proftpd

configure proftpd to serve ftp and sftp simultaneously


Using Ubuntu 18.04 LTS and ProFTPD 1.3.5e.

I have ProFTPD serving FTP on ports 20, 21 and running just fine.

When I add in /etc/proftpd/conf.d/sftp.conf, FTP quits working. When I delete the sftp.conf and restart proftpd, FTP starts working again. I conclude that there is something wrong with this conf file.

Also, I want sftp to accept just a login id and password for authentication. How do I do that? I have looked at the SFTPAuthMethods directive and it looks like if I leave it out then it will allow all authentication methods and that is okay with me.

Here is the sftp.conf file:

<IfModule mod_sftp.c>

        SFTPEngine on
        Port 2222
        SFTPLog /var/log/proftpd/sftp.log

        # Configure both the RSA and DSA host keys, using the same host key
        # files that OpenSSH uses.
        SFTPHostKey /etc/ssh/ssh_host_rsa_key
        SFTPHostKey /etc/ssh/ssh_host_dsa_key

        SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u

        # Enable compression
        SFTPCompression delayed

</IfModule>

What should I change to get SFTP running on port 2222 and continue to have FTP running on ports 20 & 21?

Thanks in advance!

Update:

Based on the excellent feedback I have received in the notes, instead of using the sftp.conf file I have above, I added a wrapper and some other configuration parameters and have put that config into the proftpd.conf file. It reads as follows:

<snip>

 <IfModule mod_sftp.c>
    <VirtualHost 0.0.0.0>
      # The SFTP configuration

        SFTPEngine on
        Port 2222
        SFTPLog /var/log/proftpd/sftp.log
        Include /etc/proftpd/sql.conf

        SFTPAuthMethods password keyboard-interactive hostbased publickey

        # Configure both the RSA and DSA host keys, using the same host key
        # files that OpenSSH uses.
        SFTPHostKey /etc/ssh/ssh_host_rsa_key
        SFTPHostKey /etc/ssh/ssh_host_dsa_key

        SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u

        # Enable compression
        SFTPCompression delayed
    </VirtualHost>
  </IfModule>

So now the server is answering on FTP ports normally and on port 2222. When I attempt to connect to port 2222 using WinSCP, it fails authentication. Here is the sftp.log file snipped that is generated each time I try to connect.

2020-04-21 21:03:50,340 mod_sftp/0.9.9[13017]: sent server version 'SSH-2.0-mod_sftp/0.9.9'
2020-04-21 21:03:50,355 mod_sftp/0.9.9[13017]: received client version 'SSH-2.0-WinSCP_release_5.17.3'
2020-04-21 21:03:50,355 mod_sftp/0.9.9[13017]: handling connection from SSH2 client 'WinSCP_release_5.17.3'
2020-04-21 21:03:51,284 mod_sftp/0.9.9[13017]:  + Session key exchange: ecdh-sha2-nistp256
2020-04-21 21:03:51,284 mod_sftp/0.9.9[13017]:  + Session server hostkey: ssh-rsa
2020-04-21 21:03:51,284 mod_sftp/0.9.9[13017]:  + Session client-to-server encryption: aes256-ctr
2020-04-21 21:03:51,284 mod_sftp/0.9.9[13017]:  + Session server-to-client encryption: aes256-ctr
2020-04-21 21:03:51,284 mod_sftp/0.9.9[13017]:  + Session client-to-server MAC: hmac-sha2-256
2020-04-21 21:03:51,284 mod_sftp/0.9.9[13017]:  + Session server-to-client MAC: hmac-sha2-256
2020-04-21 21:03:51,285 mod_sftp/0.9.9[13017]:  + Session client-to-server compression: none
2020-04-21 21:03:51,285 mod_sftp/0.9.9[13017]:  + Session server-to-client compression: none
2020-04-21 21:03:51,957 mod_sftp/0.9.9[13017]: sending acceptable userauth methods: password,keyboard-interactive,hostbased,publickey
2020-04-21 21:03:52,302 mod_sftp/0.9.9[13017]: expecting USER_AUTH_INFO_RESP message, received SSH_MSG_IGNORE (2)
2020-04-21 21:03:52,322 mod_sftp_pam/0.3[13017]: PAM authentication error (7) for user 'test': Authentication failure


For FTP, I am authenticating successfully from a MySQL database. But the last line of the sftp.log file says that PAM authentication failed for my SFTP attempt. I am just trying to authenticate in the WinSCP client with a login and password that come from MySQL. Does that involve PAM authentication?

