SSH users can login via FTP by default

Discussion in 'ISPConfig 3 Priority Support' started by ronee, Oct 21, 2017.

  1. ronee

    ronee Member HowtoForge Supporter

    Running ISPConfig 3.1.6 on Debian Jessie.
    Just noticed that by default an SSH user can log in via plain FTP with the same credentials even with no ftp users defined.

    Is this by design? This is unexpected and undesirable from our standpoint. We can of course disable ftp entirely but it would be useful to know if there's another way to prevent SSH users from using FTP (and sending their credentials in cleartext).

  2. elmacus

    elmacus Active Member HowtoForge Supporter

  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Take a look into the directory /etc/pure-ftpd/auth/; there you should find 3 auth files. The mysql one is for ISPConfig FTP users. Check the ones for unix and pam, and if one of these contains 'yes', try to set it to 'no' and restart pure-ftpd.
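
A read-only check for the setting described in the reply above, as an added example that is not part of the original thread. It assumes each file in the auth directory holds a single value such as `yes` or `no` and that the system-account files have "unix" or "pam" in their names; the function name and the sample file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: report pure-ftpd auth files that enable system-account logins.
# Assumption: files whose name contains "unix" or "pam" control authentication
# against system (SSH/shell) accounts, and their first line is "yes" or "no".

# audit_ftp_auth DIR
#   prints "<file name> <value>" for every unix/pam auth file in DIR
#   returns 0 if none is "yes", 1 if at least one is, 2 if DIR is unusable
audit_ftp_auth() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    enabled=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue              # -f follows symlinks
        name=$(basename "$f")
        case $(printf '%s' "$name" | tr 'A-Z' 'a-z') in
            *unix*|*pam*) ;;                 # system-account backends
            *) continue ;;                   # e.g. the mysql file: skip
        esac
        # First line only, whitespace stripped, lowercased.
        value=$(head -n 1 "$f" | tr -d ' \t\r\n' | tr 'A-Z' 'a-z')
        echo "$name $value"
        [ "$value" = "yes" ] && enabled=1
    done
    return "$enabled"
}

# Constructed sample directory (not a real server's files) to show the output.
demo=$(mktemp -d)
printf 'placeholder\n' > "$demo/50mysql"
printf 'yes\n'         > "$demo/65unix"
printf 'no\n'          > "$demo/70pam"
audit_ftp_auth "$demo" || echo "system accounts can authenticate over FTP"
rm -rf "$demo"
```

On a server, call `audit_ftp_auth /etc/pure-ftpd/auth`; a return status of 1 means at least one of the unix/pam files still reads `yes`.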
