
Thread: HOW-TO: SFTP support in ProFTPD

  1. #1

    HOW-TO: SFTP support in ProFTPD

    Updated Dec 2, 2010

    We all know plain FTP is insecure, and it's surprising how much it is still in use today.

    DA comes with support for ProFTPD mod_tls however there are several problems with mod_tls. 1) It only encrypts the control channel of FTP, leaving the actual data transferred still in clear text. 2) That also causes problems with FTP traversal of firewalls since the firewall can't see which ports are going to be needed, although that can be worked around with PassivePorts configuration in ProFTPD. 3) FTP/TLS support is also less common in FTP clients.

    I'm sure some here have been using SFTP with DirectAdmin; however, that is done over the system's SSH daemon. The problems with this are: 1) users must be given ssh access to use SFTP. 2) You can't restrict SSH access to certain IPs if you have customers needing to use SFTP. 3) It only lets DirectAdmin Users log in; if a user creates a child FTP account, it will not work for SFTP.



    SFTP hasn't been supported by many common FTP servers such as ProFTPD, until TJ Saunders wrote a mod_sftp for ProFTPD. I've set it up for several people recently and it works really well. It addresses all of the above problems.

    The only drawback to this implementation is that all users on the system will need to switch to SFTP. I might try to come up with a setup for running both SFTP and insecure-FTP later if there is demand.


    Step 1. Change your ssh port (optional)

    I recommend changing your ssh port if you haven't done so already. This is done by changing the Port line in /etc/ssh/sshd_config and restarting sshd. Make sure you know what you are doing before attempting this, since you could lock yourself out of the server.

    Step 2. Compile new ProFTPD with mod_sftp instead of mod_tls

    Assuming your system has custombuild already installed. If you don't have custombuild, go here to install it.

    Code:
    cd /usr/local/directadmin/custombuild
    ./build update
    perl -pi -e 's/proftpd=no/proftpd=yes/g' options.conf
    mkdir -p custom/proftpd
    cp configure/proftpd/configure.proftpd custom/proftpd/configure.proftpd
    perl -pi -e 's/mod_tls/mod_sftp/g' custom/proftpd/configure.proftpd
    ./build proftpd

    Step 3. Make sure new ProFTPD is working

    Restart proftpd, Linux:
    Code:
     service proftpd restart
    FreeBSD:
    Code:
     /usr/local/etc/rc.d/proftpd restart
    Make sure you can still connect to your FTP server. You should see version 1.3.3e:

    Code:
    # ftp myserver.com
    Connected to myserver.com (208.86.x.x).
    220 ProFTPD 1.3.3e Server ready.
    Name (myserver.com):
    Step 4a. Change Port in ProFTPD

    Open /etc/proftpd.conf in an editor and change the Port to what you want SFTP to use. To make it easy on your users you could use Port 22 since it would be the default in SFTP clients. You could also pick something random such as 3822.

    Code:
    Port                                 22
    Step 4b. Enable SFTP in main proftpd.conf

    Add the following lines to your /etc/proftpd.conf file, somewhere near the top of the file so it's easy to find:

    Code:
    ##
    ## SFTP Config
    SFTPEngine      On
    SFTPHostKey /etc/ssh/ssh_host_rsa_key
    SFTPHostKey /etc/ssh/ssh_host_dsa_key
    SFTPClientMatch "WS_FTP" channelWindowSize 1GB
    # enable for sftp debugging:
    #TraceLog /var/log/proftpd/sftp-trace.log
    #Trace scp:20 sftp:20 ssh2:20
    ## End SFTP Config
    ##
    COMMENT OUT the 'bytes' log in /etc/proftpd.conf as well:

    Code:
    #ExtendedLog            /var/log/proftpd/1.2.3.4.bytes WRITE,READ userlog
    Step 4c. Enable SFTP in IP-based FTP vhosts

    Add the following lines into EACH VirtualHost container in /etc/proftpd.vhosts.conf:

    Code:
    SFTPEngine      On
    Port            22
    SFTPHostKey /etc/ssh/ssh_host_rsa_key
    SFTPHostKey /etc/ssh/ssh_host_dsa_key
    The Port should match what you used in Step 4a. Make sure you put these 4 new lines before EACH </VirtualHost> in that file.

    ALSO COMMENT OUT the bytes log in each VirtualHost entry

    Step 4d. Enable SFTP config in FTP vhost template


    Open up /usr/local/directadmin/data/templates/custom/proftpd.vhosts.conf in an editor. This should be a new file that you don't currently have, paste in:

    Code:
    <VirtualHost |ip|>
            ServerName              "|ServerName|"
            AuthUserFile            |AuthUserFile|
    
            SFTPEngine      On
            Port            22
    
            SFTPHostKey /etc/ssh/ssh_host_rsa_key
            SFTPHostKey /etc/ssh/ssh_host_dsa_key
    
    </VirtualHost>
    Again, the Port should match what you used in Step 4a

    Step 5. Restart ProFTPD

    Restart proftpd, Linux:
    Code:
     service proftpd restart
    FreeBSD:
    Code:
     /usr/local/etc/rc.d/proftpd restart
    Step 6. Test it out

    Test it out! If you telnet to the new port you should see a greeting like this:

    Code:
    # telnet myserver.com 22
    Trying 208.86.x.x...
    Connected to myserver.com.
    Escape character is '^]'.
    SSH-2.0-mod_sftp/0.9.7
    <binary SSH_MSG_KEXINIT packet>diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14- ...
    That is normal. Now use an SFTP client like FileZilla and try it out. You should use the exact same usernames and passwords as you did previously for FTP.


    Comments, questions?
    Last edited by rootbsd; 06-14-2011 at 06:53 AM. Reason: updated improved options in proftpd.conf
    RootBSD - FreeBSD VPS Hosting
    • FreeBSD VPS - Reliable Xen VPS
    • Ask about DirectAdmin special offers!
    • www.rootbsd.net
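The following script is an added example; it is not part of the original post, nor ProFTPD's or DirectAdmin's own tooling. It checks a proftpd.conf / proftpd.vhosts.conf for the directives steps 4b-4d add to every VirtualHost block (SFTPEngine On, a Port, at least one SFTPHostKey, and the bytes ExtendedLog commented out), checks that the SFTPHostKey files are not group- or world-accessible (mod_sftp refuses to load a host key with such permissions), and classifies a server greeting the way step 6's telnet test does, so an FTP "220" reply is told apart from an "SSH-2.0-..." banner. The two-vhost sample config, the 203.0.113.x addresses and the file paths are constructed for the dry run; the live probe assumes bash (for /dev/tcp).

```shell
#!/bin/bash
# Added example (not from the original post, ProFTPD or DirectAdmin).
# Verifies the mod_sftp edits from steps 4b-4d and reproduces step 6's
# greeting check. Assumptions: bash (/dev/tcp) and a POSIX awk;
# every path and IP address below is hypothetical.

# check_sftp_vhosts [FILE]   (reads stdin when FILE is omitted)
# Prints "OK <ip>" or "MISSING <ip>: <what>" per <VirtualHost> block and
# returns non-zero if any block lacks SFTPEngine On, a Port or an SFTPHostKey,
# or still has an uncommented "ExtendedLog ... bytes" line.
check_sftp_vhosts() {
    awk '
    BEGIN { bad = 0 }
    /^[[:space:]]*<VirtualHost/ {
        ip = $2; sub(/>.*/, "", ip)
        eng = port = key = bytes = 0
    }
    /^[[:space:]]*SFTPEngine[[:space:]]+[Oo]n/    { eng = 1 }
    /^[[:space:]]*Port[[:space:]]+[0-9]+/         { port = 1 }
    /^[[:space:]]*SFTPHostKey[[:space:]]+/        { key = 1 }
    /^[[:space:]]*ExtendedLog[[:space:]]+.*bytes/ { bytes = 1 }   # "#ExtendedLog" does not match
    /^[[:space:]]*<\/VirtualHost>/ {
        msg = ""
        if (!eng)  msg = msg " SFTPEngine"
        if (!port) msg = msg " Port"
        if (!key)  msg = msg " SFTPHostKey"
        if (bytes) msg = msg " (active bytes ExtendedLog)"
        if (msg == "") print "OK " ip
        else { print "MISSING " ip ":" msg; bad = 1 }
    }
    END { exit bad }
    ' "${1:--}"
}

# hostkey_perms_ok FILE: mod_sftp refuses a host key readable by group or
# world, so the SFTPHostKey files must be 0600/0400. ls -l is used because
# stat's flags differ between Linux and FreeBSD; columns 5-10 are the
# group/other permission bits.
hostkey_perms_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# classify_banner LINE -> sftp | ssh | ftp | unknown
# An FTP server greets with a 220 reply; an SSH server (mod_sftp included)
# sends its version string first. That is what step 6's telnet shows, and
# why one listening port cannot serve both protocols.
classify_banner() {
    case "$1" in
        SSH-2.0-mod_sftp/*) echo sftp ;;
        SSH-*)              echo ssh ;;
        220\ *|220-*)       echo ftp ;;
        *)                  echo unknown ;;
    esac
}

# probe_port HOST PORT: read the first line the server sends and classify it.
probe_port() {
    local line
    exec 3<>"/dev/tcp/$1/$2" || return 1
    IFS= read -r -t 5 line <&3
    exec 3<&-
    classify_banner "$(printf '%s' "$line" | tr -d '\r')"
}

# sample_config: a constructed proftpd.vhosts.conf. The first block has the
# step 4c edits; the second was left as DirectAdmin generated it.
sample_config() {
cat <<'EOF'
<VirtualHost 203.0.113.10>
        ServerName              "ProFTPD"
        AuthUserFile            /etc/proftpd.passwd
        SFTPEngine      On
        Port            22
        SFTPHostKey /etc/ssh/ssh_host_rsa_key
        SFTPHostKey /etc/ssh/ssh_host_dsa_key
        #ExtendedLog            /var/log/proftpd/203.0.113.10.bytes WRITE,READ userlog
</VirtualHost>
<VirtualHost 203.0.113.11>
        ServerName              "ProFTPD"
        AuthUserFile            /etc/proftpd.passwd
        Port            22
        SFTPHostKey /etc/ssh/ssh_host_rsa_key
        ExtendedLog            /var/log/proftpd/203.0.113.11.bytes WRITE,READ userlog
</VirtualHost>
EOF
}

# Dry run on the constructed config. On a real server run instead:
#   check_sftp_vhosts /etc/proftpd.vhosts.conf && probe_port myserver.com 22
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    sample_config | check_sftp_vhosts || echo "fix the blocks listed above"
    for k in /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_dsa_key; do
        hostkey_perms_ok "$k" && echo "perms ok: $k" || echo "perms NOT ok (or missing): $k"
    done
fi
```

Run it as root after step 4 and before the restart in step 5; a block reported as MISSING is one that will still answer plain FTP (or not start at all), and a host key that fails the permission check will make mod_sftp reject the SFTPHostKey line when ProFTPD restarts.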

  2. #2
    I was about to correct you on writing the correct name for a FTP over SSL/TLS channel, which is FTPS and not SFTP, then I actually read your post and you are right, this is an SFTP (as in SecureSHell FTP) emulation performed by an FTP daemon. This is not FTPS (also known as S/FTP or Secure FTP), which is the mod_tls you were talking about.

    I didn't know about mod_sftp, thank you for sharing this information.
    I won't use it though, because SFTP is much more limited than FTP/FTPS: to list a few differences, files are delivered through the command channel, which limits one transfer or command at a time and also makes FXP (remote to remote transfer) impossible; only binary transfers are possible AFAIK, no fast ASCII; SFTP with OpenSSH is very slow, even when used with the blowfish cipher, don't know about ProFTPd/mod_sftp though -- is it fast enough?

    It is true that FTPS doesn't encrypt the transfer channel, and that the ip_conntrack_ftp netfilter module for linux can't track the transfer channel port and eventually open it if closed... I surely hope that the SFTP protocol will evolve into something better in the future, so I can use it. FTP is a very old and insecure protocol.
    Martino Dell'Ambrogio <tillo@tillo.ch> http://www.tillo.ch/ Security Auditor

  3. #3
    Quote Originally Posted by tillo View Post
    files are delivered through the command channel, which limits one transfer or command at a time and also make FXP (remote to remote transfer) impossible;
    True but on standard web hosting servers I don't think you will find people actually using FXP. Also you can transfer multiple files at a time, it just requires multiple logins. FileZilla client supports this - for example I just tested it with 8 simultaneous uploads.


    Quote Originally Posted by tillo View Post
    SFTP with OpenSSH is very slow, even when used with blowfish chiper, don't know about ProFTPd/mod_sftp though -- is it fast enough?
    Well I guess it depends on what you consider "very slow". I'm able to saturate a 100Mbit/s line using scp to copy to ProFTPD/mod_sftp (12.5MBytes/sec). On most shared web hosting servers, I don't think you will find users expecting to upload faster than 100Mbit/s.

    Quote Originally Posted by tillo View Post
    only binary transfers are possible AFAIK, no fast ASCII
    I'm not sure what you mean, it seems to go plenty fast enough for me.


    Quote Originally Posted by tillo View Post
    I surely hope that the SFTP protocol will evolve in something better in the future, so I can use it. FTP is a very old and insecure protocol.
    I kind of doubt SFTP will evolve much, I think it works great for most users.

  4. #4
    mod_tls is better and easier.

  5. #5
    Quote Originally Posted by rootbsd View Post
    True but on standard web hosting servers I don't think you will find people actually using FXP.
    Also true, but I do.

    Quote Originally Posted by rootbsd View Post
    Also you can transfer multiple files at a time, it just requires multiple logins. FileZilla client supports this - for example I just tested it with 8 simultaneous uploads.
    Also true, but what if someone wants to limit concurrent logins (I don't).

    Quote Originally Posted by rootbsd View Post
    Well I guess it depends on what you consider "very slow". I'm able to saturate 100Mbit/s line using scp to copy to ProFTPD/mod_sftp (12.5MBytes/sec). On most shared web hosting servers, I don't think you will find users expecting to upload faster than 100Mbit/s.
    This is very good to know, I've never been able to do that with OpenSSH on machines with limited resources. I usually have a loss of 60-80% in speed from FTPS to SFTP (because transfers on SFTP are encrypted and on FTPS are not, of course).

    Quote Originally Posted by rootbsd View Post
    I'm not sure what you mean, it seems to go plenty fast enough for me.
    That's not what I meant, ASCII transfer is a method FTP uses to transfer text (and script) files, automatically converting line endings (and sometimes metadata, like charset values) from Windows (CRLF) or Macintosh (CR) to UNIX (LF). It often saves time wasted looking for a reason for a conf or script to not work.

    Quote Originally Posted by rootbsd View Post
    I kind of doubt SFTP will evolve much, I think it works great for most users.
    Well, I may think about using mod_sftp if it really is so fast, and also if my usual clients (lftp for linux and FlashFXP for Windows) are fully compatible with SFTP. And for FXP I'll just go back to FTPS; one doesn't exclude the other...

    I'll use your guide soon enough and comment it if I find any missing part or error. Thank you again!

    Quote Originally Posted by scsi View Post
    mod_tls is better and easier.
    Easier? Sure! Better? Absolutely not. It's not secure at all, which is worse than ever because people think it's secure. The only things that are secured are file names (but not directory listings) and transfer ports (which are easily retrieved in a MITM attack).
    Last edited by tillo; 04-20-2009 at 07:37 AM.

  6. #6

    ftp and ssh gone

    After following steps above, both my ssh server and ftp are no longer working.

    FTP was working on port 21, ssh on port 22, now i changed ssh to port 23 and set firewall rules to match. Followed steps above for ftp to port 22 and it stopped working.

    Neither does port 21 work. Is there something I am missing here? Also, when trying to configure with sftp, the SFTPEngine directive came back as unknown directive, so I didn't put that in the proftpd.conf file. FTP fails before that step itself.

    Please help

  7. #7
    Quote Originally Posted by franc23 View Post
    FTP was working on port 21, ssh on port 22, now i changed ssh to port 23 and set firewall rules to match.
    Is sshd running? Can you connect to it locally (i.e. telnet localhost 23)?

    Not sure what else to say, you just need to troubleshoot it


    Quote Originally Posted by franc23
    Neither does port 21 work. Is there something I am missing here. Also, when trying to configure with sftp, the SFTPEngine directive came back as unknown directive, so didn't put that in the proftpd.conf file. FTP fails before that step itself.
    I think you need to re-read my original post. Did you recompile proftpd? Did you read the part about this method not supporting insecure FTP?

  8. #8
    I like it :-) Is there theoretically a way for FTP and SFTP to coexist? So that depending on the protocol, FTP/SFTP is chosen?

    best regards
    -c-

  9. #9
    I guess that if there were a way the author of mod_sftp would have done it... the SSH protocol is quite different from FTP, since the very beginning of the transaction.
    From what I can guess, the FTP server must send a 220 code, while SSH must send the distribution version. Those two are just incompatible.

  10. #10
    Hi,
    I have followed your tutorial using a CentOS 5 test VPS; I am also getting the following error when restarting proftpd:

    Starting proftpd: - Fatal: unknown configuration directive 'SFTPEngine' on line 12 of '/etc/proftpd.conf'

    When you say:
    "Note: change prefix to /usr if this is Linux instead of FreeBSD."

    Does this mean change this:
    --prefix=/usr/local --sysconfdir=/etc \

    By this?:
    --/usr=/usr/local --sysconfdir=/etc \

    Thanks for your time and help,
    Jason
    Direct Admin with Installatron
    Web Hosting, Reseller Accounts, and VPS Solutions.
    www.linkdisk.com

  11. #11
    Can anyone support this how-to?

    Does it really work?

  12. #12
    Quote Originally Posted by jdlitson View Post
    When you say:
    "Note: change prefix to /usr if this is Linux instead of FreeBSD."

    Does this mean change this:
    --prefix=/usr/local --sysconfdir=/etc \

    By this?:
    --/usr=/usr/local --sysconfdir=/etc \
    No, use --prefix=/usr - or check where your existing proftpd is, is it /usr/sbin/proftpd or /usr/local/sbin/proftpd. The point of recompiling a new proftpd is to replace the old one.

  13. #13
    Hi rootbsd,
    Thanks for the clarification.
    For CentOS 5 the path is: /usr/sbin/proftpd
    I will recompile with the new path and post my results.

    Thanks for your help.
    Jason

  14. #14
    Hi,
    I had to use the path "--prefix=/usr" just as you noted in your instructions.
    Working perfect now.

    Thanks for your great how to.
    Kind regards,
    Jason

  15. #15
    Hi,
    When adding new users in DA; I find that I have to restart proftpd manually otherwise none of the users are able to use ftp. Does anyone else have this issue? I did a fresh reinstall and got the same results.

    Thanks -Jason

  16. #16
    Quote Originally Posted by jdlitson View Post
    Hi,
    When adding new users in DA; I find that I have to restart proftpd manually otherwise none of the users are able to use ftp. Does anyone else have this issue? I did a fresh reinstall and got the same results.

    Thanks -Jason
    Actually I've seen this problem -- there is a bug somewhere that causes proftpd's sshd to stop working after SIGHUP. Sent you a PM.

  17. #17
    Very informative write up. Simple and straight forward. Thanks for sharing and more power!

  18. #18
    nobaloney (NoBaloney Internet Svcs - In Memoriam †)
    The problem I see with implementing it is that it breaks regular FTP, which most clients, old and new, will expect to work.

    Jeff
    +1 951 643-5345
    Third-Party DirectAdmin administration and support
    Dedicated Servers, Dedicated Reseller Accounts
    NoBaloney Internet Services div. Qnito Incorporated
    848 North Rainbow Blvd., Suite #3789
    Las Vegas, NV 89107-1103

  19. #19
    Join Date
    Oct 2007
    Location
    Switzerland
    Posts
    861
    Uhm, what about running two separate ProFTPDs, one with the normal config and one with the new port, SFTPEngine etc?

  20. #20
    nobaloney (NoBaloney Internet Svcs - In Memoriam †)
    That might work. I write might because it would depend on whether either of them shares the control port or the data port, in addition to the new port.

    And I don't have time now to test. Do you ?