I think I am getting close!

Thanks in advance!


Solution

  • Here is the full /etc/proftpd/proftpd.conf that accomplishes my goals as stated above.

    Note that I am also using mod_sql to provide for authentication via MySQL. So there are other configuration files referenced by this config file but are not listed in this posting.

    # cat /etc/proftpd/proftpd.conf
    
    
    
    # /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
    # To really apply changes, reload proftpd after modifications, if
    # it runs in daemon mode. It is not required in inetd/xinetd mode.
    #
    
    # Includes DSO modules
    Include /etc/proftpd/modules.conf
    
    # Set off to disable IPv6 support which is annoying on IPv4 only boxes.
    UseIPv6                         on
    # If set on you can experience a longer connection delay in many cases.
    IdentLookups                    off
    
    ServerName                      "hostname"
    # Set to inetd only if you would run proftpd by inetd/xinetd.
    # Read README.Debian for more information on proper configuration.
    ServerType                      standalone
    DeferWelcome                    off
    
    MultilineRFC2228                on
    DefaultServer                   on
    ShowSymlinks                    on
    
    TimeoutNoTransfer               600
    TimeoutStalled                  600
    TimeoutIdle                     1200
    
    DisplayLogin                    welcome.msg
    DisplayChdir                    .message true
    ListOptions                     "-l"
    
    DenyFilter                      \*.*/
    
    # Use this to jail all users in their homes
    DefaultRoot                     ~
    
    # This line will create the user directories of an FTP user if they successfully authenticate but do not have a user directory.
    # See http://www.proftpd.org/docs/howto/CreateHome.html
    # CreateHome off|on [<mode>] [skel <path>] [dirmode <mode>] [uid <uid>] [gid <gid>] [homegid <gid>] [NoRootPrivs]
    CreateHome                      on dirmode 750
    
    # Users require a valid shell listed in /etc/shells to login.
    # Use this directive to release that constrain.
    RequireValidShell               off
    
    # Port 21 is the standard FTP port.
    Port                            21
    
    # In some cases you have to specify passive ports range to by-pass
    # firewall limitations. Ephemeral ports can be used for that, but
    # feel free to use a more narrow range.
    # PassivePorts                  49152 65534
    
    # If your host was NATted, this option is useful in order to
    # allow passive transfers to work. You have to use your public
    # address and opening the passive ports used on your firewall as well.
    # MasqueradeAddress             1.2.3.4
    
    # This is useful for masquerading address with dynamic IPs:
    # refresh any configured MasqueradeAddress directives every 8 hours
    <IfModule mod_dynmasq.c>
    # DynMasqRefresh 28800
    </IfModule>
    
    # To prevent DoS attacks, set the maximum number of child processes
    # to 30.  If you need to allow more than 30 concurrent connections
    # at once, simply increase this value.  Note that this ONLY works
    # in standalone mode, in inetd mode you should use an inetd server
    # that allows you to limit maximum number of processes per service
    # (such as xinetd)
    MaxInstances                    50
    
    # Set the user and group that the server normally runs at.
    User                            proftpd
    Group                           nogroup
    
    # Umask 022 is a good standard umask to prevent new files and dirs
    # (second parm) from being group and world writable.
    Umask                           022  022
    # Normally, we want files to be overwriteable.
    AllowOverwrite                  on
    
    # Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
    # PersistentPasswd              off
    
    # This is required to use both PAM-based authentication and local passwords
    # AuthOrder                     mod_auth_pam.c* mod_auth_unix.c
    
    # Be warned: use of this directive impacts CPU average load!
    # Uncomment this if you like to see progress and transfer rate with ftpwho
    # in downloads. That is not needed for uploads rates.
    #
    # UseSendFile                   off
    
    TransferLog /var/log/proftpd/xferlog
    SystemLog   /var/log/proftpd/proftpd.log
    
