Hello everyone. Long time no “see”, but sometimes RL can be a bitch.
Last night I got an idea that I would like to discuss with you. But let me set the stage first… As far as I understand (feel free to correct me when needed), an SSH key is being created for every user who is assigned the No login SSH Access. This key is used by the file manager, and is bound to accept connections only from 127.0.0.1.
I was thinking that this SSH key could/should also be used by the user when connecting remotely. Why, you ask? Because FTP is not secure by design.
Moreover, there could also be a button or something on Hestia Web Interface, for the users to download their SSH key, to use it with FileZilla or WinSCP (Windows users apparently).
Last night I edited a user’s authorized_keys file to remove the from="127.0.0.1" setting. And then I was able to connect remotely and of course jailed to the user’s home directory, and Hestia File Manager had no issues with that. YAY! Though I’m not sure about any security implications… So your input would be highly appreciated.
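To see which keys the experiment above affects, here is an added shell audit helper (not part of this thread and not Hestia code): it reads a standard OpenSSH authorized_keys file and classifies each key by its from= option, so a File Manager key whose loopback restriction was removed shows up as unrestricted. The sample file, its comments and the key blobs are constructed placeholders.

```shell
# Added audit helper (not Hestia code): report the from= scope of every key in
# an authorized_keys file. A loopback-only key is what the File Manager needs;
# an unrestricted key is one that also accepts remote logins.

# key_scope LINE -> loopback-only | host-restricted=<patterns> | unrestricted
key_scope() {
    # options sit before the key type, so a from= in the comment is ignored
    from_spec=$(printf '%s\n' "$1" \
        | sed -nE 's/^.*from="([^"]*)".*(ssh-|ecdsa-|sk-)[^ ]+ .*/\1/p')
    if [ -z "$from_spec" ]; then
        echo unrestricted
        return 0
    fi
    # loopback-only means every comma-separated pattern is a loopback name
    other=$(printf '%s\n' "$from_spec" | tr ',' '\n' \
        | grep -vE '^(127\.0\.0\.1|::1|localhost)$' || true)
    if [ -z "$other" ]; then
        echo loopback-only
    else
        echo "host-restricted=$from_spec"
    fi
}

# audit_file FILE -> one "<scope><TAB><comment>" line per key, comments skipped
audit_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        comment=$(printf '%s\n' "$line" \
            | sed -nE 's/^.*(ssh-|ecdsa-|sk-)[^ ]+ [^ ]+ ?(.*)$/\2/p')
        printf '%s\t%s\n' "$(key_scope "$line")" "${comment:-(no comment)}"
    done < "$1"
}

# count_scope FILE SCOPE -> how many keys have a scope starting with SCOPE
count_scope() {
    audit_file "$1" | cut -f1 | grep -c "^$2" || true
}

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# File Manager key as described in the thread
from="127.0.0.1" ssh-ed25519 AAAAC3NzPLACEHOLDER filemanager@hestia
# the same key after the from= restriction was removed
ssh-ed25519 AAAAC3NzPLACEHOLDER filemanager@hestia
from="203.0.113.0/24,!203.0.113.7" ssh-rsa AAAAB3NzPLACEHOLDER admin@laptop
from="::1,localhost" ecdsa-sha2-nistp256 AAAAE2PLACEHOLDER
EOF
audit_file "$SAMPLE"
```

Run it against /home/<user>/.ssh/authorized_keys for each user to list every key that is no longer bound to 127.0.0.1.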
Also, SFTP allows authentication with user and password for logins, which should anyway be the replacement for FTP/FTPS communication. So from my point of view, all is already there where it should be.
Correct! Unless you’re one of those crazy people like me who run all SSH daemons with password authentication disabled. In fact that is the second command when building a new server: sed -ri 's/#?PasswordAuthentication\s+.*/PasswordAuthentication no/' /etc/ssh/sshd_config
This ofc means that in such cases, the admins (or the users themselves) need to create a separate key, unless the File Manager one could be used instead.
Hm… Interesting point that I wasn’t aware of >.< Thanks!
The whole idea was around a Self-Service solution for users, like “Click here to get your .PPK key to use it with FileZilla”. I’ll do some more research to see if the creation and conversion (to PPK format) of the SFTP Private Key (for remote connections) can be automated and implemented inside v-add-user. If that works out, then maybe a GUI button…
It is a bad idea to generate an SSH key on the server and leave it there for an undefined time.
If we add a function like this, I would suggest adding an extra “link”/button where the user can generate the key on demand and download the private key, if possible in different formats.