How do I configure ProFTPD as a SFTP-only server with system users, PK auth, and custom umasks?

Question

So, I managed to configure ProFTPD to allow password login for system users. I have two issues: umask and pk auth.

Include /etc/proftpd/modules.conf

UseIPv6             on
ServerName          "Debian"
ServerType          standalone
MultilineRFC2228    on
DefaultServer       on
Port                21
PassivePorts        49152 49407
MaxInstances        30
SystemLog           /var/log/proftpd/proftpd.log

<IfModule mod_ctrls.c>
    ControlsEngine      off
    ControlsMaxClients  2
    ControlsLog         /var/log/proftpd/controls.log
    ControlsInterval    5
    ControlsSocket      /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
    AdminControlsEngine off
</IfModule>

<Global>
    UseFtpUsers         on
    IdentLookups        off
    DeferWelcome        off
    ShowSymlinks        on
    TimeoutNoTransfer   600
    TimeoutStalled      600
    TimeoutIdle         1200
    DisplayLogin        welcome.msg
    DisplayChdir        .message true
    ListOptions         "-l"
    DenyFilter          \*.*/
    DefaultRoot         ~
    RequireValidShell   off
    User                proftpd
    Group               nogroup
    Umask               007 007
    AllowOverwrite      on
    # AuthOrder           mod_sql.c
    CreateHome          on
    TransferLog         /var/log/proftpd/xferlog

    <IfModule mod_quotatab.c>
        QuotaEngine off
    </IfModule>

    <IfModule mod_ratio.c>
        Ratios off
    </IfModule>

    <IfModule mod_delay.c>
        DelayEngine on
    </IfModule>

    <IfModule mod_xfer.c>
        MaxStoreFileSize    70 Mb
        HiddenStores        on
        DeleteAbortedStores on
    </IfModule mod_xfer.c>

    <Directory /htdocs/*/>
        Umask 0007
        <Limit MKD XMKD RMD XRMD SITE_CHMOD>
            DenyUser !ftpadmin
        </Limit>
    </Directory>
</Global>

Include /etc/proftpd/sftp.conf

and sftp.conf is as follows

<IfModule mod_sftp.c>
    <VirtualHost $(hostname)>
        Port 23
        SFTPEngine on
        SFTPAuthorizedUserKeys file:/home/%u/.ssh/authorized_keys
        SFTPHostKey /etc/ssh/ssh_host_dsa_key
        SFTPHostKey /etc/ssh/ssh_host_rsa_key
        SFTPHostKey /etc/ssh/ssh_host_ecdsa_key
        SFTPCompression delayed
        SFTPLog /var/log/proftpd/sftp.log
    </VirtualHost>
</IfModule mod_sftp.c>

[umask] However, when a user logs in and puts a file, the uploaded file takes the permissions that it had originally (I'm testing using OS X and Linux as clients, so that makes sense). I have not tested the pure FTP solution, but I'd rather provide SFTP.

[pk auth] When I attempt a PK authentication, the client correctly offers the right key, and says

debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 535
debug2: input_userauth_pk_ok: fp SHA256:Eft1LIOozSylL20lfMc9gUdl3gKtd0zEdeyNtCb1p8Q

but then concludes with

debug1: Authentications that can continue: password

which confuses me to no end. On the server side, I have

no account for user 'sftpuser' found
sending userauth failure; remaining userauth methods: password

which is funny because the user does indeed exist (and can successfully perform a password login). I even converted my OpenSSH key to the RFC4716 format that ProFTPD appears to prefer.

I admit I have a grand total of about 4 hours of experience with ProFTPD, but I've been reading all I could, and the config files make sense to me. This all is running in a Docker container. What am I missing?

Stackoverflow is for help with software development. You should consider asking this on [sf] or [unix.se]. — Kenster, Apr 13 '16 at 16:49
@Kenster: you're right, thanks. Can I move this myself? — Jakuje: any sftp client, like FileZilla or cli sftp. — Morpheu5, Apr 14 '16 at 09:26

score 2 · Accepted Answer · answered Apr 13 '16 at 21:57

Unlike FTP, SFTP uploads often contain their own permissions as part of the SFTP OPEN request. To make SFTP uploads behave more like FTP uploads, with regard to ProFTPD configuration (e.g. Umask), you want to configure mod_sftp to ignore the upload permissions using the IgnoreSFTPUploadPerms SFTPOptions:

<IfModule mod_sftp.c>
  ...
  SFTPOptions IgnoreSFTPUploadPerms
  ...
</IfModule>

For the publickey authentication issue, the SFTPLog you configured should have more clues as to what might be the issue. Perhaps the configured file does not exist, or does not have the necessary permissions? Keep in mind that ~/.ssh/authorized_keys is often used by OpenSSH, and that the format that file is different that what ProFTPD desires. For that reason, I often use:

SFTPAuthorizedUserKeys file:~/.sftp/authorized_keys

i.e. a different file from what OpenSSH wants, in a different format (RFC 4716), to avoid any possible confusion/collision.

Hope this helps!

For some reasons I was missing the SFTPOptions. Also, due to a typo, the authorized_keys was not being filled with keys… I can't recall how may times I spelled `ssh-keygen` wrong… (I generate the script converting OpenSSH keys to RCF4716 because they are one-liners, thus easier to plug into a bash script. I'll be more sophisticated in the future :) Thanks! — Morpheu5, Apr 14 '16 at 09:50

How do I configure ProFTPD as a SFTP-only server with system users, PK auth, and custom umasks?

1 Answers1