Using SFTP with ProFTPd

ProFTPd is a daemon designed for FTP access, but did you know it also handles the SFTP protocol? Its main advantages over FTP are:

  • the flows are encrypted (authentication and data)
  • there are no issues with active/passive modes

These reasons make SFTP more appealing than FTP (or FTPS, which is too complex).


ProFTPd also brings enhancements over OpenSSH's chrooted SFTP:

  • you don't need to expose port 22 (SSH+SFTP)
  • the settings remain focused on share options
  • you don't need to tweak sshd_config to allow chrooted SFTP
  • you can manage virtual accounts
  • you can chroot into any directory (OpenSSH's SFTP requires the chroot directory to be owned by root)

Method 1: SFTP with ProFTPd (password auth)

This is the easiest one. It consists in declaring virtual users who each have their own home and their own password.

Into /etc/proftpd/proftpd.conf

Now enable SFTP with these settings:

SFTPEngine         on
Port               2222
SFTPLog            /var/log/proftpd/sftp.log
TransferLog        /var/log/proftpd/sftp-xferlog
# Host Keys
SFTPHostKey        /etc/ssh/ssh_host_rsa_key
SFTPHostKey        /etc/ssh/ssh_host_dsa_key
# Auth methods
SFTPAuthMethods    password
AuthUserFile       /etc/proftpd/sftp.passwd
# SFTP specific configuration
DefaultRoot        ~

I have arbitrarily chosen port 2222, but you can use any other port that is not in use.

Create the user

Now we create the virtual users config file:

touch /etc/proftpd/sftp.passwd
chown proftpd /etc/proftpd/sftp.passwd
chmod go-rwx /etc/proftpd/sftp.passwd

Now we generate the password with 'pwgen' and hash it with 'mkpasswd':

PASS=$(pwgen -Bs1 15); echo "$PASS"
mkpasswd --hash=md5 "$PASS"

Now create the new virtual user and map his UID and GID onto an existing user (e.g. www-data, 33:33):

vi /etc/proftpd/sftp.passwd
virtual1:HASSSSSHHHH:33:33::/var/www/magento/medias:/bin/bash

Restart ProFTPd and test your connection

/etc/init.d/proftpd restart
sftp -P 2222 virtual1@localhost
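As an added example (not code from the original article): a small POSIX shell helper that builds an AuthUserFile line from the values above and audits an existing AuthUserFile for the mistakes that silently break or weaken this setup (group/other-readable file, wrong field count, empty password hash, non-numeric UID/GID, relative home). The hash is still produced by mkpasswd as shown; the helper only assembles and checks. The login names, paths and hash string used with it are constructed test data.

```shell
#!/bin/sh
# Added example, not part of the original article. Builds one AuthUserFile
# entry from the values used above and audits an existing AuthUserFile for
# the mistakes that silently break or weaken this setup. Names, paths and
# the hash string used with it are constructed test data; the real hash
# still comes from mkpasswd as shown in the article.

# Emit one AuthUserFile line: login:hash:uid:gid:gecos:home:shell
# The crypt(3) hash is passed in (mkpasswd output), never computed here.
make_sftp_passwd_entry() {
    login=$1; hash=$2; uid=$3; gid=$4; home=$5; shell=$6
    case "$login" in
        ''|*[!A-Za-z0-9._-]*) echo "bad login '$login'" >&2; return 1 ;;
    esac
    [ -n "$hash" ] || { echo "empty hash refused (would be a passwordless account)" >&2; return 1; }
    for n in "$uid" "$gid"; do
        case "$n" in
            ''|*[!0-9]*) echo "uid/gid must be numeric" >&2; return 1 ;;
        esac
    done
    case "$home" in
        /*) ;;
        *) echo "home must be an absolute path: '$home'" >&2; return 1 ;;
    esac
    [ -n "$shell" ] || { echo "shell is required" >&2; return 1; }
    printf '%s:%s:%s:%s::%s:%s\n' "$login" "$hash" "$uid" "$gid" "$home" "$shell"
}

# Print field $2 of the colon-separated line $1.
field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# Audit an AuthUserFile. Returns 1 if the file mode grants group or other any
# access, or if any line has the wrong field count, an empty hash, a
# non-numeric uid/gid or a relative home. Every finding is reported on stderr.
check_sftp_passwd_file() {
    f=$1; rc=0
    mode=$(stat -c '%a' "$f") || return 1
    case "$mode" in
        *00) ;;                      # 600, 400: only the owner can read it
        *) echo "$f: mode $mode grants group/other access" >&2; rc=1 ;;
    esac
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -n "$line" ] || continue
        nf=$(printf '%s\n' "$line" | awk -F: '{ print NF }')
        if [ "$nf" -ne 7 ]; then
            echo "$f:$n: expected 7 fields, found $nf" >&2; rc=1; continue
        fi
        [ -n "$(field "$line" 2)" ] || { echo "$f:$n: empty password hash" >&2; rc=1; }
        for v in "$(field "$line" 3)" "$(field "$line" 4)"; do
            case "$v" in ''|*[!0-9]*) echo "$f:$n: non-numeric uid/gid" >&2; rc=1 ;; esac
        done
        case "$(field "$line" 6)" in
            /*) ;;
            *) echo "$f:$n: home is not absolute" >&2; rc=1 ;;
        esac
    done < "$f"
    return $rc
}
```

Run the audit after every edit of the file, for instance check_sftp_passwd_file /etc/proftpd/sftp.passwd, so that a stray chmod or a line saved with an empty hash is caught before ProFTPd is restarted.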

Method 2: SFTP with ProFTPd (key auth)

Using a private/public key pair gives much stronger authentication, especially if you protect the key with a passphrase. I will assume that you already have your keys (otherwise: man ssh-keygen). The procedure remains close to the previous one:

Into /etc/proftpd/proftpd.conf

The SFTP configuration is the same as in the previous method, but the # Auth methods section changes:

SFTPEngine              on
Port                    2222
SFTPLog                 /var/log/proftpd/sftp.log
TransferLog             /var/log/proftpd/sftp-xferlog
# Host Keys
SFTPHostKey             /etc/ssh/ssh_host_rsa_key
SFTPHostKey             /etc/ssh/ssh_host_dsa_key
# Auth methods
SFTPAuthMethods         publickey
SFTPAuthorizedUserKeys  file:/etc/proftpd/sftp.passwd.keys/%u
# SFTP specific configuration
DefaultRoot             ~

Create the users

Our virtual users are stored in a particular way:

  • one config file per virtual user
  • the filename is interpreted as the login
  • in this file, you copy every public key you need
  • the user MUST exist in the system as well

In our configuration, these users are stored in the folder /etc/proftpd/sftp.passwd.keys:

mkdir /etc/proftpd/sftp.passwd.keys
chown proftpd /etc/proftpd/sftp.passwd.keys
chmod go-rwx /etc/proftpd/sftp.passwd.keys

Now we will create a system user. This is where the ProFTPD documentation falls short: it doesn't explain that you need this, nor why. We need this physical user because there are several things ProFTPd can't define by itself for "key" users:

  • the system rights for the virtual user (classic)
  • his shell (otherwise he can't interact with the filesystem)
  • his (chrooted) home (the most important point!)

So let's create the user virtual2 in the operating system. His home will be the chroot. I suggest you create it with a UID > 5000, in order to easily spot these SFTP users in /etc/passwd:

adduser --home /var/www/magento/dir --uid 5000 virtual2

Now, create the user in ProFTPd. Be careful: ProFTPd checks the virtual user info against the system user, so their names MUST be exactly the same:

touch /etc/proftpd/sftp.passwd.keys/virtual2

Now fill the file with the SSH public keys you want. You need to convert them to RFC 4716 format first:

ssh-keygen -e -f id_rsa.pub > /etc/proftpd/sftp.passwd.keys/virtual2

You can add as many keys as you want (append with >> rather than > so you don't overwrite the previous one):

cat /etc/proftpd/sftp.passwd.keys/virtual2
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20120924"
AAAAB3NzaC1yc2EAAAABJQAAAIEAu3z7yClfzTgNx18jwcfgSL4L53SsRUAdpbUQuhwdHUgPu1NEcVjbvfdff3fgjlfg5hHpBVGQw2IOV+mXSQ8lty1Oi49vVXlxVaLMn2QS2Ss8daHeAHENth4i3TEffe58jK+JUJutulekOIRaXo+V461zk9hDtrATluPHANl6UpE=
---- END SSH2 PUBLIC KEY ----
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA"
AAAAB3NzaC1yc2EAAAADAQABAAABAQDJ5j8b7rt32s5e8wcv/MzIMRSvL5EmaysD/XtJWxXACZ5m1MKq/SC9rDZdzghjgvsqE4eT3TtIK88h44ztr+tXxW6BKgCS203GgBdV5Ng20a6t06QgBIQ0HlAiTsDW8Rj5Wg18xUsh1NFyx67aI+IAGh58quTd2I9DvKsIyFUsjz9DfLUJAOvz/wEGbNsy//PwLr4YrtYu00+EffehAdf46fsjkYhVhW7lpzIwYc7C7Jpmf4UwyDmPpzWsFZrVokcMGercVF5HJe0ZW2UZOkPYwB4gu1vhdJd972g/+UxdDTLxtYDvtLPMXz7Rc2ixp5jrV3/7ESy48mgoFonNMSr
---- END SSH2 PUBLIC KEY ----

Restart ProFTPd and test your connection

/etc/init.d/proftpd restart
sftp -P 2222 virtual2@localhost

Note: proftpd reload tends to crash proftpd, after which you have to start it again. Restarting is therefore the cleaner option.
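As an added example (not the article's code): the RFC 4716 conversion done in plain POSIX shell instead of ssh-keygen -e, together with the two checks the text insists on before a key is installed: the per-user file must be named exactly like the login, and a system user of that name must exist. The passwd file is /etc/passwd by default, but any passwd-format file can be passed, which is how the example is exercised offline. The key line and passwd entries used with it are constructed, not real keys; which key types a given ProFTPd version accepts is not something this helper decides.

```shell
#!/bin/sh
# Added example, not part of the original article. Converts an OpenSSH public
# key line to the RFC 4716 layout read by SFTPAuthorizedUserKeys and installs
# it under the per-user file, enforcing the article's rules first. All keys
# and passwd entries used with it are constructed test data.

# OpenSSH "<type> <base64 blob> [comment]" -> RFC 4716 block on stdout.
# The base64 blob is identical in both formats; only the framing differs
# (BEGIN/END markers, a Comment: line, body wrapped at 72 columns).
to_rfc4716() {
    line=$1
    type=$(printf '%s\n' "$line" | cut -d' ' -f1)
    blob=$(printf '%s\n' "$line" | cut -d' ' -f2 -s)
    comment=$(printf '%s\n' "$line" | cut -d' ' -f3- -s)
    case "$type" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type: '$type'" >&2; return 1 ;;
    esac
    case "$blob" in
        ''|*[!A-Za-z0-9+/=]*) echo "key blob is not base64" >&2; return 1 ;;
    esac
    printf '%s\n' '---- BEGIN SSH2 PUBLIC KEY ----'
    printf 'Comment: "%s"\n' "${comment:-$type}"
    printf '%s\n' "$blob" | fold -w 72
    printf '%s\n' '---- END SSH2 PUBLIC KEY ----'
}

# The article's rule: a "key" user must also exist as a system account with
# exactly the same name, since ProFTPd takes uid, shell and chroot home from
# it. passwd_file defaults to /etc/passwd; any passwd-format file works.
system_user_exists() {
    login=$1; passwd_file=${2:-/etc/passwd}
    grep -q "^$login:" "$passwd_file"
}

# Install a key for a login: validate the name, require the system user,
# then append the converted block to <keys_dir>/<login> (the file name IS
# the login). Nothing is written unless every check passes.
add_sftp_key() {
    login=$1; key_line=$2; keys_dir=$3; passwd_file=${4:-/etc/passwd}
    case "$login" in
        ''|*[!A-Za-z0-9._-]*) echo "refusing login '$login'" >&2; return 1 ;;
    esac
    if ! system_user_exists "$login" "$passwd_file"; then
        echo "no system user '$login': ProFTPd would reject this key" >&2
        return 1
    fi
    block=$(to_rfc4716 "$key_line") || return 1
    printf '%s\n' "$block" >> "$keys_dir/$login"
}

# Number of RFC 4716 blocks in a per-user key file (one BEGIN marker each).
count_keys() {
    grep -c '^---- BEGIN SSH2 PUBLIC KEY ----$' "$1"
}
```

On the real server the call is add_sftp_key virtual2 "$(cat id_rsa.pub)" /etc/proftpd/sftp.passwd.keys; because the helper appends, a second call adds a second block instead of overwriting the first, and count_keys tells you how many keys a login currently has.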

SFTP and FTP with ProFTPd

If you want both FTP and SFTP at the same time in ProFTPd, you need to use a virtual host. First, define your FTP configuration as usual. Then put the whole SFTP configuration into the virtual host, this way:

# FTP settings
[...]
<VirtualHost PUBLIC_IP_HERE>
    SFTPEngine on
    # Useful option
    AllowOverwrite     on
    # classical confs
    Port                    2222
    SFTPLog                 /var/log/proftpd/sftp.log
    [...]
</VirtualHost>

SFTP auth key + password

You can mix both authentication methods if you need to. I will not describe both procedures again; there are just a few directives to adapt in the ProFTPd configuration:

# Auth methods
SFTPAuthMethods         publickey password
SFTPAuthorizedUserKeys  file:/etc/proftpd/sftp.passwd.keys/%u
AuthUserFile            /etc/proftpd/sftp.passwd

Then you have to create both virtual user files as described in the previous methods above.

Mathieu Olivier
