HOW-TO: SFTP support in ProFTPD

Another question about mod_sftp

Posted a reply but it seems to have got lost!

Thanks for the quick reply! On the face of it, mod_sftp seems to give you all the benefits of normal FTP, but secure, and without the compatibility/firewall problems of using FTPS.

I have a few more questions about mod_sftp:

Looking at this page:

http://www.castaglia.org/proftpd/modules/mod_sftp.html

It seems that mod_sftp does not support the following:

Anonymous
DirFakeUser/DirFakeGroup
MaxRetrieveFileSize/MaxStoreFileSize
UserOwner, GroupOwner

Not too bothered about anonymous - but what do the others mean?

Lack of support for UserOwner, GroupOwner - does that mean using mod_sftp I would not be able to change UID / GID? That would be a deal breaker for me.

Cheers,

JD
 
Your replies were both moderated by our anti-spam system, possibly because of the link. I've approved the second and deleted the first as a duplicate.

Jeff
 
It seems that mod_sftp does not support the following:

Anonymous
DirFakeUser/DirFakeGroup
MaxRetrieveFileSize/MaxStoreFileSize
UserOwner, GroupOwner

Not too bothered about anonymous - but what do the others mean?

I don't think these are used on 'common' DirectAdmin servers.

Check the docs for detailed explanations. http://www.proftpd.org/docs/directives/linked/by-name.html

UserOwner/GroupOwner is only used to set file ownership of new files to a *different* user than the one logged in. That is my understanding of it.


I updated the instructions in the first post to use custombuild which will give you proftpd 1.3.3c as of today.
 
@rootbsd

Have you ever managed to enable mod_sftp_pam in order to use the keyboard-interactive authentication method?
Or do you not use it on CentOS?
 
@rootbsd

Have you ever managed to enable mod_sftp_pam in order to use the keyboard-interactive authentication method?
Or do you not use it on CentOS?

What are you trying to do with mod_sftp_pam and why? I don't know why you'd want to use keyboard-interactive instead of normal password.

All of the steps in the procedure should work fine for CentOS.
 
@rootbsd,

That's OK now. I've contacted my FTP-client developer, and the issue was solved. This was the answer:

In fact, EditPlus first tries 'keyboard-interactive' and if it fails retries with the 'password' method. Your server seems to disconnect when it receives the 'keyboard-interactive' request rather than producing an error. We'll try to make this an option to avoid such cases. I'll get back to you.

It was solved in the next release. For now I don't need 'keyboard-interactive' anymore.

Thanks for your answer and How-To.
 
I tried this the other day and there was no joy in Mudville for me on this matter. Still trying to figure out what I got wrong.

Updated Dec 2, 2010

We all know plain FTP is insecure, and it's surprising how much it is still in use today.

DA comes with support for ProFTPD mod_tls; however, there are several problems with mod_tls. 1) It only encrypts the control channel of FTP, leaving the actual data transferred still in clear text. 2) That also causes problems with FTP traversal of firewalls, since the firewall can't see which ports are going to be needed, although that can be worked around with the PassivePorts configuration in ProFTPD. 3) FTP/TLS support is also less common in FTP clients.

I'm sure some here have been using SFTP with DirectAdmin; however, that is done over the system's SSH daemon. The problems with this are: 1) users must be given SSH access to use SFTP; 2) you can't restrict SSH access to certain IPs if you have customers needing to use SFTP; 3) it only lets DirectAdmin users log in; if a user creates a child FTP account, it will not work for SFTP.

SFTP hasn't been supported by many common FTP servers such as ProFTPD, until TJ Saunders wrote mod_sftp for ProFTPD. I've set it up for several people recently and it works really well. It addresses all of the above problems.

The only drawback to this implementation is that all users on the system will need to switch to SFTP. I might try to come up with a setup for running both SFTP and insecure-FTP later if there is demand.


Step 1. Change your ssh port (optional)

I recommend changing your ssh port if you haven't done so already. This is done by changing the Port line in /etc/ssh/sshd_config and restarting sshd. Make sure you know what you are doing before attempting this, since you could lock yourself out of the server.

Step 2. Compile new ProFTPD with mod_sftp instead of mod_tls

This assumes your system has custombuild already installed. If you don't have custombuild, go here to install it.

Code:
cd /usr/local/directadmin/custombuild
./build update
# enable the proftpd target in custombuild
perl -pi -e 's/proftpd=no/proftpd=yes/g' options.conf
# copy the stock configure script into custom/, which custombuild uses in preference to its own
mkdir -p custom/proftpd
cp configure/proftpd/configure.proftpd custom/proftpd/configure.proftpd
# build with mod_sftp in place of mod_tls
perl -pi -e 's/mod_tls/mod_sftp/g' custom/proftpd/configure.proftpd
./build proftpd


Step 3. Make sure new ProFTPD is working

Restart proftpd, Linux:
Code:
 service proftpd restart
FreeBSD:
Code:
 /usr/local/etc/rc.d/proftpd restart

Make sure you can still connect to your FTP server. You should see version 1.3.3b:

Code:
# ftp myserver.com
Connected to myserver.com (208.86.x.x).
220 ProFTPD 1.3.3e Server ready.
Name (myserver.com):

Step 4a. Change Port in ProFTPD

Open /etc/proftpd.conf in an editor and change the Port to what you want SFTP to use. To make it easy on your users you could use Port 22 since it would be the default in SFTP clients. You could also pick something random such as 3822.

Code:
Port                                 22

Step 4b. Enable SFTP in main proftpd.conf

Add the following lines to your /etc/proftpd.conf file, somewhere near the top of the file so it's easy to find:

Code:
SFTPEngine      On
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key

COMMENT OUT the 'bytes' log in /etc/proftpd.conf as well:

Code:
#ExtendedLog            /var/log/proftpd/1.2.3.4.bytes WRITE,READ userlog

Step 4c. Enable SFTP in IP-based FTP vhosts

Add the following lines into EACH VirtualHost container in /etc/proftpd.vhosts.conf:

Code:
SFTPEngine      On
Port            22
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key

The Port should match what you used in Step 4a. Make sure you put these 4 new lines before EACH </VirtualHost> in that file.

ALSO COMMENT OUT the bytes log in each VirtualHost entry.

Step 4d. Enable SFTP config in FTP vhost template

Open up /usr/local/directadmin/data/templates/custom/proftpd.vhosts.conf in an editor. This should be a new file that you don't currently have; paste in:

Code:
<VirtualHost |ip|>
        ServerName              "|ServerName|"
        AuthUserFile            |AuthUserFile|

        SFTPEngine      On
        Port            22

        SFTPHostKey /etc/ssh/ssh_host_rsa_key
        SFTPHostKey /etc/ssh/ssh_host_dsa_key

</VirtualHost>

Again, the Port should match what you used in Step 4a.

Step 5. Restart ProFTPD

Restart proftpd, Linux:
Code:
 service proftpd restart
FreeBSD:
Code:
 /usr/local/etc/rc.d/proftpd restart

Step 6. Test it out

Test it out! If you telnet to the new port you should see a greeting like this:

Code:
# telnet myserver.com 22
Trying 208.86.x.x...
Connected to myserver.com.
Escape character is '^]'.
SS´['Å0-mod_sftp/0.9.7
Lß    ç_ªC.ÃÇdiffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14- ...

That is normal. Now use an SFTP client like FileZilla and try it out. You should use the exact same usernames and passwords as you did previously for FTP.


Comments, questions?
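A check for the config edits in Steps 4a to 4c (and the port clash raised later in the thread), added here as an example and not part of the original post: it parses proftpd.conf, proftpd.vhosts.conf and sshd_config text and reports each VirtualHost that is missing the SFTP lines, still has the bytes log active, or uses a Port that differs from the main Port or collides with sshd. All config text and the IPs in it are constructed for the demo; the function names are mine.

```python
import re
# Constructed sample configs for this demo (not copied from a real server).
MAIN_CONF = """\
Port 22
SFTPEngine On
SFTPHostKey /etc/ssh/ssh_host_rsa_key
#ExtendedLog /var/log/proftpd/1.2.3.4.bytes WRITE,READ userlog
"""
VHOSTS_CONF = """\
<VirtualHost 192.0.2.10>
    SFTPEngine On
    Port 22
    SFTPHostKey /etc/ssh/ssh_host_rsa_key
    #ExtendedLog /var/log/proftpd/192.0.2.10.bytes WRITE,READ userlog
</VirtualHost>
<VirtualHost 192.0.2.11>
    Port 3822
    ExtendedLog /var/log/proftpd/192.0.2.11.bytes WRITE,READ userlog
</VirtualHost>
"""
SSHD_CONF = "Port 22\n"  # sshd still on 22, so the proftpd Port above collides
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)

def directive(block, name):
    """Value of the first uncommented `name` directive in block, or None."""
    m = re.search(r"^\s*%s\s+(.+?)\s*$" % re.escape(name), block, re.M | re.I)
    return m.group(1) if m else None

def check_block(label, block, want_port):
    """Findings for one config scope: the SFTP lines, the Port, and the bytes log."""
    out = []
    if (directive(block, "SFTPEngine") or "").lower() != "on":
        out.append("%s: SFTPEngine is not On" % label)
    if not directive(block, "SFTPHostKey"):
        out.append("%s: no SFTPHostKey" % label)
    if directive(block, "Port") != want_port:
        out.append("%s: Port does not match main Port %s" % (label, want_port))
    if re.search(r"^\s*ExtendedLog\s+\S+\.bytes\b", block, re.M):
        out.append("%s: bytes ExtendedLog still active" % label)
    return out

def check_sftp_config(main_conf, vhosts_conf, sshd_conf):
    """Return all findings; an empty list means the config matches the how-to."""
    main_port = directive(main_conf, "Port")
    findings = check_block("main", main_conf, main_port)
    if main_port and main_port == directive(sshd_conf, "Port"):
        findings.append("main: Port %s collides with sshd" % main_port)
    for ip, body in VHOST_RE.findall(vhosts_conf):
        findings.extend(check_block(ip, body, main_port))
    return findings
```

Run it against the real files by reading them into the three arguments; the second VirtualHost in the sample shows every finding the check can raise.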
 
Mudville is the home town of the losing team in the American ballad Casey at the Bat (wikipedia.org).
Oh, somewhere in this favored land the sun is shining bright;
The band is playing somewhere, and somewhere hearts are light,
And somewhere men are laughing, and somewhere children shout;
But there is no joy in Mudville — mighty Casey has struck out.

Jeff
 
At which step did you have questions or problems?

I completely forgot about this issue until today when I got hit with a PCI compliance issue on this.

Basically what is happening is I follow all the steps and then I attempt to use filezilla and connect to port 22000 (same as my ssh port) with an ftp user and I get a message saying SFTP is not supported.

Should I be using sftp://somedomain.com?
 
I attempt to use filezilla and connect to port 22000 (same as my ssh port) with an ftp user and I get a message saying SFTP is not supported.

Why do you try to connect on SSH port then? You should use the port you defined in proftpd.conf.

Note, proftpd and sshd should listen on different ports, not the same one.
 
Why do you try to connect on SSH port then? You should use the port you defined in proftpd.conf.

Note, proftpd and sshd should listen on different ports, not the same one.
You are right, I set the port in proftpd.conf to 21000 and in filezilla I put sftp://domainname and 21000 for the port and it worked like a charm!!!
 