Idea: SSH Key + SFTP instead of FTP

Hello everyone. Long time no “see” but sometimes RL can be a bitch :grimacing:

Last night I got an idea that I would like to discuss with you. But let me set the stage first… As far as I understand (feel free to correct me when needed), an SSH key is being created for every user who is assigned the No login SSH Access. This key is used by the file manager, and is bound to accept connections only from 127.0.0.1.

I was thinking that this SSH Key could/should also be used by the user when connecting remotely. Why you ask? Because FTP is not secure by design :frowning:

Moreover, there could also be a button or something on Hestia Web Interface, for the users to download their SSH key, to use it with FileZilla or WinSCP (Windows users apparently).

Last night I edited a user’s authorized_keys file to remove the from="127.0.0.1" setting. And then I was able to connect remotely and of course jailed to the user’s home directory, and Hestia File Manager had no issues with that. YAY! :smiley: Though I’m not sure about any security implications… So your input would be highly appreciated.

What do you think?

The key is for file manager auth only, but there is already a function where you can easily add your own SSH key:

Also SFTP allows authentication with user and password for logins, which should anyway be the replacement for FTP/FTPS communication. So in my point of view, all is already there where it should be :slight_smile:.

File manager key will get deleted after xx min unless you were one of the beta testers… (The function to delete it after xx min was added later.)

Option to discuss: should we add an option to generate an SSH key, in addition to adding an SSH key yourself?

Don’t know how easy it is on a Windows computer. For Linux / OS X you have a simple command you can run.


Correct! Unless you’re one of those crazy people like me who run all SSH daemons with disabled password authentication :wink: In fact that is the second command when building a new server:
sed -ri 's/#?PasswordAuthentication\s+.*/PasswordAuthentication no/' /etc/ssh/sshd_config
This ofc means that in such cases, the admins (or the users themselves) need to create a separate key, unless the File Manager one could be used instead.

Hm… Interesting point that I wasn’t aware of >.< Thanks!

The whole idea was around a Self-Service solution for users, like “Click here to get your .PPK key to use it with FileZilla”. I’ll do some more research to see if the creation and conversion (to PPK format) of the SFTP Private Key (for remote connections) can be automated and implemented inside v-add-user. If that works out, then maybe a GUI button…

It is a bad idea to generate an SSH key on the server and leave it there for an undefined time.

If we add a function like this I would suggest adding an extra “link” / button where the user can generate the key on demand and offer the private key as a download, if possible in different formats:

  • As “id_rsa” key for Linux and OSX
  • .pem file
  • And if possible to .ppk
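A shell sketch of the on-demand flow suggested above: generate the key, install the public half with the same kind of authorized_keys options the thread mentions, export it as id_rsa / .pem (and .ppk where puttygen is present), and remove everything from the server once it has been served. This is an added example, not Hestia code; the home-directory layout, the added `restrict` option and the puttygen conversion are assumptions of the example.

```shell
#!/bin/sh
# Added example (not Hestia code). Assumptions: run as root, the user's home is
# passed in, and the private key is served once and then discarded (see below).
set -eu

# One authorized_keys line. "local" pins the key to loopback as Hestia does for
# the file manager; "remote" drops the from= pin so it works over SFTP. Both add
# "restrict" (assumption of this example) so the key cannot forward ports or
# allocate a PTY; the SFTP subsystem does not need either.
build_authorized_key_line() {
    pubkey=$1; scope=${2:-remote}
    case "$scope" in
        local)  printf 'from="127.0.0.1",restrict %s\n' "$pubkey" ;;
        remote) printf 'restrict %s\n' "$pubkey" ;;
        *)      echo "unknown scope: $scope" >&2; return 1 ;;
    esac
}

# Generate an RSA key in PEM format (the same bytes serve as id_rsa and .pem),
# install the public half for the user and print the directory holding the
# private key, which the web layer is expected to serve and then discard.
issue_sftp_key() {
    user=$1; home=$2; workdir=$(mktemp -d)
    ssh-keygen -q -t rsa -b 4096 -m PEM -N '' -C "sftp-$user" -f "$workdir/id_rsa"
    cp "$workdir/id_rsa" "$workdir/id_rsa.pem"
    if command -v puttygen >/dev/null 2>&1; then    # optional .ppk for WinSCP/FileZilla
        puttygen "$workdir/id_rsa" -O private -o "$workdir/id_rsa.ppk"
    fi
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    build_authorized_key_line "$(cat "$workdir/id_rsa.pub")" remote \
        >> "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    # Only hand ownership over when the account really exists on this host.
    id "$user" >/dev/null 2>&1 && chown -R "$user:" "$home/.ssh"
    echo "$workdir"
}

# After the download has been served nothing private may stay on the server.
discard_issued_key() {
    rm -rf "$1"
}

# Usage (as root): dir=$(issue_sftp_key alice /home/alice); serve "$dir/id_rsa"; discard_issued_key "$dir"
```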