Configure SFTP access with ProFTPd

Since version 1.3.3rc1 ProFTPd has a mod_sftp module. This module implements the core functionality of the SSH2 protocol and its SFTP subsystem.

Using ProFTPd's implementation brings some practical advantages:

  • no need to spawn another OpenSSH daemon on another port
  • no need to tweak sshd_config to allow chrooted SFTP
  • you can chroot a user into any directory, even ones that don't belong to root
  • you can use 'virtual' accounts instead of unix ones

Enable SFTP support

Add the following block to /etc/proftpd/proftpd.conf:

SFTPEngine on

Port 115
SFTPLog /var/log/proftpd/sftp.log
TransferLog /var/log/proftpd/sftp-xferlog

# Host Keys
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key

# SFTP specific configuration
DefaultRoot ~

I arbitrarily chose TCP port 115 because that's the port for SFTP after all (just not the same SFTP) 😉

Choose the authentication method

As with OpenSSH, authentication can be done by password or by public key. For password authentication, add the following snippet to /etc/proftpd/proftpd.conf:

# Authentication method
SFTPAuthMethods password
AuthUserFile /etc/proftpd/sftp.passwd

If you prefer using keys:

# Authentication method
SFTPAuthMethods publickey
SFTPAuthorizedUserKeys file:/etc/proftpd/sftp.passwd.keys/%u

Create user accounts

We will use ProFTPd's virtual account system. First, create the account file:

touch /etc/proftpd/sftp.passwd
chown proftpd /etc/proftpd/sftp.passwd
chmod go-rwx /etc/proftpd/sftp.passwd

The file syntax is very simple:

username:PASSWORD_HASH:UID:GID:Comment for human:/home/user_home:/bin/bash

To generate a password you can use pwgen and hash it with md5 like this:

PASS=$(pwgen -Bs1 15); echo "$PASS"
mkpasswd --hash=md5 "$PASS"

UID and GID must be numerical values. You can use the values of an actual unix account to map the virtual user onto it.
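To make the account file format concrete, here is a small helper, added as an example and not code from the original post or from ProFTPd, that builds one AuthUserFile line and lints a whole file before it is deployed. It assumes the password field holds a crypt(3)-style hash, the same kind mkpasswd emits; the md5crypt() function is a pure-Python transcription of the classic md5-crypt ($1$) scheme so the example runs without pwgen or mkpasswd, and the linter also accepts $5$/$6$ hashes. The usernames, UIDs and paths in the demo are constructed values.

```python
"""ProFTPd AuthUserFile helper: build a virtual-user line and lint a whole file.

Added example (not code from the original post or from ProFTPd). md5crypt() is a
pure-Python transcription of the FreeBSD md5-crypt ($1$) algorithm; the linter
accepts any $1$/$5$/$6$ crypt(3) hash.
"""
import hashlib
import re
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
# $id$salt$hash as produced by crypt(3) for md5-crypt, sha256-crypt, sha512-crypt
CRYPT_RE = re.compile(r"^\$(1|5|6)\$[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{22,86}$")


def _to64(value, length):
    """Encode `length` 6-bit groups of `value`, least significant group first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(length))


def md5crypt(password, salt=None):
    """Classic md5-crypt: returns '$1$<salt>$<22 chars>' (salt: 1-8 ITOA64 chars)."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    if not 1 <= len(salt) <= 8 or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 1-8 characters from ./0-9A-Za-z")
    pw, sl = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    plen = len(pw)
    while plen > 0:                      # mix in md5(pw+salt+pw), len(pw) bytes total
        ctx.update(alt[: min(16, plen)])
        plen -= 16
    i = len(pw)
    while i:                             # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                # fixed 1000 stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in groups) + _to64(final[11], 2)
    return "$1$" + salt + "$" + enc


def make_entry(username, password, uid, gid, home, comment="", shell="/bin/bash"):
    """One AuthUserFile line: user:hash:uid:gid:comment:home:shell."""
    fields = [username, md5crypt(password), str(uid), str(gid), comment, home, shell]
    if any(":" in f or "\n" in f for f in fields):
        raise ValueError("fields may not contain ':' or newlines")
    return ":".join(fields)


def check_authuserfile(text):
    """Lint AuthUserFile contents; returns [(line_no, problem), ...], empty if clean.

    Flags a wrong field count, bad or duplicate usernames, a password field that
    is not a salted crypt hash (e.g. plaintext), a non-numeric UID/GID, UID/GID 0
    (the virtual user would be mapped onto root) and a relative home directory.
    """
    problems, seen = [], set()
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            problems.append((n, "expected 7 colon-separated fields, got %d" % len(fields)))
            continue
        user, pwhash, uid, gid, _comment, home, _shell = fields
        if not USERNAME_RE.match(user):
            problems.append((n, "invalid username %r" % user))
        if user in seen:
            problems.append((n, "duplicate username %r" % user))
        seen.add(user)
        if not CRYPT_RE.match(pwhash):
            problems.append((n, "password field is not a salted crypt(3) hash"))
        for name, value in (("UID", uid), ("GID", gid)):
            if not value.isdigit():
                problems.append((n, "%s must be numeric, got %r" % (name, value)))
            elif int(value) == 0:
                problems.append((n, "%s 0 maps the virtual user onto root" % name))
        if not home.startswith("/"):
            problems.append((n, "home %r is not an absolute path" % home))
    return problems


if __name__ == "__main__":
    # Constructed demo values, not real accounts.
    line = make_entry("alice", "correct horse", 1001, 1001, "/srv/sftp/alice", "Alice")
    print(line)
    print(check_authuserfile("root:plaintext:0:0:x:home:/bin/sh\n" + line))
```

Even with public key authentication the UID, GID and home directory still come from this file, so the same checks apply to key-only users. If your libc supports it, a $6$ (sha512-crypt) hash from mkpasswd is a stronger choice than md5-crypt and passes the linter unchanged.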

Add user public keys

If you prefer key authentication, create a dedicated directory for storing keys:

mkdir /etc/proftpd/sftp.passwd.keys
chown proftpd /etc/proftpd/sftp.passwd.keys
chmod go-rwx /etc/proftpd/sftp.passwd.keys

Then create one file per SFTP user, named after the user as the %u in SFTPAuthorizedUserKeys expects, and fill it with the public keys you want. Don't forget to convert them into RFC 4716 format first:

ssh-keygen -e -f key_to_convert.pub > key_in_rfc4716.pub

After all these modifications, restart ProFTPd and test. Adjust firewall rules accordingly.


[MySQL] Replication over SSL

Prerequisites

  • mysqld 5.1 or later
  • OpenSSL 0.9.8e or later
  • an already running MySQL replication setup

Check SSL support

mysql> show variables like '%ssl%';
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_openssl  | DISABLED |
| have_ssl      | DISABLED |
| ssl_ca        |          |
| ssl_capath    |          |
| ssl_cert      |          |
| ssl_cipher    |          |
| ssl_key       |          |
+---------------+----------+
7 rows in set (0.01 sec)

DISABLED means mysqld was built with SSL support but it is not enabled yet. If you see NO instead, your build has no SSL support.

Generate certificates

Create a /etc/mysql/certs directory on both the master and the slave node.

Generate a key and a CA certificate:

openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem

Generate a server key and certificate:

openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

And finally a client key and certificate:

openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
# give the client certificate a serial different from the server's: serials must be unique per CA
openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem

Copy ca.pem, client-cert.pem and client-key.pem to the /etc/mysql/certs directory of the slave node.

Mysqld configuration

On the master node, add the following to the [mysqld] section of /etc/mysql/my.cnf:

ssl-ca=/etc/mysql/certs/ca.pem
ssl-cert=/etc/mysql/certs/server-cert.pem
ssl-key=/etc/mysql/certs/server-key.pem

Restart mysqld.

On the slave node, add the following lines to /etc/mysql/my.cnf:

ssl-ca=/etc/mysql/certs/ca.pem
ssl-cert=/etc/mysql/certs/client-cert.pem
ssl-key=/etc/mysql/certs/client-key.pem

Restart mysqld.

Last step: on the master, require the replication user to connect over SSL only:

GRANT USAGE ON *.* TO 'slave_user'@'%' REQUIRE SSL;
FLUSH PRIVILEGES;
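The ssl-* lines are easy to get wrong (a path under a different directory, a key left world-readable), and mysqld will just fail to enable SSL at startup. The following pre-flight check is an added example, not code from the original post or from MySQL: it parses the [mysqld] section of a my.cnf, verifies that the three options point at existing files in one directory (the /etc/mysql/certs of the page), that each file carries the expected PEM header, and that the private key is not readable by group or others. The demo writes placeholder PEM files (constructed text, not real keys) into a scratch directory.

```python
"""Pre-flight check of the ssl-* options in a MySQL node's my.cnf.

Added example (not from the original post or from MySQL). The PEM contents
used by run_demo() are placeholders, not real certificates or keys.
"""
import stat
import tempfile
from pathlib import Path

SSL_OPTIONS = ("ssl-ca", "ssl-cert", "ssl-key")
PEM_HEADERS = {
    "ssl-ca": ("-----BEGIN CERTIFICATE-----",),
    "ssl-cert": ("-----BEGIN CERTIFICATE-----",),
    "ssl-key": ("-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN PRIVATE KEY-----"),
}
CERT_PEM = "-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nplaceholder\n-----END RSA PRIVATE KEY-----\n"


def parse_mysqld_section(text):
    """Return {option: value} for [mysqld]; ssl_ca and ssl-ca are the same option."""
    section, opts = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "mysqld":
            key, _, value = line.partition("=")
            opts[key.strip().replace("_", "-")] = value.strip().strip('"')
    return opts


def check_ssl_options(opts, expected_dir):
    """Return a list of problems; an empty list means the three options look sane."""
    problems = []
    missing = [o for o in SSL_OPTIONS if o not in opts]
    if missing:
        problems.append("missing option(s): " + ", ".join(missing))
    paths = {o: Path(opts[o]) for o in SSL_OPTIONS if o in opts}
    if len({p.parent for p in paths.values()}) > 1:
        problems.append("ssl files are spread over several directories")
    for opt, p in paths.items():
        if not p.is_absolute():
            problems.append("%s is not an absolute path: %s" % (opt, p))
        if p.parent != Path(expected_dir):
            problems.append("%s is outside %s: %s" % (opt, expected_dir, p))
        if not p.is_file():
            problems.append("%s does not exist: %s" % (opt, p))
            continue
        first = p.read_text(errors="replace").lstrip().split("\n", 1)[0]
        if not first.startswith(PEM_HEADERS[opt]):
            problems.append("%s is not the expected PEM type: %s" % (opt, p))
        if opt == "ssl-key":
            mode = stat.S_IMODE(p.stat().st_mode)
            if mode & 0o077:  # anything beyond the owner's bits exposes the key
                problems.append("ssl-key is readable by group/others (mode %04o)" % mode)
    return problems


def run_demo():
    """Constructed scenario: a config with the key under a stray directory, one
    with a world-readable key, and the corrected configuration."""
    tmp = Path(tempfile.mkdtemp())
    certs = tmp / "certs"
    certs.mkdir()
    (certs / "ca.pem").write_text(CERT_PEM)
    (certs / "server-cert.pem").write_text(CERT_PEM)
    key = certs / "server-key.pem"
    key.write_text(KEY_PEM)
    key.chmod(0o644)  # deliberately too open for the "loose_key" run
    stray = ("[mysqld]\nssl-ca=%s/ca.pem\nssl-cert=%s/server-cert.pem\n"
             "ssl-key=%s/newcerts/server-key.pem\n" % (certs, certs, tmp))
    good = ("[mysqld]\nssl-ca=%s/ca.pem\nssl-cert=%s/server-cert.pem\n"
            "ssl-key=%s/server-key.pem\n" % (certs, certs, certs))
    results = {"stray_key": check_ssl_options(parse_mysqld_section(stray), certs)}
    results["loose_key"] = check_ssl_options(parse_mysqld_section(good), certs)
    key.chmod(0o600)
    results["corrected"] = check_ssl_options(parse_mysqld_section(good), certs)
    return results


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(name, "->", problems or "OK")
```

Run it against the real file with `check_ssl_options(parse_mysqld_section(open("/etc/mysql/my.cnf").read()), "/etc/mysql/certs")` on each node. Keep in mind that the [mysqld] options above configure each node as a TLS server; the replication connection the slave opens to the master is configured separately with CHANGE MASTER TO ... MASTER_SSL=1 (plus MASTER_SSL_CA, MASTER_SSL_CERT and MASTER_SSL_KEY), which the page does not show; without it the REQUIRE SSL grant will simply reject the slave's login.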

Secret Order of the Ninja Code Monkeys

We are society's most elite programmers, we are the guardians of 0 and 1, we protect your systems when you aren't around, we are who you can turn to when you need help with your application. Our members are widely diversified and dispersed all over the world, and our mission is to make this world a better place using our keen and sometimes supernatural coding styles along with our true spirits and extreme discipline. Together we are making a difference!

The Order of the Ninja Code Monkeys has been in existence for many years now and has thousands of members. Now we are taking our outreach even farther by opening the nether portal to enlightenment outside our practicing realm and into cyberspace.

The Secret Order of the Ninja Code Monkeys follow very specific rules:

  • We accomplish the mission, failure is not an option
  • We never write any SPECS
  • We NEVER comment our code (you figure it out)
  • We NEVER free (good) food
  • We NEVER give real estimates of how long it will take
  • We NEVER tell how we did it (you won’t understand)
  • We NEVER bring harm to a user, by choice
  • We live to be challenged
  • Working Applications must be modified
  • The newer the technology, the more dangerous we become
  • We strive for peace, harmony, and enlightenment in all things
  • Always being Honor to yourself

Now get your t-shirt and join us, or ask a ninja what it is to be a ninja.