  • 0

Configuring Proftpd to act as SFTP Server


naytsyrhc

Question

Hi there,

 

just wanted to share some information about setting up proftpd as sftp server with froxlor users.

 

I searched for this solution but couldn't find anything that suited my needs.

 

So, what I wanted to achieve was the following:

  • Using Froxlor FTP-Account management
  • No SSH Access for FTP-Users
  • Chroot for FTP-Users
  • No FTP Protocol  (to avoid Firewall-Config-Nightmares)
  • No interference with standard ssh access

The setup was quite easy/straight-forward:

 

1st edit /etc/proftpd/modules.conf and add following line:

LoadModule mod_sftp.c

 2nd edit /etc/proftpd/sql.conf and add following line:

Include /etc/proftpd/sftp.conf

3rd create file /etc/proftpd/sftp.conf with following content:

<IfModule mod_sftp.c>
SFTPEngine				on
SFTPLog					/var/log/proftpd/sftp.log
SFTPHostKey				/etc/ssh/ssh_host_dsa_key
SFTPHostKey				/etc/ssh/ssh_host_rsa_key
</IfModule>

4th restart proftpd:

service proftpd restart

Now your users are able to login to SFTP using standard FTP Port 21 (and you only need to open that port in your firewall), SSH File Transfer Protocol and will only be able to write to the FTP-Directory (i.e. customers home).

 

Hope this helps someone.
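
A check for the goal stated in the post ("No FTP Protocol" on port 21), added here as an example and not part of the original post: after the restart, read the first bytes the server sends and confirm they are an SSH identification line rather than an FTP greeting. The function names and the default host in `__main__` are assumptions for illustration.

```python
import socket
import sys


def classify_banner(data: bytes) -> str:
    """Classify the first bytes a server sends after the TCP connect.

    An SSH server (RFC 4253) sends an identification line starting with
    "SSH-", possibly after other lines. An FTP server greets with a
    three-digit reply code such as 220 ("220 ..." or "220-...").
    """
    for raw in data.splitlines():
        line = raw.decode("ascii", "replace").strip()
        if line.startswith("SSH-"):
            return "ssh"
        if len(line) >= 3 and line[:3].isdigit() and line[3:4] in ("", " ", "-"):
            return "ftp"
    return "unknown"


def probe(host: str, port: int = 21, timeout: float = 5.0) -> str:
    """Connect, read the greeting and classify it; never sends any data."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.settimeout(timeout)
            data = conn.recv(256)
    except OSError as exc:  # refused, unreachable or no greeting in time
        return "error: " + exc.__class__.__name__
    return classify_banner(data)


def sftp_only(host: str, port: int = 21) -> bool:
    """True when the port answers with an SSH banner, i.e. mod_sftp is active."""
    return probe(host, port) == "ssh"


if __name__ == "__main__":
    # Hypothetical default target; pass your own server name as argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(target, "port 21 ->", probe(target, 21))
```
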


7 answers to this question


  • 0

Secondly, I want to add the ability to "publish" DNS zones to an external server. For example... I have several Froxlor hosting servers each with their own DNS zones. I also have dedicated public DNS servers that will do the actual work. Froxlor would connect to these DNS servers and setup slave zones on them.


  • 0

Hi,

thanks for the config, exactly this I was searching for.

But it does not work, I get only a "Protocol error" when I try to connect.

 

Here is the log of the connection attempt:

Nov 12 18:36:33 mod_sftp/0.9.8[28999]: using '/etc/ssh/ssh_host_dsa_key' as DSA hostkey
Nov 12 18:36:33 mod_sftp/0.9.8[28999]: using '/etc/ssh/ssh_host_rsa_key' as RSA hostkey
Nov 12 18:36:33 mod_sftp/0.9.8[28999]: error using DisplayLogin 'welcome.msg': No such file or directory
Nov 12 18:36:33 mod_sftp/0.9.8[28999]: received client version 'SSH-2.0-WinSCP_release_5.7.6'
Nov 12 18:36:33 mod_sftp/0.9.8[28999]: handling connection from SSH2 client 'WinSCP_release_5.7.6'
Nov 12 18:36:33 mod_sftp/0.9.8[28999]:  + Session key exchange: diffie-hellman-group-exchange-sha256
Nov 12 18:36:33 mod_sftp/0.9.8[28999]:  + Session server hostkey: ssh-rsa
Nov 12 18:36:33 mod_sftp/0.9.8[28999]:  + Session client-to-server encryption: aes256-ctr
Nov 12 18:36:33 mod_sftp/0.9.8[28999]:  + Session server-to-client encryption: aes256-ctr
Nov 12 18:36:33 mod_sftp/0.9.8[28999]:  + Session client-to-server MAC: hmac-sha1
Nov 12 18:36:33 mod_sftp/0.9.8[28999]:  + Session server-to-client MAC: hmac-sha1
Nov 12 18:36:33 mod_sftp/0.9.8[28999]:  + Session client-to-server compression: none
Nov 12 18:36:33 mod_sftp/0.9.8[28999]:  + Session server-to-client compression: none
Nov 12 18:36:36 mod_sftp/0.9.8[28999]: authentication request for user 'apollox' blocked by 'USER' handler
Nov 12 18:36:36 mod_sftp/0.9.8[28999]: disconnecting (Protocol error)

EDIT:

Problem solved
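
Added example, not part of the original post or of ProFTPD: a small parser for the SFTPLog format shown in the log above. It groups lines by process id and reports client version, negotiated algorithms, blocked authentication requests and the disconnect reason. The `LEGACY` set is an example review policy and an assumption; it says nothing about why the request was blocked.

```python
import re
from collections import defaultdict

# One SFTPLog line: "<date> mod_sftp/<version>[<pid>]: <message>"
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} mod_sftp/[\w.]+\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
HOSTKEY = re.compile(r"^using '(?P<path>[^']*)' as (?P<type>\w+) hostkey$")
CLIENT = re.compile(r"^received client version '(?P<version>[^']*)'$")
NEGOTIATED = re.compile(r"^\+ Session (?P<what>[^:]+): (?P<value>\S+)$")
BLOCKED = re.compile(r"^authentication request for user '(?P<user>[^']*)' "
                     r"blocked by '(?P<handler>[^']*)' handler$")
DISCONNECT = re.compile(r"^disconnecting \((?P<reason>.*)\)$")
# Example review policy (an assumption; replace with your own baseline).
LEGACY = {"DSA", "ssh-dss", "hmac-sha1", "hmac-md5", "diffie-hellman-group1-sha1"}


def summarize(lines):
    """Group SFTPLog lines by process id and summarise each connection."""
    sessions = defaultdict(lambda: {"client": None, "hostkeys": [], "negotiated": {},
                                    "blocked": [], "disconnect": None, "legacy": set()})
    for line in lines:
        entry = LINE.match(line.strip())
        if not entry:
            continue  # not a mod_sftp line
        s, msg = sessions[entry["pid"]], entry["msg"]
        if m := HOSTKEY.match(msg):
            s["hostkeys"].append((m["type"], m["path"]))
            s["legacy"] |= {m["type"]} & LEGACY
        elif m := CLIENT.match(msg):
            s["client"] = m["version"]
        elif m := NEGOTIATED.match(msg):
            s["negotiated"][m["what"]] = m["value"]
            s["legacy"] |= {m["value"]} & LEGACY
        elif m := BLOCKED.match(msg):
            s["blocked"].append((m["user"], m["handler"]))
        elif m := DISCONNECT.match(msg):
            s["disconnect"] = m["reason"]
    return dict(sessions)


# Sample input: lines copied from the log in the post above.
SAMPLE = """\
Nov 12 18:36:33 mod_sftp/0.9.8[28999]: using '/etc/ssh/ssh_host_dsa_key' as DSA hostkey
Nov 12 18:36:33 mod_sftp/0.9.8[28999]: received client version 'SSH-2.0-WinSCP_release_5.7.6'
Nov 12 18:36:33 mod_sftp/0.9.8[28999]:  + Session key exchange: diffie-hellman-group-exchange-sha256
Nov 12 18:36:33 mod_sftp/0.9.8[28999]:  + Session client-to-server MAC: hmac-sha1
Nov 12 18:36:36 mod_sftp/0.9.8[28999]: authentication request for user 'apollox' blocked by 'USER' handler
Nov 12 18:36:36 mod_sftp/0.9.8[28999]: disconnecting (Protocol error)
""".splitlines()
```
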


  • 0


Hello Men, one question. This works with the port 21 or 22?

 

regards,


  • 0


First post, at the end: 

 

 

Now your users are able to login to SFTP using standard FTP Port 21 (and you only need to open that port in your firewall), SSH File Transfer Protocol and will only be able to write to the FTP-Directory (i.e. customers home).


  • Similar Content

    • By ThGr
      I have managed to set up froxlor with working FTP and SFTP in parallel.
      My /etc/proftpd/sftp.conf:

      <IfModule mod_sftp.c>
      <VirtualHost 0.0.0.0 fe80::1>
      SFTPEngine on
      SFTPLog /var/log/proftpd/sftp.log
      SFTPHostKey /etc/ssh/ssh_host_ecdsa_key
      SFTPHostKey /etc/ssh/ssh_host_rsa_key
      Port 2222
      AllowOverwrite on
      DefaultRoot /var/customers/webs
      </VirtualHost>
      </IfModule>

      My /etc/ssh/sshd_config contains:

      # override default of no subsystems - changed by tg
      # Subsystem sftp /usr/lib/openssh/sftp-server
      Subsystem sftp internal-sftp
      Match User testkunde2
      ChrootDirectory /var/customers/webs
      ForceCommand internal-sftp
      AllowTCPForwarding no
      X11Forwarding no

      This is working right now. User testkunde2 is jailed in /var/customers/webs

      But what I need is a multi-user solution.
      Question 1: how could I express the match expression for all froxlor users?
      I've tried

      Match Group www-data
      ChrootDirectory /var/customers/webs
      ForceCommand internal-sftp
      AllowTCPForwarding no
      X11Forwarding no

      which doesn't match for any reason. As a result the user is not jailed in any way and has read access to the root dir.
      The user looks like this:

      getent passwd testkunde2
      testkunde2:x:10001:10001:th gr:/var/customers/webs/testkunde2/:/bin/sh

      Question 2: chroot is only working if dir is owned by root but froxlor home dirs are owned by user. How could this be managed?
      This is a question about my personal understanding of froxlor / ssh / sftp. Froxlor home dirs are owned by its users. Is there any solution to integrate SFTP user jails for the home dirs of the users?

      Thanks to all in advance!
       
       