    # Logging onto /var/log/lastlog is enabled but set to off by default
    #UseLastlog on
    
    # In order to keep log file dates consistent after chroot, use timezone info
    # from /etc/localtime.  If this is not set, and proftpd is configured to
    # chroot (e.g. DefaultRoot or <Anonymous>), it will use the non-daylight
    # savings timezone regardless of whether DST is in effect.
    #SetEnv TZ :/etc/localtime
    
    <IfModule mod_quotatab.c>
    QuotaEngine off
    </IfModule>
    
    <IfModule mod_ratio.c>
    Ratios off
    </IfModule>
    
    
    # Delay engine reduces impact of the so-called Timing Attack described in
    # http://www.securityfocus.com/bid/11430/discuss
    # It is on by default.
    <IfModule mod_delay.c>
    DelayEngine on
    </IfModule>
    
    <IfModule mod_ctrls.c>
    ControlsEngine        off
    ControlsMaxClients    2
    ControlsLog           /var/log/proftpd/controls.log
    ControlsInterval      5
    ControlsSocket        /var/run/proftpd/proftpd.sock
    </IfModule>
    
    <IfModule mod_ctrls_admin.c>
    AdminControlsEngine off
    </IfModule>
    
    #
    # Alternative authentication frameworks
    #
    #Include /etc/proftpd/ldap.conf
    Include /etc/proftpd/sql.conf
    
    #
    # This is used for FTPS connections
    #
    #Include /etc/proftpd/tls.conf
    
    #
    # Useful to keep VirtualHost/VirtualRoot directives separated
    #
    #Include /etc/proftpd/virtuals.conf
    
    # A basic anonymous configuration, no upload directories.
    
    # <Anonymous ~ftp>
    #   User                                ftp
    #   Group                               nogroup
    #   # We want clients to be able to login with "anonymous" as well as "ftp"
    #   UserAlias                   anonymous ftp
    #   # Cosmetic changes, all files belongs to ftp user
    #   DirFakeUser on ftp
    #   DirFakeGroup on ftp
    #
    #   RequireValidShell           off
    #
    #   # Limit the maximum number of anonymous logins
    #   MaxClients                  10
    #
    #   # We want 'welcome.msg' displayed at login, and '.message' displayed
    #   # in each newly chdired directory.
    #   DisplayLogin                        welcome.msg
    #   DisplayChdir                .message
    #
    #   # Limit WRITE everywhere in the anonymous chroot
    #   <Directory *>
    #     <Limit WRITE>
    #       DenyAll
    #     </Limit>
    #   </Directory>
    #
    #   # Uncomment this if you're brave.
    #   # <Directory incoming>
    #   #   # Umask 022 is a good standard umask to prevent new files and dirs
    #   #   # (second parm) from being group and world writable.
    #   #   Umask                           022  022
    #   #            <Limit READ WRITE>
    #   #            DenyAll
    #   #            </Limit>
    #   #            <Limit STOR>
    #   #            AllowAll
    #   #            </Limit>
    #   # </Directory>
    #
    # </Anonymous>
    
    # Include other custom configuration files
    Include /etc/proftpd/conf.d/
    
      <IfModule mod_sftp.c>
        <VirtualHost 0.0.0.0>
          # The SFTP configuration
    
            SFTPEngine on
            Port 2222
            SFTPAuthMethods password
            RequireValidShell               off
            SFTPLog /var/log/proftpd/sftp.log
            Include /etc/proftpd/sql.conf
    
            # Configure both the RSA and DSA host keys, using the same host key
            # files that OpenSSH uses.
            SFTPHostKey /etc/ssh/ssh_host_rsa_key
            SFTPHostKey /etc/ssh/ssh_host_dsa_key
    
            #SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u
    
            # Enable compression
            SFTPCompression delayed
            DefaultRoot                     ~
        </VirtualHost>
      </IfModule>
    
    # Time stamp - IP Address - Protocol - User Name - UID - Filename - File Sizeo - Response Time in Milliseconds - Transfer Time in Seconds - Transfer Status - Reason for failure if applicable
    #  http://www.proftpd.org/docs/modules/mod_log.html#LogFormat
    LogFormat custom "%{iso8601} %a %{protocol} %u %{uid} %f %{file-size} %R %T %{transfer-status} %{transfer-failure}"
    ExtendedLog /var/log/proftpd/custom.log READ,WRITE custom