Configure SFTP access with ProFTPd

Since version 1.3.3rc1, ProFTPd has shipped a mod_sftp module. It implements the core of the SSH2 protocol and its SFTP subsystem, so one daemon can serve both FTP and SFTP.

Using ProFTPd's implementation brings some practical advantages:

  • no need to spawn another OpenSSH daemon on another port
  • no need to tweak sshd_config to allow chrooted SFTP
  • you can chroot a user into any directory, even one that doesn't belong to root (OpenSSH's ChrootDirectory insists on a root-owned directory that nobody else can write to)
  • you can use ‘virtual’ accounts instead of Unix ones

Enable SFTP support

Add the following block to /etc/proftpd/proftpd.conf:

SFTPEngine on

Port 115
SFTPLog /var/log/proftpd/sftp.log
TransferLog /var/log/proftpd/sftp-xferlog

# Host Keys
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key

# SFTP specific configuration
DefaultRoot ~

Port 115 was chosen somewhat arbitrarily: it is the IANA port of the unrelated Simple File Transfer Protocol, so it is at least memorable. Two things to keep in mind with the block above. SFTPEngine on makes the server context it sits in speak SSH instead of FTP, so if you still need plain FTP on port 21, put these directives in their own <VirtualHost> rather than in the main server context. And mod_sftp refuses to load a host key file that is readable by group or others, so check the permissions of the keys you reuse from OpenSSH. DSA has been deprecated in OpenSSH since 7.0 and many current systems no longer ship ssh_host_dsa_key; drop that SFTPHostKey line if the file does not exist.

Choose the authentication method

As with OpenSSH, authentication can be done by password or by public key. Several methods may be listed on one SFTPAuthMethods line, in which case the client may use any one of them. For password authentication add the following snippet to /etc/proftpd/proftpd.conf:

# Authentication method
SFTPAuthMethods password
AuthUserFile /etc/proftpd/sftp.passwd

If you prefer using keys:

# Authentication method
SFTPAuthMethods publickey
SFTPAuthorizedUserKeys file:/etc/proftpd/sftp.passwd.keys/%u
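The two configuration sections above put SFTPEngine, the port and the authentication directives straight into the main server context. The following script is an added example, not code from the article or from the ProFTPD project: it renders the same directives as a dedicated <VirtualHost> on port 115 so that the main server keeps speaking FTP, and then applies the two checks mod_sftp itself performs at start-up (host key permissions, configuration syntax). Port 115 and the file paths follow the article; the function names and the /etc/proftpd/conf.d/ drop-in location (which Debian's stock proftpd.conf includes) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article or the ProFTPD project): render a
# dedicated <VirtualHost> for mod_sftp so the main server keeps speaking FTP,
# then apply the checks mod_sftp itself applies at start-up.
# Port 115 and the file paths follow the article; the function names and the
# conf.d drop-in path (Debian's proftpd.conf includes /etc/proftpd/conf.d/)
# are assumptions of this example.
set -eu

# A bare "Port 115" plus "SFTPEngine on" in the main server context turns that
# server into an SSH listener, so plain FTP stops. A <VirtualHost> keeps both.
render_sftp_vhost() {
    port=$1
    cat <<EOF
<IfModule mod_sftp.c>
<VirtualHost 0.0.0.0>
    ServerName "SFTP"
    Port ${port}
    SFTPEngine on
    SFTPLog /var/log/proftpd/sftp.log
    TransferLog /var/log/proftpd/sftp-xferlog

    # Host key reused from OpenSSH; mod_sftp skips a key that is group/world readable
    SFTPHostKey /etc/ssh/ssh_host_rsa_key

    # Space-separated list: a client may use any one of these methods
    SFTPAuthMethods publickey password
    AuthUserFile /etc/proftpd/sftp.passwd
    SFTPAuthorizedUserKeys file:/etc/proftpd/sftp.passwd.keys/%u

    # Chroot every virtual user into its home; allow shells not in /etc/shells
    DefaultRoot ~
    RequireValidShell off
</VirtualHost>
</IfModule>
EOF
}

# Mirror mod_sftp's host key check: the file must not be readable by group or
# others. Parsed from ls -l so it works on GNU and BSD userlands alike.
hostkey_mode_ok() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Parse the merged configuration with proftpd's own parser when it is present.
config_syntax_ok() {
    if command -v proftpd >/dev/null 2>&1; then
        proftpd -t -c "$1" >/dev/null 2>&1
    else
        echo "proftpd not installed, skipping syntax check" >&2
    fi
}

# Usage: ./sftp-vhost.sh            prints the block to stdout
#        ./sftp-vhost.sh --install  writes it to conf.d and runs the checks
if [ "${1:-}" = "--install" ]; then
    render_sftp_vhost 115 > /etc/proftpd/conf.d/sftp.conf
    for key in /etc/ssh/ssh_host_rsa_key; do
        hostkey_mode_ok "$key" || { echo "$key is readable by others; chmod 600 it" >&2; exit 1; }
    done
    config_syntax_ok /etc/proftpd/proftpd.conf
else
    render_sftp_vhost 115
fi
```

Run it without arguments to review the generated block, and with --install once you are happy; a failing host key check means the key you pointed SFTPHostKey at would be silently skipped by mod_sftp and the server would come up without it.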

Create user accounts

We will use ProFTPd's virtual account system (AuthUserFile). First create the account file and make it readable only by the proftpd user; ProFTPD refuses to use an AuthUserFile that is world-readable:

touch /etc/proftpd/sftp.passwd
chown proftpd /etc/proftpd/sftp.passwd
chmod go-rwx /etc/proftpd/sftp.passwd

The file uses the /etc/passwd layout, one account per line: username, password hash in crypt(3) format, UID, GID, free-text comment, home directory (the chroot target with DefaultRoot ~) and login shell. The shell must be listed in /etc/shells unless you set RequireValidShell off:

username:PASSWORD_HASH:UID:GID:Comment for human:/home/user_home:/bin/bash

To generate the password you can use pwgen and hash it with mkpasswd (from the whois package). Prefer SHA-512 crypt over MD5: MD5-crypt is cheap to brute-force, and ProFTPD verifies the hash through crypt(3), which accepts $6$ hashes on any glibc system. Feed the password on stdin rather than as an argument so it does not show up in ps or in your shell history:

PASS=$(pwgen -Bs1 15); echo "$PASS"
printf '%s\n' "$PASS" | mkpasswd --method=sha-512 --stdin

UID and GID must be numeric. Reuse the values of a real Unix account to map the virtual user onto it: these numbers decide which files the chrooted session can read and write. Never use 0, since ProFTPD refuses root logins unless RootLogin is on.

Add user public keys

If you prefer key authentication, create a dedicated directory for storing keys, again readable only by proftpd:

mkdir /etc/proftpd/sftp.passwd.keys
chown proftpd /etc/proftpd/sftp.passwd.keys
chmod go-rwx /etc/proftpd/sftp.passwd.keys

Then create one file per SFTP user, named after the username (that is what %u in SFTPAuthorizedUserKeys expands to), and fill it with that user's public keys. mod_sftp reads only the RFC 4716 format, so convert OpenSSH one-line keys first; append the converted keys to the user's file if a user needs several:

ssh-keygen -e -f key_to_convert.pub > key_in_rfc4716.pub

After all these modifications, check the configuration with proftpd -t, restart ProFTPd and test a login with an SFTP client (sftp -P 115 user@host). Adjust firewall rules accordingly: open TCP 115, and remember that this listener is a second SSH service exposed to the network.
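The account and key steps above are easy to get subtly wrong (a non-numeric UID, a relative home, a key left in OpenSSH one-line format). The script below is an added example, not code from the article or from the ProFTPD project: it creates a virtual account in the AuthUserFile with a SHA-512 crypt hash, re-validates the whole file, installs a public key in RFC 4716 format, and runs a batch SFTP login once ProFTPd has been restarted. File paths follow the article; the function names, the sample entries used in the checks and the choice of /bin/false (which needs RequireValidShell off; the article uses /bin/bash) are this example's own.

```shell
#!/bin/sh
# Added example (not from the article or the ProFTPD project): create virtual
# SFTP accounts in the AuthUserFile, validate that file, and install a user's
# public key in the RFC 4716 format mod_sftp expects. File paths follow the
# article; function names, sample entries and the SHA-512 choice are mine.
set -eu

PASSWD_FILE=${PASSWD_FILE:-/etc/proftpd/sftp.passwd}
KEYS_DIR=${KEYS_DIR:-/etc/proftpd/sftp.passwd.keys}

is_number() { case "$1" in ""|*[!0-9]*) return 1 ;; esac; }

# Hash a password read from stdin as SHA-512 crypt ("$6$..."), which ProFTPD
# verifies through crypt(3). Reading stdin keeps the clear text out of argv.
hash_password() {
    openssl passwd -6 -stdin
}

# Build one AuthUserFile line. UID/GID must be numeric and non-zero: ProFTPD
# refuses uid 0 unless RootLogin is on, and uid/gid decide what the chrooted
# session may read and write. The home must be an absolute path.
passwd_line() {
    user=$1 hash=$2 uid=$3 gid=$4 home=$5 shell=$6
    is_number "$uid" && is_number "$gid" || { echo "uid/gid must be numeric" >&2; return 1; }
    [ "$uid" -ne 0 ] || { echo "refusing uid 0 for $user" >&2; return 1; }
    case "$home" in /*) ;; *) echo "home must be absolute" >&2; return 1 ;; esac
    printf '%s:%s:%s:%s:%s:%s:%s\n' "$user" "$hash" "$uid" "$gid" "SFTP user $user" "$home" "$shell"
}

# Re-check an existing file: 7 fields, numeric uid/gid, no uid 0, absolute
# home. The exit status is the number of bad lines, so 0 means clean.
validate_passwd_file() {
    awk -F: '
        NF != 7                              { bad++; print "line " NR ": expected 7 fields"; next }
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { bad++; print "line " NR ": uid/gid not numeric"; next }
        $3 == 0                              { bad++; print "line " NR ": uid 0 is refused"; next }
        $6 !~ /^\//                          { bad++; print "line " NR ": home not absolute"; next }
        END { exit bad + 0 }' "$1"
}

# Create an account: random password, hashed, appended; print the clear text
# once for handing over. /bin/false needs "RequireValidShell off".
add_user() {
    user=$1 uid=$2 gid=$3 home=$4
    pass=$(openssl rand -base64 15)
    hash=$(printf '%s\n' "$pass" | hash_password)
    passwd_line "$user" "$hash" "$uid" "$gid" "$home" /bin/false >> "$PASSWD_FILE"
    chown proftpd "$PASSWD_FILE"
    chmod 600 "$PASSWD_FILE"
    echo "password for $user: $pass"
}

# Install a public key: mod_sftp reads only RFC 4716, so convert the OpenSSH
# one-line form and append, which lets one user hold several keys.
install_key() {
    user=$1 pubkey=$2
    mkdir -p "$KEYS_DIR"
    chmod 700 "$KEYS_DIR"
    ssh-keygen -e -f "$pubkey" >> "$KEYS_DIR/$user"
    chmod 600 "$KEYS_DIR/$user"
}

# Login check after restarting ProFTPd: a non-interactive session on port 115.
smoke_test() {
    user=$1 host=$2 key=$3
    printf 'pwd\nls -l\n' | sftp -b - -P 115 -o BatchMode=yes -i "$key" "$user@$host"
}

# Usage: sftp-user.sh add NAME UID GID HOME | key NAME PUBKEY | check | test NAME HOST KEY
case "${1:-}" in
    add)   add_user "$2" "$3" "$4" "$5" ;;
    key)   install_key "$2" "$3" ;;
    check) validate_passwd_file "$PASSWD_FILE" ;;
    test)  smoke_test "$2" "$3" "$4" ;;
esac
```

The "check" subcommand is worth running after every hand edit of sftp.passwd: a line with the wrong field count or a non-numeric UID does not make ProFTPd fail to start, it just makes that login fail with an unhelpful error in sftp.log.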

Further Reading and sources