Proftpd with mod_sftp don't start

napcok

Hello :)
CentOS 7.4 64bit

Following this howto -> https://help.directadmin.com/item.php?id=439

ProFTPD doesn't restart.
Code:
systemctl status proftpd -l
...proftpd[10200]: fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 13 of '/etc/proftpd.sftp.conf'
...proftpd[10200]: warning: unable to include '/etc/proftpd.sftp.conf': Operation not permitted
...proftpd[10200]: fatal: SFTPHostKey: unable to check '/etc/ssh/ssh_host_dsa_key': No such file or directory on line 90 of '/etc/proftpd.conf'

Code:
ls -l /etc/ssh/ssh_host_*
-rw-r----- 1 root ssh_keys  227 Nov 24 00:49 /etc/ssh/ssh_host_ecdsa_key
-rw-r--r-- 1 root root      162 Nov 24 00:49 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-r----- 1 root ssh_keys  387 Nov 24 00:49 /etc/ssh/ssh_host_ed25519_key
-rw-r--r-- 1 root root       82 Nov 24 00:49 /etc/ssh/ssh_host_ed25519_key.pub
-rw-r----- 1 root ssh_keys 1675 Nov 24 00:49 /etc/ssh/ssh_host_rsa_key
-rw-r--r-- 1 root root      382 Nov 24 00:49 /etc/ssh/ssh_host_rsa_key.pub

How to fix that?

Kal

I had the same issues, with an additional twist… OpenSSH keys don't work with mod_sftp (see: https://github.com/proftpd/proftpd/issues/793), which means I had to recreate both keys in older PEM format like this:
Code:
ssh-keygen -m PEM -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa
ssh-keygen -m PEM -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa -b 2048
It would be great if DirectAdmin made it easier to switch to ProFTPD with mod_sftp. I imagine it's a fairly common requirement.
 

Richard L

I had the same issues, with an additional twist… OpenSSH keys don't work with mod_sftp (see: https://github.com/proftpd/proftpd/issues/793), which means I had to recreate both keys in older PEM format like this:
Code:
ssh-keygen -m PEM -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa
ssh-keygen -m PEM -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa -b 2048
It would be great if DirectAdmin made it easier to switch to ProFTPD with mod_sftp. I imagine it's a fairly common requirement.
Wouldn't this overwrite the default keys of the ssh server? And if you look at the last comment in the issue you mentioned, I suggest this solution:

First do step 1 of the DA how-to on SFTP with ProFTPD

then create custom keys (maybe only the first is actually needed?)

Code:
mkdir /etc/proftpd/
ssh-keygen -m PEM -f /etc/proftpd/ssh_host_rsa_key -N '' -t rsa -b 2048
ssh-keygen -m PEM -f /etc/proftpd/ssh_host_dsa_key -N '' -t dsa -b 1024
ssh-keygen -m PEM -f /etc/proftpd/ssh_host_ecdsa_key -N '' -t ecdsa -b 521

And then to finish up, change in /etc/proftpd.sftp.conf the key directive and restart ftp:

Code:
sed -i '/SFTPHostKey/c\    SFTPHostKey /etc/proftpd/ssh_host_rsa_key' /etc/proftpd.sftp.conf && systemctl restart proftpd

(note: you don't have to change anything in /usr/local/directadmin/custombuild/custom/proftpd/ for this to be consistent)

You can now do the test steps as mentioned in the DA how-to.
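A preflight check for the two failure modes in this thread (a host key that is group- or world-accessible, and a key in OpenSSH rather than PEM format), added here as an example and not taken from the thread or from ProFTPD itself; it assumes GNU stat (with a BSD fallback) and that the key file is readable by whoever runs it:

```shell
#!/bin/sh
# Preflight check for a candidate mod_sftp host key. It mirrors the two
# failure modes above: mod_sftp refuses a key that is group- or world-
# accessible, and it does not read the OpenSSH-native key format, so such
# a key has to be regenerated with 'ssh-keygen -m PEM'.
# Exit codes: 0 ok, 1 missing, 2 bad permissions, 3 OpenSSH format, 4 unknown.
check_sftp_hostkey() {
    key="$1"
    if [ ! -f "$key" ]; then
        echo "FAIL: $key: no such file" >&2
        return 1
    fi
    # Octal permission bits, e.g. 640 or 600 (GNU stat, BSD stat as fallback).
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    # Keep the last three digits (drops a leading setuid/setgid/sticky digit).
    perm=$(printf '%s' "$mode" | tail -c 3)
    case "$perm" in
        ?00) ;;   # no group or other bits set: what mod_sftp requires
        *)  echo "FAIL: $key is mode $perm (group- or world-accessible); use chmod 600" >&2
            return 2 ;;
    esac
    # The first line tells PEM (accepted) apart from OpenSSH native (rejected).
    header=$(head -n 1 "$key")
    case "$header" in
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN DSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----")
            ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            echo "FAIL: $key is in OpenSSH format; regenerate it with ssh-keygen -m PEM" >&2
            return 3 ;;
        *)
            echo "FAIL: $key: unrecognised first line '$header'" >&2
            return 4 ;;
    esac
    echo "OK: $key is usable as SFTPHostKey"
    return 0
}

# Run as: sh check_sftp_hostkey.sh /etc/proftpd/ssh_host_rsa_key
if [ $# -gt 0 ]; then
    check_sftp_hostkey "$1"
fi
```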
 

Richard L

P.S. personally I would also recommend adding the below to the "ifmod ssl" block

TLSOptions NoSessionReuseRequired

in /usr/local/directadmin/custombuild/custom/proftpd/conf/proftpd.conf

and then

Code:
cp /usr/local/directadmin/custombuild/custom/proftpd/conf/proftpd.conf /etc/proftpd.conf && systemctl restart proftpd

this prevents timeouts because FileZilla will not reuse the SSL session correctly sometimes.

My opinion: I think at this moment FTPS is not really useful. ProFTPD does not support SNI and PureFTPd does not support session reuse. Both give FileZilla users bad warnings, or you have to use the main certificate, which also has downsides IMHO.

SFTP works only when doing manual changes. So it would be really great to fix up the how-to on the DA help page.

Discussion: I am very happy with DA and have been using it for almost two decades. And I am OK with the new licensing model. But the small things cost a lot of time and effort and I wish this would not be needed. I have huge documentation on how to install, use and maintain DA, and all the things are actually very minor things. As an example


Could, just like this, be fixed in minutes. And it keeps on costing people precious time, as you can read in the last post.

If anybody at DA needs help, I am willing to work on some things to get it a bit more polished. I understand that security related issues have higher priority of course. Maybe letting a few people help clean up the minor things would really add to the ease of use of DA.
 

Kal

Thanks Richard. I actually gave up on ProFTPD with mod_sftp, and went back to using SFTP which I'm happy with. I can't quite remember why I didn't just do that in the first place. (No I didn't. See below.)
 

Richard L

Hey Kal, thank you for the GitHub link to the relevant issue :)

You probably mean you went back to FTPS? I think the two biggest problems with FTPS in general are:
  1. it allows insecure connections if the client wants this (might be configurable)
  2. I personally keep getting problems with timeouts and other errors when a lot of users are on it. Difficult to debug. With PureFTPd it was sometimes because of session reuse. In general it is strange because it uses stuff like control and data channels etc.
  3. accepting of certificates due to lack of SNI on ProFTPD.
So even if I wanted FTP, there is no way of doing it the right way at this time with FileZilla (and that is used a lot). That is because I really want people to use their own domain when connecting to (S)FTP(S) so I can move their package from one server to another without them having to change anything (settings regarding mailserver and FTP server).

A guy here says it very nicely:

FTP is a stupid protocol and needs to die.

It has served humanity its purpose and now it's time to hand it over to a better protocol :LOL:

I am really thinking of disabling all FTP(S) and moving on to SFTP for all clients.

Kind regards and have a nice day
 

Kal

You probably mean you went back to FTPS? …
No, I don't use FTPS for the same reason you gave (1): there's no guarantee (with Explicit SSL) that the client will enforce an encrypted channel.

What I meant was vanilla SFTP over SSH. Ah, but my memory fails me again (well, you did reopen quite an old thread! 😄)… It seems I did stick with ProFTPD and mod_sftp which allows me to disable shell access for users, but still give them SFTP. As a bonus, I can also use different ports for SSH and SFTP.
 

Kal

But the small things cost a lot of time and effort and I wish this would not be needed. I have a huge documentation on how to install, use and maintain DA …
Yeah, it's not for the faint of heart, that's for sure. My installation and maintenance notes are mind-bogglingly huge as well.
 