is there somewhere else I should be checking this?

Now that I think of it, this is probably tangentially connected to my ticket about features, plans and templates.

When you say "SFTP" do you mean file access over SSH, or the regular FTP protocol in encrypted mode?

I mean the terms as they are defined, as far as I know:

  • SFTP: SSH File Transfer Protocol (so your first option)
  • FTPS: File Transfer Protocol over SSL (your second option)

Am I confused? Or have I confused the issue? I tried to be very precise.

OK, I see now - some users say "SFTP" when really they mean FTPS.

Anyway, as I understand it, for SFTP to work, the user's shell needs to be set to something that allows file access but not running arbitrary shell commands. What gets logged to /var/log/secure when you try a SFTP login and it fails?

Well, I did use both terms in one sentence in the OP, so I don't see how they could have been referring to the same thing. Anyway, moving on.

Here is what you asked for:

Oct  8 03:00:38 nc041 sshd[27830]: Accepted password for aeszambi from 1.2.3.4 port 34697 ssh2
Oct  8 03:00:38 nc041 sshd[27830]: pam_unix(sshd:session): session opened for user aeszambi by (uid=0)
Oct  8 03:00:39 nc041 sshd[27830]: pam_unix(sshd:session): session closed for user aeszambi
Oct  8 03:00:45 nc041 sshd[27836]: Accepted password for aeszambi from 1.2.3.4 port 44077 ssh2
Oct  8 03:00:45 nc041 sshd[27836]: pam_unix(sshd:session): session opened for user aeszambi by (uid=0)
Oct  8 03:00:45 nc041 sshd[27836]: pam_unix(sshd:session): session closed for user aeszambi

1.2.3.4 is my workstation's IP address.
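Added example (not part of the thread and not Virtualmin code): the log above shows the password being accepted and the session closing within a second, so this sketch pairs such short sshd sessions with the account's shell field from /etc/passwd. The passwd uid/gid values, the `exampledom` account and the two-second threshold are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed input: sshd lines as quoted in the thread; passwd uid/gid values
# are made up and "exampledom" is a hypothetical account using /bin/false.
SECURE_LOG = """\
Oct  8 03:00:38 nc041 sshd[27830]: Accepted password for aeszambi from 1.2.3.4 port 34697 ssh2
Oct  8 03:00:38 nc041 sshd[27830]: pam_unix(sshd:session): session opened for user aeszambi by (uid=0)
Oct  8 03:00:39 nc041 sshd[27830]: pam_unix(sshd:session): session closed for user aeszambi
Oct  8 03:00:45 nc041 sshd[27836]: Accepted password for aeszambi from 1.2.3.4 port 44077 ssh2
Oct  8 03:00:45 nc041 sshd[27836]: pam_unix(sshd:session): session opened for user aeszambi by (uid=0)
Oct  8 03:00:45 nc041 sshd[27836]: pam_unix(sshd:session): session closed for user aeszambi
"""
PASSWD = """\
aeszambi:x:1001:1001::/home/chroot/149805397720821/./home/aeszambi:/sbin/jk_chrootsh
exampledom:x:1002:1002::/home/exampledom:/bin/false
"""
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[(\d+)\]: (.*)$")
NO_LOGIN = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def short_sessions(log, max_seconds=2):
    """Return (user, pid, seconds) for sessions that closed right after a successful login."""
    accepted, opened, hits = {}, {}, []
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # Syslog timestamps carry no year; a fixed one is enough for differences.
        when = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        pid, msg = m.group(2), m.group(3)
        if msg.startswith("Accepted "):
            accepted[pid] = msg.split()[3]      # "Accepted <method> for <user> ..."
        elif "session opened for user" in msg and pid in accepted:
            opened[pid] = when
        elif "session closed for user" in msg and pid in opened:
            secs = (when - opened.pop(pid)).total_seconds()
            if secs <= max_seconds:
                hits.append((accepted[pid], pid, secs))
    return hits

def diagnose(log, passwd):
    """Map each user with short-lived sessions to (shell, shell category)."""
    fields = (entry.split(":") for entry in passwd.splitlines())
    shells = {f[0]: f[6] for f in fields if len(f) == 7}
    report = {}
    for user, _pid, _secs in short_sessions(log):
        shell = shells.get(user)
        kind = ("no-login shell" if shell in NO_LOGIN
                else "jailkit chroot shell" if shell and shell.endswith("jk_chrootsh")
                else "other")
        report[user] = (shell, kind)
    return report
```

A hit with an "Accepted" line means authentication succeeded and the session ended afterwards, so the shell field and the jail it points into are the place to look rather than the password.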

Any response to the information you asked for that I provided?

Only asking to be sure for yourself.

SFTP only username password or with keys. OLD box <> new box

Hi Jfro,

While I appreciate your response, I am directing my support request to the vendor of Virtualmin, not to you. Thanks.

Craig

Jamie,

Is there any additional information you need from me to address this question? I'm confused by the fact that there has been almost two weeks of silence.

I realise that there is no way for Virtualmin to read my mind and know that I would prefer SFTP over FTPS for migrated virtual servers that used FTPS on the old server. However, I don't understand why Virtualmin is breaking all FTP-like access when I use it to try and change the access from FTPS to SFTP for a migrated virtual server, and I especially don't understand why plain FTP (which intentionally did not work on the old server) is now explicitly allowed on the new server to which the virtual server was migrated. In fact, the latter alone would seem to me to be a security bug.

I've currently paused a migration pending resolution of this issue, but I'm going to have to go ahead and complete the migration and hope that you can either tell me how I've used Virtualmin incorrectly, or how Virtualmin expects me to use it to accomplish what seems logical to me.

Thanks.

Craig