HOW-TO: SFTP support in ProFTPD

[tillo]

Nope but I'll probably test it out some time this year, if I finally happen to have some free time

 

[Mopquill]

I know it's been a few months since anyone posted in this thread, but, I just followed this tutorial, and it worked perfectly. It was excellent. I just wanted to thank the original poster for taking the time out to write this. =]

 

[jdlitson]

Hi Mopquill,
What OS did you configure it in, and is your OS 32 bit or 64 bit?

Thanks,
Jason

 

[Mopquill]

Hi Mopquill,
What OS did you configure it in, and is your OS 32 bit or 64 bit?

Thanks,
Jason

CentOS 5.3, 32-bit.

Output of uname -a:

Linux sub.example.com [omitted] Fri Aug 21 03:42:35 MSD 2009 i686 i686 i386 GNU/Linux

Although, I will note, when adding a new user, I have to reload proftpd before that user can access anything, but, the others users work fine. That is no big deal though, as I can just change the script that adds FTP users so that it reloads proftpd after adding the user.

 

[Mopquill]

Do not use this modification.

As it turns out, I also start getting my password denied after around 24-48 hours, and I have to restart proftpd.

On top of this, my users are repeatedly being suspended for bandwidth over-usage, and it would seem it is being caused by ProFTPporting bandwidth usage incorrectly because of this modification. I've contacted DA Support, and this is generally what we came up with. Although, I've also asked them what I should do in order to get SFTP/FTP over SSL working (in order to not have passwords transmitted in plain-text) with ProFTP, so I will share my solution once one is provided.

So, again, don't do this.

 

[angelf9]

I was researching how to mod_sftp in DA and I discovered it is now included with proftpd source code (see here: http://www.castaglia.org/proftpd/#Modules).
So, if you're using custombuild, Step 2 should be changed to something like:

cp /usr/local/directadmin/custombuild/configure/proftpd/configure.proftpd /usr/local/directadmin/custombuild/custom/proftpd/configure.proftpd

Edit /usr/local/directadmin/custombuild/custom/proftpd/configure.proftpd and change mod_tls to mod_sftp.

cd /usr/local/directadmin/custombuild/
./build clean
./build update
./build proftd

Also, has enyone else experienced the same problems Mopquill has with mod_sftp?
_

 

[rootbsd]

As it turns out, I also start getting my password denied after around 24-48 hours, and I have to restart proftpd.

On top of this, my users are repeatedly being suspended for bandwidth over-usage

Thanks for mentioning. I had fixed these issues on our servers but forgot to update this HOWTO. I just went and edited the original instructions I posted. Of course YMMV, use at your own risk.

The say SFTP works and the way ProFTPD logs it, is basically impossible to do bandwidth tracking. So I have just disabled FTP bandwidth logging.

 

[rootbsd]

I was researching how to mod_sftp in DA and I discovered it is now included with proftpd source code

Cool next time I do a new SFTP setup I'll try it out and update the instructions.

 

[Spark]

I was researching how to mod_sftp in DA and I discovered it is now included with proftpd source code (see here: http://www.castaglia.org/proftpd/#Modules).
So, if you're using custombuild, Step 2 should be changed to something like:

cp /usr/local/directadmin/custombuild/configure/proftpd/configure.proftpd /usr/local/directadmin/custombuild/custom/proftpd/configure.proftpd

Edit /usr/local/directadmin/custombuild/custom/proftpd/configure.proftpd and change mod_tls to mod_sftp.

cd /usr/local/directadmin/custombuild/
./build clean
./build update
./build proftd

Also, has enyone else experienced the same problems Mopquill has with mod_sftp?
_

This works I have tested it

 

[Spark]

Also you can have standard ftp and SFTP running in tandem as per the mod_sftp documentation:

Example Configuration
When using mod_sftp to handle SFTP connections, you will want to create a separate <VirtualHost> section for the mod_sftp configuration. SSH2 (and thus SFTP) requires a different port than FTP; in order to listen on different ports, proftpd requires different <VirtualHost> sections. You can have multiple <VirtualHost> sections for the same address (IP address or DNS name), just different Port directives.

