[Proftpd-user] questions about sftp
Shaoping Xie
2016-09-29 15:51:12 UTC
Dear All,

I am working on setting up sftp within proftpd. Here are some questions:

1. I would like to run proftpd as a different user rather than root. According to the document, SFTPHostKey should be the value from the system sshd. The system sshd is under root. Should I generate the keys under root or the proftpd owner?

2. The system has sshd running (also sftp). I don't understand how the sftp of proftpd is distinguished from the sftp of the system (OS)?

Thank you,
Shaoping
TJ Saunders
2016-09-29 20:35:33 UTC
Post by Shaoping Xie
1. I would like to run proftpd as a different user rather than root. According to the document, SFTPHostKey should be
the value from the system sshd. The system sshd is under root. Should I generate the keys under root or the proftpd owner?
The SFTPHostKey can point to *any* SSH host key; it's only _convenient_
(but not necessary) to reuse the system host keys.

For your needs, you will probably want to generate new hostkeys for your
non-root-running ProFTPD. Note that it does not matter which user
_generates_ the keys; it only matters what ownership/permissions are on
those files. A non-root user may not have the permissions to read the
system host keys.
Post by Shaoping Xie
2. The system has sshd running (also sftp). I don't understand how the sftp of proftpd is distinguished from the sftp of
the system (OS)?
You will need to have ProFTPD's mod_sftp listening on a port different
from your system's SFTP server, in order to distinguish between them.

Hope this helps!
TJ
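The two points in TJ's answer (host key files must be readable by the user ProFTPD actually runs as, and mod_sftp must not share a port with the system sshd) are easy to check before starting the daemon. The following Python script is an added example for this thread, not code from ProFTPD or from anyone on the list. It reads the SFTPHostKey and Port directives out of a proftpd.conf snippet, verifies ownership and mode of each key file, and compares the port against the Port lines of sshd_config. The paths, config text and uid used in demo() are constructed for the example; the checker tolerates trailing comments as a convenience and makes no claim about ProFTPD's own config parser.

```python
"""Pre-flight checks for a non-root ProFTPD mod_sftp instance.

Added example, not ProFTPD code. It checks:
  1. every SFTPHostKey file is owned by the daemon user and is not
     group/world accessible (a key the daemon cannot read is useless,
     a key others can read is a leak of the server identity), and
  2. the Port of the mod_sftp vhost does not collide with a port the
     system sshd listens on.
Paths, uids and config text in demo() are constructed for the example.
"""
import os
import re
import stat
import tempfile

SFTP_HOST_KEY_RE = re.compile(r'^\s*SFTPHostKey\s+(\S+)', re.IGNORECASE)
PORT_RE = re.compile(r'^\s*Port\s+(\d+)', re.IGNORECASE)


def _directive_lines(conf_text):
    """Yield config lines with '#' comments stripped (checker convenience,
    not a statement about how ProFTPD itself parses comments)."""
    for line in conf_text.splitlines():
        yield line.split('#', 1)[0]


def parse_proftpd_sftp(conf_text):
    """Return ([SFTPHostKey paths], [Port numbers]) found in the snippet."""
    keys, ports = [], []
    for line in _directive_lines(conf_text):
        m = SFTP_HOST_KEY_RE.match(line)
        if m:
            keys.append(m.group(1))
            continue
        m = PORT_RE.match(line)
        if m:
            ports.append(int(m.group(1)))
    return keys, ports


def parse_sshd_ports(sshd_conf_text):
    """Ports the system sshd listens on; OpenSSH defaults to 22 if none is set."""
    ports = set()
    for line in _directive_lines(sshd_conf_text):
        m = PORT_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports or {22}


def check_host_key(path, daemon_uid):
    """Problems with one host key file, as human-readable strings."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f'{path}: does not exist']
    problems = []
    if st.st_uid != daemon_uid:
        problems.append(f'{path}: owned by uid {st.st_uid}, '
                        f'but the daemon runs as uid {daemon_uid}')
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f'{path}: mode {stat.S_IMODE(st.st_mode):04o} '
                        f'is group/world accessible; expected 0600')
    return problems


def preflight(conf_text, sshd_conf_text, daemon_uid):
    """All problems found; an empty list means the checks passed."""
    keys, ports = parse_proftpd_sftp(conf_text)
    problems = []
    if not keys:
        problems.append('no SFTPHostKey directive found')
    for key in keys:
        problems.extend(check_host_key(key, daemon_uid))
    sshd_ports = parse_sshd_ports(sshd_conf_text)
    for port in ports:
        if port in sshd_ports:
            problems.append(f'Port {port} collides with the system sshd')
    return problems


def demo():
    """Constructed scenario: one correct key, one world-readable key, and a
    vhost on port 22 while the system sshd also listens on 22."""
    workdir = tempfile.mkdtemp()
    good = os.path.join(workdir, 'ssh_host_rsa_key')
    bad = os.path.join(workdir, 'ssh_host_ecdsa_key')
    for path, mode in ((good, 0o600), (bad, 0o644)):
        with open(path, 'w') as fh:
            fh.write('-----BEGIN PRIVATE KEY-----\n'
                     '(constructed placeholder, not a real key)\n'
                     '-----END PRIVATE KEY-----\n')
        os.chmod(path, mode)
    conf = f"""
<IfModule mod_sftp.c>
  <VirtualHost 0.0.0.0>
    SFTPEngine on
    Port 22                 # collides with the system sshd
    SFTPHostKey {good}
    SFTPHostKey {bad}
  </VirtualHost>
</IfModule>
"""
    sshd_conf = '# Port 2222\nPort 22\n'
    return preflight(conf, sshd_conf, os.getuid())


if __name__ == '__main__':
    for problem in demo():
        print('FAIL:', problem)
```

Run it as the user the daemon will run as (the uid passed to preflight is taken from os.getuid() in demo()); a clean run returns an empty list. Generating the keys with ssh-keygen as any user and then chown/chmod-ing them to the daemon user satisfies the first check, which is exactly TJ's point that the generating user does not matter.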
Shaoping Xie
2016-09-30 02:05:46 UTC
Hi TJ,

Thank you for your answers. I still have some problems:

1. For Hostkey: It works when I use the private key. The problem is that it always asks for the passphrase. How can I get rid of it, since I don't want it in automation?

2. I have assigned a different port, 1022, for sftp. I have found that I can log on to the system via sftp at both 22 and 1022. However, can I disable sftp access at port 22?

3. I cannot make chroot work for sftp, although it works as expected for ftp login. How can I make chroot work as with the ftp setup? I can go to any directory if permitted via sftp at either 22 or 1022.

4. The sftp log is not as good as expected. I would like the sftp log to be like the ftp log. How can I make it happen?

Thank you,
Shaoping
J***@bertelsmann.de
2016-09-30 07:27:25 UTC
Hi.
Post by Shaoping Xie
3. I cannot make chroot work for sftp although it works as expected for ftp login. How can I make chroot work as with ftp setup? I can go to any directory if permitted via sftp at either 22 or 1022.
For this, comment out or remove the line stating "Subsystem sftp" in /etc/ssh/sshd_config (or wherever your sshd_config is).

Regards
—
Jan Dreyer
Shaoping Xie
2016-09-30 14:24:59 UTC
Hi Jan,
Yes, I can disable the native sftp. However, I still have the chroot problem.

Thank you,
Shaoping
TJ Saunders
2016-09-30 17:11:57 UTC
Post by Shaoping Xie
Yes, I can disable the native sftp. However, I still have the chroot problem.
By definition, a non-root user *cannot* use the chroot(2) system call.

If you require chroot-like behavior for a non-root daemon, you might
look into using the mod_vroot module:

https://github.com/Castaglia/proftpd-mod_vroot/

Cheers,
TJ
Shaoping Xie
2016-09-30 17:41:21 UTC
proftpd cannot start properly as a non-root user. Therefore, proftpd runs under root. chroot works as expected for ftp but not for sftp. Have I done something wrong within the sftp module?

#######################################################################################
# sftp module
#**************************************************************************************
  <IfModule mod_sftp.c>
    <VirtualHost nyvmapd72.opco.com>
      SFTPEngine on
      SFTPLog /var/tx/log/admin/sftp.log

      # Configure the server to listen on the normal SSH2 port, port 22
      Port 5022

      DefaultRoot ~/data

      # Configure the RSA, DSA, and ECDSA host keys, using the same host key
      # files that OpenSSH uses.
      SFTPHostKey /var/tx/etc/ssh/ssh_host_rsa_key
      SFTPHostKey /var/tx/etc/ssh/ssh_host_dsa_key

      # Configure the file used for comparing authorized public keys of users.
      SFTPAuthorizedUserKeys file:~/.sftp/authorized_keys

      # Enable compression
      SFTPCompression delayed

      # Allow the same number of authentication attempts as OpenSSH.
      #
      # It is recommended that you explicitly configure MaxLoginAttempts
      # for your SSH2/SFTP instance to be higher than the normal
      # MaxLoginAttempts value for FTP, as there are more ways to authenticate
      # using SSH2.
      MaxLoginAttempts 6
    </VirtualHost>
  </IfModule>
##################################################################################################

By the way, I cannot pass over the passphrase with ssh-keygen. I have not had the same problem with Solaris, but now I am working in Linux.

Thank you,
Shaoping
TJ Saunders
2016-09-30 18:43:08 UTC
Post by Shaoping Xie
proftpd cannot start properly as a non-root user.
Why not? What errors do you see? Have you followed everything in the
nonroot howto?

http://www.proftpd.org/docs/howto/Nonroot.html

TJ
Shaoping Xie
2016-09-30 19:48:01 UTC
It is not a big problem. Now, the major problems are chroot and the key file. Without addressing them, I cannot move forward. In addition, the sftp log information is not good. I hope that sftp can be logged like ftp.

Thank you,
Shaoping
TJ Saunders
2016-09-30 21:00:11 UTC
Post by Shaoping Xie
In addition, sftp log information is not good. I hope that sftp can be logged as ftp.
No, it cannot and will not. SFTP is a completely different protocol
than FTP.

You can get _some_ information logged the same way for both FTP and SFTP
(TransferLog, ExtendedLog), but not others.

TJ
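TJ's point is that ExtendedLog is one of the places where FTP and SFTP sessions can be logged the same way. An added example follows; it is not code from the thread or from ProFTPD. It assumes a ProFTPD configuration along the lines of

    LogFormat unified "%{protocol} %h %u %t \"%r\" %s %b"
    ExtendedLog /var/log/proftpd/unified.log ALL unified

so that the first field records the protocol (values such as ftp, ftps, sftp or scp) and the rest follows the common-log layout. The Python below parses such a log and summarises events, bytes, users and client hosts per protocol. The sample lines are constructed to that layout; the exact request (%r) and status (%s) strings a given mod_sftp version writes for SFTP operations may differ, so treat those values as illustrative.

```python
"""Summarise a ProFTPD ExtendedLog shared by FTP and SFTP sessions.

Added example, not from the thread or from ProFTPD. Assumed LogFormat:
    %{protocol} %h %u %t "%r" %s %b
Sample lines are constructed; SFTP request/status strings are illustrative.
"""
import re

LINE_RE = re.compile(
    r'^(?P<protocol>\S+) (?P<host>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\S+) (?P<bytes>\S+)$'
)

# Constructed sample: an FTP download, an SFTP upload, and one junk line.
SAMPLE_LOG = """\
ftp 10.0.0.5 - [30/Sep/2016:15:45:23 -0400] "USER alice" 331 -
ftp 10.0.0.5 - [30/Sep/2016:15:45:24 -0400] "PASS (hidden)" 230 -
ftp 10.0.0.5 alice [30/Sep/2016:15:45:30 -0400] "RETR report.csv" 226 20480
sftp 10.0.0.9 bob [30/Sep/2016:15:46:02 -0400] "OPEN /data/upload.bin" 0 -
sftp 10.0.0.9 bob [30/Sep/2016:15:46:03 -0400] "WRITE /data/upload.bin" 0 65536
sftp 10.0.0.9 bob [30/Sep/2016:15:46:03 -0400] "CLOSE /data/upload.bin" 0 -
garbage that does not match the format
"""


def parse_line(line):
    """One log line -> dict of fields, or None if it does not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # %b is '-' when no bytes were transferred by that command.
    rec['bytes'] = 0 if rec['bytes'] == '-' else int(rec['bytes'])
    return rec


def parse_log(text):
    """Return (parsed records, lines that were rejected)."""
    records, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            rejected.append(line)
        else:
            records.append(rec)
    return records, rejected


def summarize(records):
    """Per-protocol totals: event count, bytes, logged-in users, client hosts.
    '-' (not yet authenticated) is not counted as a user."""
    out = {}
    for rec in records:
        s = out.setdefault(rec['protocol'],
                           {'events': 0, 'bytes': 0, 'users': set(), 'hosts': set()})
        s['events'] += 1
        s['bytes'] += rec['bytes']
        s['hosts'].add(rec['host'])
        if rec['user'] != '-':
            s['users'].add(rec['user'])
    for s in out.values():
        s['users'] = sorted(s['users'])
        s['hosts'] = sorted(s['hosts'])
    return out


if __name__ == '__main__':
    recs, bad = parse_log(SAMPLE_LOG)
    for proto, s in summarize(recs).items():
        print(f"{proto}: {s['events']} events, {s['bytes']} bytes, "
              f"users={s['users']}, hosts={s['hosts']}")
    print(f'{len(bad)} unparseable line(s)')
```

Unparseable lines are returned rather than silently dropped, so a format mismatch (for example a LogFormat that differs from the one assumed here) shows up immediately instead of as missing events.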

Matus UHLAR - fantomas
2016-09-30 13:52:27 UTC
Please switch to plaintext mail when communicating on mailing lists.
Yahoo has some problems converting html mail to plaintext.
Post by Shaoping Xie
I still have some problems:

1. For Hostkey: It works when I use the private key. The problem is that it always asks for the passphrase. How can I get rid of it, since I don't want it in automation?

2. I have assigned a different port, 1022, for sftp. I have found that I can log on to the system via sftp at both 22 and 1022. However, can I disable sftp access at port 22?

3. I cannot make chroot work for sftp, although it works as expected for ftp login. How can I make chroot work as with the ftp setup? I can go to any directory if permitted via sftp at either 22 or 1022.

4. The sftp log is not as good as expected. I would like the sftp log to be like the ftp log. How can I make it happen?
1. use host key that does not have passphrase.
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
LSD will make your ECS screen display 16.7 million colors
Shaoping Xie
2016-09-30 15:45:23 UTC
Hi Matus,

It seems that Yahoo does not have the option for text format. I will regenerate the key and see whether the problem can be solved.

Thank you,
Shaoping