Proftpd with mod_sftp doesn't start

napcok (Verified User, joined Dec 1, 2017, 9 messages, Poland)
Hello :)
CentOS 7.4 64bit

Following this howto -> https://help.directadmin.com/item.php?id=439

ProFTPD doesn't restart.
Code:
systemctl status proftpd -l
...proftpd[10200]: fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 13 of '/etc/proftpd.sftp.conf'
...proftpd[10200]: warning: unable to include '/etc/proftpd.sftp.conf': Operation not permitted
...proftpd[10200]: fatal: SFTPHostKey: unable to check '/etc/ssh/ssh_host_dsa_key': No such file or directory on line 90 of '/etc/proftpd.conf'

Code:
ls -l /etc/ssh/ssh_host_*
-rw-r----- 1 root ssh_keys  227 Nov 24 00:49 /etc/ssh/ssh_host_ecdsa_key
-rw-r--r-- 1 root root      162 Nov 24 00:49 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-r----- 1 root ssh_keys  387 Nov 24 00:49 /etc/ssh/ssh_host_ed25519_key
-rw-r--r-- 1 root root       82 Nov 24 00:49 /etc/ssh/ssh_host_ed25519_key.pub
-rw-r----- 1 root ssh_keys 1675 Nov 24 00:49 /etc/ssh/ssh_host_rsa_key
-rw-r--r-- 1 root root      382 Nov 24 00:49 /etc/ssh/ssh_host_rsa_key.pub

How to fix that?
 
I had the same issues, with an additional twist… OpenSSH keys don't work with mod_sftp (see: https://github.com/proftpd/proftpd/issues/793), which means I had to recreate both keys in older PEM format like this:
Code:
ssh-keygen -m PEM -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa
ssh-keygen -m PEM -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa -b 2048
It would be great if DirectAdmin made it easier to switch to ProFTPD with mod_sftp. I imagine it's a fairly common requirement.
 
I had the same issues, with an additional twist… OpenSSH keys don't work with mod_sftp …
Wouldn't this overwrite the default keys of the ssh server? And if you look at the last comment in the issue you mentioned, I suggest this solution:

First do step 1 of the DA how to on sftp proftpd

then create custom keys (maybe only the first is actually needed?)

Code:
mkdir /etc/proftpd/
ssh-keygen -m PEM -f /etc/proftpd/ssh_host_rsa_key -N '' -t rsa -b 2048
ssh-keygen -m PEM -f /etc/proftpd/ssh_host_dsa_key -N '' -t dsa -b 1024
ssh-keygen -m PEM -f /etc/proftpd/ssh_host_ecdsa_key -N '' -t ecdsa -b 521

And then to finish up, change in /etc/proftpd.sftp.conf the key directive and restart ftp:

Code:
sed -i '/SFTPHostKey/c\    SFTPHostKey /etc/proftpd/ssh_host_rsa_key' /etc/proftpd.sftp.conf && systemctl restart proftpd

(note: you don't have to change anything in /usr/local/directadmin/custombuild/custom/proftpd/ for this to be consistent)

You can now do the test-steps as mentioned in the DA how to.
 
P.S. personally I would also recommend adding the below to the "ifmod ssl" block

TLSOptions NoSessionReuseRequired

in /usr/local/directadmin/custombuild/custom/proftpd/conf/proftpd.conf

and then

Code:
cp /usr/local/directadmin/custombuild/custom/proftpd/conf/proftpd.conf /etc/proftpd.conf && systemctl restart proftpd

this prevents timeouts because FileZilla will not reuse the SSL session correctly sometimes.

My opinion: I think at this moment FTPS is not really useful. ProFTP does not support SNI and PureFTP does not support session reusing. Both give Filezilla users bad warnings or you have to use the main certificate which also has downsides IMHO.

SFTP works only when doing manual changes. So it would be really great to fix up the how to on DA-help page.

Discussion: I am very happy with DA and have been using it for almost two decades. And I am OK with the new licensing model. But the small things cost a lot of time and effort and I wish this would not be needed. I have a huge documentation on how to install, use and maintain DA and all the things are actually very minor things. As an example


Could be, just like this, be fixed in minutes. And it keeps on costing people precious time as you can read in the last post.

If anybody at DA needs help, I am willing to work on some things to get it a bit more polished. I understand that security-related issues have higher prio of course. Maybe letting a few people help clean up the minor things would really add to the ease of use of DA.
 
Thanks Richard. I actually gave up on ProFTPD with mod_sftp, and went back to using SFTP which I'm happy with. I can't quite remember why I didn't just do that in the first place. (No I didn't. See below.)
 
Hey Kal, thank you for the github link to the relevant issue :)

You probably mean you went back to FTPS? I think the two biggest problems with FTPS in general are:
  1. it allows insecure connections if the client wants this (might be configurable)
  2. I personally keep getting problems with timeouts and other errors when a lot of users are on it. Difficult to debug. With pureFTP it was sometimes because of session reusing. In general it is strange because it uses stuff like control and data channels etc.
  3. accepting of certificates due to lack of SNI on Proftp.
So even if I wanted FTP, there is no way of doing it the right way at this time with FileZilla (and that is used a lot). That is because I really want people to use their own domain when connecting to (S)FTP(S) so I can move their package from one server to another without them having to change anything (settings regarding mailserver and FTP server).

A guy here says it very nicely:

FTP is a stupid protocol and needs to die.

It has served humanity its purpose and now it's time to hand it over to a better protocol :LOL:

I am really thinking of disabling all FTP(S) and moving on to SFTP for all clients.

Kind regards and have a nice day
 
You probably mean you went back to FTPS? …
No, I don't use FTPS for the same reason you gave (1): there's no guarantee (with Explicit SSL) that the client will enforce an encrypted channel.

What I meant was vanilla SFTP over SSH. Ah, but my memory fails me again (well, you did reopen quite an old thread! 😄)… It seems I did stick with ProFTPD and mod_sftp which allows me to disable shell access for users, but still give them SFTP. As a bonus, I can also use different ports for SSH and SFTP.
 
But the small things cost a lot of time and effort and I wish this would not be needed. I have a huge documentation on how to install, use and maintain DA …
Yeah, it's not for the faint of heart, that's for sure. My installation and maintenance notes are mind-bogglingly huge as well.
 
Just an update; things might have changed a bit on the side of CB. Or at least I had some difficulty getting things up and running or understanding my previous post. So, just to be sure, another write-down. As I see it, this is at the moment the best way to make everything work correctly (using as much as possible the default config files as intended by DA/CB):

First we need to set proftpd as our ftp server and use a custom file that builds proftp with the sftp module

Code:
cd /usr/local/directadmin/custombuild
./build update
./build set ftpd "proftpd"
mkdir -p custom/proftpd
wget -O custom/proftpd/configure.proftpd http://files.directadmin.com/services/all/sftp/configure.proftpd.sftp
chmod 755 custom/proftpd/configure.proftpd

now we build proftpd

./build proftpd

Proftpd is now broken due to the key problem. So we are creating our own keys to prevent the error that was the reason for this post in the first place:

Code:
mkdir /etc/proftpd/
ssh-keygen -m PEM -f /etc/proftpd/ssh_host_rsa_key -N '' -t rsa -b 2048
ssh-keygen -m PEM -f /etc/proftpd/ssh_host_dsa_key -N '' -t dsa -b 1024
ssh-keygen -m PEM -f /etc/proftpd/ssh_host_ecdsa_key -N '' -t ecdsa -b 521

change the configfile so it uses the new keys

sed -i '/SFTPHostKey/c\ SFTPHostKey /etc/proftpd/ssh_host_rsa_key' /etc/proftpd.conf

Now you can EITHER disable FTPS completely:

perl -pi -e 's/TLSEngine.*/TLSEngine off/' /etc/proftpd.conf

OR add a variable that seems to fix some problems with Filezilla for FTP(e)S

sed -i '/TLSEngine on.*/aTLSOptions NoSessionReuseRequired' /etc/proftpd.conf

If you want to change the port, now is the time. Do this also in /etc/proftpd.conf because there is no /etc/proftpd.sftp.conf anymore.

make sure a rebuild of proftpd will survive our changes. To be sure, let's just rebuild it now.

Code:
mkdir /usr/local/directadmin/custombuild/custom/proftpd/conf/
cp /etc/proftpd.conf /usr/local/directadmin/custombuild/custom/proftpd/conf/proftpd.conf
./build proftpd

make sure proftp runs correctly

ps aux | grep proftpd

All done!

Now, if for some reason you want to load possible new versions of the default conf and buildfile (maybe once a year? Or simply during every update?), simply do:

rm /usr/local/directadmin/custombuild/custom/proftpd/conf/proftpd.conf

and re-do all the commands above. EXCEPT the part where you build the keys (the three ssh-keygen commands)

P.S. the clamav part in the documentation is not compatible with this approach I think.
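Both recipes in this thread (the "create custom keys in /etc/proftpd" post and the updated step list above) hinge on the same three things mod_sftp checks at startup: the SFTPHostKey file exists, it is not group- or world-accessible (on CentOS 7 the stock /etc/ssh/ssh_host_rsa_key is 0640 root:ssh_keys, which mod_sftp rejects even though the group is restricted, and chmod 600 on it alters what the OpenSSH packaging set up), and it is a PEM key rather than an OpenSSH-format key (proftpd issue 793). The pre-flight script below is an added example, not code from DirectAdmin, CustomBuild or the ProFTPD project; it reads every SFTPHostKey directive out of a proftpd.conf path you pass as its argument and reports which of those conditions fails, so you can see the problem before `systemctl restart proftpd` rather than in the journal afterwards. The PEM header strings are the standard ones ssh-keygen -m PEM writes; the config path and key paths are whatever you pass in.

```shell
#!/bin/sh
# Pre-flight check for ProFTPD mod_sftp host keys (added example, not DirectAdmin's
# or ProFTPD's own code). For every SFTPHostKey directive in the given proftpd.conf
# it verifies: the file exists, its mode has no group/world bits, and it is a PEM key.
# Usage: sh check_sftp_keys.sh /etc/proftpd.conf   (path is an assumption)

# Return 0 if the file's mode has no group/world bits at all, which is what
# mod_sftp's "group- or world-accessible" check requires. Portable: parses the
# permission column of `ls -ld` (chars 5-10 are the group and other bits).
mode_is_private() {
  perms=$(ls -ld "$1" | cut -c5-10)
  [ "$perms" = "------" ]
}

# Return 0 if the first line is a classic PEM header (RSA/DSA/EC as written by
# `ssh-keygen -m PEM`). OpenSSH-format keys start with "BEGIN OPENSSH PRIVATE KEY"
# and are not usable by mod_sftp.
key_is_pem() {
  first=$(head -n 1 "$1")
  case "$first" in
    "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN DSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----")
      return 0 ;;
    *)
      return 1 ;;
  esac
}

# Check one key file. Prints one diagnostic per problem; returns 0 only if clean.
check_sftp_hostkey() {
  key="$1"
  status=0
  if [ ! -f "$key" ]; then
    echo "FAIL $key: no such file"
    return 1
  fi
  if ! mode_is_private "$key"; then
    echo "FAIL $key: group- or world-accessible (use a dedicated 0600 key, e.g. under /etc/proftpd/)"
    status=1
  fi
  if ! key_is_pem "$key"; then
    echo "FAIL $key: not a PEM key; regenerate with ssh-keygen -m PEM"
    status=1
  fi
  if [ "$status" -eq 0 ]; then
    echo "OK   $key"
  fi
  return "$status"
}

# Check every uncommented SFTPHostKey directive in a config file (leading
# whitespace allowed, as produced by the sed '/SFTPHostKey/c\ ...' edits above).
# Exit status is the number of failing keys, so 0 means safe to restart.
check_proftpd_conf() {
  conf="$1"
  bad=0
  for key in $(sed -n 's/^[[:space:]]*SFTPHostKey[[:space:]]*//p' "$conf"); do
    check_sftp_hostkey "$key" || bad=$((bad + 1))
  done
  return "$bad"
}

if [ "$#" -gt 0 ]; then
  check_proftpd_conf "$1"
fi
```

The script only reads files, so it is safe to run as a normal user with read access to the config; a non-zero exit status is the count of keys that mod_sftp would refuse, which makes it usable as a guard in front of the restart step (`sh check_sftp_keys.sh /etc/proftpd.conf && systemctl restart proftpd`).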
 
Just an update; Things might have changed a bit on the side of CB. Or at least I had some difficulty getting things up and running …

Yes, it seems a lot has changed. ProFTPd completely stopped working for me with recent updates, as it did for some other users, with the error 'Server 'ProFTPd': cannot support both FTPS (TLSEngine on) and SFTP (SFTPEngine on) for the same host'.

But now it looks like you don't have to use custom configs just to make SFTP work. See this comment from @smtalk, where he says:
It's been fixed in alpha build, we're still thinking if we should auto-remove custom configs in next update of DA, if there are any configs for SFTP. The fix with alpha would be:

Code:
da update alpha
rm -f /usr/local/directadmin/custombuild/custom/proftpd/conf/proftpd.conf
rm -f /usr/local/directadmin/custombuild/custom/proftpd/conf/proftpd.sftp.conf
./build proftpd

Not sure what version number alpha was when that was posted in December, but switching to alpha and removing the custom proftpd.conf file certainly did the trick. I tore out a lot of hair before I stumbled across that comment!
 
Strange, I do not have to switch branches for everything to work. You are sure simply "resetting" everything does not help? You are running CentOS 7?
 
Just tested it on Cloud Linux 8, Current branch, new install

only additional line to docs install guide I used was

Code:
chmod 600 /etc/ssh/ssh_host_rsa_key

as it already has a key there

it should work the same on AlmaLinux as it is the base branch for Cloud Linux
 
In my "how to" I create a key in another location. This to prevent certain problems. Maybe it helps if you also use this. Try to follow the steps exactly. I hope this works and if you have any tips on how to change the how to so it works, please let me know.
 
Strange, I do not have to switch branches for everything to work. You are sure simply "resetting" everything does not help? You are running CentOS 7?
Yeah, it's definitely working in the current version now. I was previously on stable, so that may have been the problem. Anyway, the upshot is I don't think you need to download custom configs and throw salt over your shoulder to make SFTP work anymore. :) (I'm running AlmaLinux 8.)
 