<IfModule mod_sftp.c>
<VirtualHost a.b.c.d>
SFTPEngine on
SFTPLog /etc/proftpd/sftp/sftp.log

# Configure the server to listen on the normal SSH2 port, port 22
Port 22

# Configure both the RSA and DSA host keys, using the same host key
# files that OpenSSH uses.
SFTPHostKey /etc/ssh_host_rsa_key
SFTPHostKey /etc/ssh_host_dsa_key

# Configure the file used for comparing authorized public keys of users.
SFTPAuthorizedUserKeys file:~/.sftp/authorized_keys

# Enable compression
SFTPCompression delayed

# Allow the same number of authentication attempts as OpenSSH.
#
# It is recommended that you explicitly configure MaxLoginAttempts
# for your SSH2/SFTP instance to be higher than the normal
# MaxLoginAttempts value for FTP, as there are more ways to authenticate
# using SSH2.
MaxLoginAttempts 6

</VirtualHost>
</IfModule>

you just create secondary vhost entries for the same IP address

 

[Spark]

Also for those that don't care about having FTP and SFTP side by side like the original tutorial shows you, can skip some steps to make your life easier.

Dont do steps: 4a, 4b, 4c, 4d

Instead put this between the <Global> </Global> tags in /etc/proftpd.conf

<IfModule mod_sftp.c>
SFTPEngine On
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key
# Enable compression
SFTPCompression delayed
# Allow the same number of authentication attempts as OpenSSH.
#
# It is recommended that you explicitly configure MaxLoginAttempts
# for your SSH2/SFTP instance to be higher than the normal
# MaxLoginAttempts value for FTP, as there are more ways to authenticate
# using SSH2.
MaxLoginAttempts 6
</IfModule>

COMMENT OUT the 'bytes' log in /etc/proftpd.conf as well:
#ExtendedLog /var/log/proftpd/1.2.3.4.bytes WRITE,READ userlog

ALSO COMMENT OUT the bytes log in each VirtualHost entry


Open up /usr/local/directadmin/data/templates/custom/proftpd.vhosts.conf in an editor:

COMMENT OUT:
ExtendedLog |ExtendedLog| WRITE,READ userlog



service restart proftpd


Regards!

 

[frankc420]

This was helpful. Proftpd is now hosting standard FTP, SSL, and SFTP for me.

Thanks!

 

[Roberto67]

Hi, here is how I setup mod_tls (ftpes) and mod_sftp to live together.
First of all, these are my speed test (ftpes seems a bit faster in upload mode):

ftpes
upload: about 22.4 K/s
download: more than 800 K/s

sftps
upload about 18.2 K/s
download: more than 800 K/s

***

My configure options:

./configure \
        --prefix=/usr/local \
        --without-pam --disable-auth-pam \
        --enable-openssl \
        --with-modules=mod_ratio:mod_readme:mod_sftp:mod_tls

***

So, I have two daemons, one for each protocol. I manage the config in this way:

file ftpes.conf

# common stuff goes here
Include /usr/local/etc/proftpd/proftpd.conf

<IfModule mod_tls.c>
    TLSEngine on
    PassivePorts 49152 65534 # in case ftpd is behind a firewall.
    TLSLog /var/log/proftpd/tls.log
    TLSProtocol SSLv3 TLSv1
    TLSRequired ctrl
    TLSRSACertificateFile /usr/local/etc/ssl/certs/proftpd.pem
    TLSRSACertificateKeyFile /usr/local/etc/ssl/certs/proftpd.pem
    TLSVerifyClient off
    TLSRenegotiate none
</IfModule>

file sftp.conf

# common stuff 
Include /usr/local/etc/proftpd/proftpd.conf

<IfModule mod_sftp.c>
        SFTPEngine on
        SFTPLog /var/log/proftpd/sftp.log
        Port 2222
        SFTPHostKey /etc/ssh/ssh_host_rsa_key
        SFTPHostKey /etc/ssh/ssh_host_dsa_key
        SFTPCompression delayed
        MaxLoginAttempts 6
</IfModule>

