2

I'm try to configure proftpd for use with SFTP and use with virtual users, but after try several ways it not works with virtual users. Only works for system users

Some config relative to problem below, and here full proftpd.conf

AuthUserFile /etc/proftpd/passwd.vhosts
<IfModule mod_tls.c>
    TLSEngine on
    TLSRequired on
    TLSRSACertificateFile /etc/ftpd-rsa.pem
    TLSRSACertificateKeyFile /etc/ftpd-rsa-key.pem
    TLSVerifyClient off
    TLSCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    TLSOptions NoSessionReuseRequired
    TLSProtocol TLSv1 TLSv1.1 TLSv1.2
</IfModule>
SFTPEngine         on
SFTPAuthMethods         publickey
SFTPAuthorizedUserKeys  file:/etc/proftpd/sftp.passwd.keys/%u
SFTPLog                 /var/log/proftpd/sftp.log
TransferLog             /var/log/proftpd/sftp-xferlog

For the purpose of testing, I have created a virtual user, castrislegio, associated with the castris system user

castris:PASSWORD_HASH:1004:1004::/home/castris:/usr/libexec/openssh/sftp-server
castrislegio+castris.com:PASSWORD_HASH2:1004:1004:castris:/home/castris/user2:/bin/ftpsh
castrislegio@castris.com:PASSWORD_HASH2:1004:1004:castris:/home/castris/user2:/bin/ftpsh

Also try

castris:PASSWORD_HASH:1004:1004::/home/castris:/usr/libexec/openssh/sftp-server
castrislegio+castris.com:PASSWORD_HASH2:1004:1004:castris:/home/castris/user2:/usr/libexec/openssh/sftp-server
castrislegio@castris.com:PASSWORD_HASH2:1004:1004:castris:/home/castris/user2:/usr/libexec/openssh/sftp-server

But it not work.

 67449929  0 drwx------.   2 root proftpd    51 May 23 12:19 sftp.passwd.keys
 ...
 67449644 4 -rw-rw----. 1 root proftpd 1024 May 23 14:04 castris
 70159270 4 -rw-rw----. 1 root proftpd  512 May 23 14:03 castrislegio@castris.com
 70153716 4 -rw-rw----. 1 root proftpd 1024 May 23 14:03 castrislegio+castris.com

I use this for put key

ssh-keygen -e -f .ssh/id_rsa.pub >> /etc/proftpd/sftp.passwd.keys/castris

When I try access

sftp -v -P 24 -i .ssh/id_rsa castrislegio+castris.com@localhost
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 24.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file .ssh/id_rsa type 1
debug1: identity file .ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: curve25519-sha256@libssh.org need=16 dh_need=16
debug1: kex: curve25519-sha256@libssh.org need=16 dh_need=16
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 75:87:c9:ef:e7:b1:ae:47:17:0b:e6:8c:e4:6c:2b:7d
debug1: Host '[localhost]:24' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)

debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)

debug1: Next authentication method: publickey
debug1: Offering RSA public key: .ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Couldn't read packet: Connection reset by peer

I'm lost about this question. What it's wrong?

abkrim
  • 3,512
  • 7
  • 43
  • 69

1 Answers1

1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1

You are not connecting to Proftpd, but to OpenSSH. When you don't specify Port in Proftpd configuration, it will default to port 22 (not the one you are trying to connect using your sftp command.

So you will either need to use different port in the sftp command or in the configuration.

Jakuje
  • 24,773
  • 12
  • 69
  • 75
  • I'use same port for SSH and SFTP. 24 – abkrim May 23 '17 at 19:14
  • That is simply not possible to use the same port for OpenSSH and ProFTPd. Only one of them can work on that port. Move one of them on other port. – Jakuje May 23 '17 at 19:15
  • Ok.. On my proftpd.conf `Port 24`on my ssh conf `Port 24` restart two services and two services it's up. If try connect with a **normal user** I can connect with sftp and port 24 – abkrim May 23 '17 at 19:18
  • Yes, but you are connecting to SFTP server provided by OpenSSH, not the one provided by ProFTPd. – Jakuje May 23 '17 at 19:19