Enable sftp for zPanel


We have talked about enabling ssl for zPanel. However, when you log in to zPanel, you will see there is no file manager that can be used to upload/download files online as in cPanel. zPanel does allow you to add ftp accounts in its control panel. The ftp server that ships with zPanel is proftpd. Unfortunately, zPanel's default configuration for proftpd does not enable sftp, which means the ftp protocol is plain ftp running on port 21. Without sftp, everything you transfer to your VPS, including the ftp account name and password, is unencrypted and liable to leak, which sends our previous effort of enabling ssl down the drain. We should configure proftpd to use sftp before setting up a website.
The default configuration file of proftpd is /etc/proftpd.conf, which zPanel modifies to include its own configuration file for proftpd: /etc/zpanel/configs/proftpd/proftpd-mysql.conf. You can refer to this good tutorial and add the following section to proftpd-mysql.conf to enable sftp:

SFTPEngine on
Port 2222
SFTPLog /var/log/proftpd/sftp.log

# Configure both the RSA and DSA host keys, using the same host key
# files that OpenSSH uses.
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key

# Not necessary: restricts logins to public-key authentication.
# Keep comments on their own lines: ProFTPD treats '#' as a comment only
# at the start of a line, so text appended to a directive is read as
# extra parameters and breaks the directive.
SFTPAuthMethods publickey

# Not necessary: where each user's public keys are looked up (%u = login name).
SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u

# Enable compression
SFTPCompression delayed

If you are not familiar with the ssh and sftp protocols, you may be confused by the parameters SFTPHostKey, SFTPAuthMethods and SFTPAuthorizedUserKeys: what they mean, and what the difference is between SFTPHostKey and SFTPAuthorizedUserKeys. Let me explain.

With sftp, you do not need to send your password in plain text over the internet to log in to the server. The server sends you the public key contained in the file specified by SFTPHostKey; you encrypt your password with that public key and send it back to the server. The server then decrypts the password and compares it with the password stored on the server side to see whether the password the client provided is correct. If authentication succeeds, the user is allowed to manage the files on the server.

Another authentication method, publickey (as specified by SFTPAuthMethods), makes things even easier: you no longer need to type your password to log in to the server. Every user generates a public/private key pair with the command ssh-keygen. The public key is stored on the server side as /etc/proftpd/authorized_keys/%u (%u is the user's login name). The private key is kept secret by the user on his local machine. When the user accesses the server, the server sends a random string to the user, who encrypts it with his private key and sends it back; the server then decrypts it and checks that it matches the original string, and authentication is complete. If you do not want to bother generating keys, you can comment out SFTPAuthMethods and SFTPAuthorizedUserKeys to log in with a password.

Now restart proftpd (service proftpd restart) and you will be able to connect to the server with an sftp client such as sftp.
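Before restarting, it is worth checking the block for a common slip: a comment appended to a directive line (for example `SFTPAuthMethods publickey #not necessary`) is read by ProFTPD as extra parameters, and the directive then fails. The following Python linter is an added example, not code from this post, zPanel or ProFTPD; it assumes ProFTPD's rule that `#` starts a comment only at the beginning of a line, and the four method names mod_sftp accepts for SFTPAuthMethods.

```python
"""Offline lint for a ProFTPD mod_sftp block (added example, not zPanel or ProFTPD code). It assumes
ProFTPD treats '#' as a comment only at line start, so trailing text on a directive is a parameter."""

# Methods mod_sftp accepts for SFTPAuthMethods (assumed from the mod_sftp documentation).
KNOWN_AUTH_METHODS = {"publickey", "hostbased", "keyboard-interactive", "password"}

def parse_proftpd(text):
    """Tokenise config text into (line number, directive, parameter list) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):  # skip blank lines and full-line comments
            directive, *params = line.split()
            entries.append((lineno, directive, params))
    return entries

def lint_sftp(text):
    """Return a list of findings for the SFTP directives; an empty list means nothing found."""
    findings, seen = [], {}
    for lineno, directive, params in parse_proftpd(text):
        seen.setdefault(directive, params)  # keep the first occurrence of each directive
        if any(p.startswith("#") for p in params):
            findings.append(f"line {lineno}: {directive} carries a trailing comment that becomes a parameter")
        if directive == "SFTPAuthMethods":
            methods = [m for p in params for m in p.split("+")]  # 'a+b' chains methods
            for bad in (m for m in methods if m not in KNOWN_AUTH_METHODS):
                findings.append(f"line {lineno}: unknown SFTPAuthMethods value {bad!r}")
    if seen.get("SFTPEngine") != ["on"]:
        findings.append("SFTPEngine is not 'on': the listener stays plain FTP")
    if "SFTPHostKey" not in seen:
        findings.append("no SFTPHostKey: clients cannot verify the server")
    if seen.get("Port", ["21"])[0] in ("21", "22"):
        findings.append("Port is 21 or 22: plain FTP port or a collision with sshd; the post uses 2222")
    return findings

# Constructed sample: the post's directives with comments appended to two directive lines.
POST_CONFIG = """\
SFTPEngine on
Port 2222
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPAuthMethods publickey #not necessary
SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u #not necessary
SFTPCompression delayed
"""
# The same directives with the comments moved onto their own lines, as ProFTPD expects.
FIXED_CONFIG = POST_CONFIG.replace(" #not necessary", "\n# not necessary")

if __name__ == "__main__":
    for name, cfg in (("post", POST_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, lint_sftp(cfg) or "OK")
```

The authoritative check remains `proftpd -t`, which parses the real configuration on the server; this script only catches the mistakes above without touching the host.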

Note that the original tutorial talks about disabling sftp access on the ssh port, but it seems unnecessary. If you use the ftp account to log in through the ssh port (usually 22) with an ssh terminal such as PuTTY, it will say "Access denied". If you log in through the ftp port specified in the proftpd configuration file, it will say "server refused to allocate pty". Neither way lets you log in to the server.

Posted in tips of hosting