And finally start the two daemons calling their config file respectively:

# /usr/local/sbin/proftpd -c /usr/local/etc/proftpd/ftpes.conf
# /usr/local/sbin/proftpd -c /usr/local/etc/proftpd/sftp.conf

 

[Arieh]

Im testing mod_tls and it doesn't seem to be working on any other IP then the main IP. On the main IP, it connects and shows me the certificate, but when I change the IP it says this:

Commando:	AUTH TLS
Antwoord:	500 AUTH not understood
Commando:	AUTH SSL
Antwoord:	500 AUTH not understood

I tried putting the <if module tls in <global or in the vhost of that other ip, but that isnt allowed apparently. Also it would be nice to have the option to put a different certificate per IP but that's not a priority.

When connecting to the other IP nothing shows up in /var/log/proftpd/proftpd.tls.log, so it somehow tls not enabled at all for those IPs.

Is there something I'm missing about proftpd & diffrent IPs?

 

[interfasys]

I thought I would correct some of the wrong statements made in this thread:

1) It only encrypts the control channel of FTP, leaving the actual data transferred still in clear text.

It is true that FTPS doesn't crypt the transfer channel, and that the ip_conntrack_ftp netfilter module for linux can't track the transfer channel port and eventually open it if closed...

This is completely wrong. You can encrpyt the control AND the data channel. You can encrypt listings as well. If your FTP client doesn't support it, then maybe it's time to switch client.

2) That also causes problems with FTP traversal of firewalls since the firewall can't see which ports are going to be needed, although that can be worked around with PassivePorts configuration in ProFTPD.

This is quite a common problem, that is not directly related to FTPS. It's easy to add passive ports to ProFTPd

3) FTP/TLS support is also less common in FTP clients.

I actually find FTPS to be more common.

@Arieh, maybe you're using implicit SSL in your client and you should switch to Explicit SSL?

 

[Arieh]

I indeed had that before, but that's not the problem now since I only change the IP address and keep the same settings.

 

[nobaloney]

@interfasys:

And I'll add that the easiest way to configure ProFTPd for passive ports isn't to configure it at all, but to allow related ftp ports through the server firewall.

Jeff

 

[Roberto67]

I correct myself. Running ftpes and sftp in two separate daemons create erros. I have proftpd working fine just running one of them in turn. I updated my short guide here: http://notes.sagredo.eu/node/3, I hope it would be useful..

 

[jadamnation]

Basic question about how mod_sftp works

Am giving DA a go - interested in this SFTP / FTP thread.

I really don't like the idea of giving people FTP access, so initially I thought the FTPS (FTP SSL) was a good bet. Problem is that it seems to generate lots of issues with people having incompatible clients etc.

So the idea of mod_sftp - using SSH based security, seemed like a really good idea.

However - I'm a bit confused how this module works.

Is it the same as openssl / SSH - does it just hand everything over to SSH - meaning that users can get a shell, and basically you can't lock them down to their own vsite (they can list files outside their web root)?

What I would like to do is to give the user the SFTP details from his DA username/pw, for them to use these details to securely SFTP in with pretty much any secure file transfer client (without compatibility / firewall problems) - but for them to be locked down to their own website folders - and with no shell access - just like with plain old FTP.

Is mod_sftp going to enable me to do this?

Cheers,

JD

 

[rootbsd]

Is it the same as openssl / SSH - does it just hand everything over to SSH - meaning that users can get a shell, and basically you can't lock them down to their own vsite (they can list files outside their web root)?

What I would like to do is to give the user the SFTP details from his DA username/pw, for them to use these details to securely SFTP in with pretty much any secure file transfer client (without compatibility / firewall problems) - but for them to be locked down to their own website folders - and with no shell access - just like with plain old FTP.

This writeup for proftpd with mod_ssh does not use the OpenSSH daemon at all, client connects to proftpd which is speaking the ssh/sftp protocol itself. This lets you create SFTP users that don't have "real" unix user accounts on the system.

So, it does do what you want.