Is it possible to use SFTP with Virtualmin??

49 posts / 0 new
Last post
#1 Mon, 03/02/2015 - 14:03
-eclipse-

Is it possible to use SFTP with Virtualmin??

Hi

I have tried to create an SCP user only within an users Virtual Server, but when I log on with this user using SFTP the home directory is / (root). Isn't it possible to change the home directory to match the specific VPS home directory as with the normal FTP user?

Have anyone tried to use SFTP and if so, what can I do to provide this extra layer of security to my users.

Thanks in advance.

  • Tim
Mon, 03/02/2015 - 15:14
andreychek

Howdy,

Yup, it's possible to have a user who can access the server via SSH, SCP, and SFTP.

In each case, when logging in as that user, it should default to logging you into that user's home directory.

You may want to verify that the user's homedir is set as expected, and that you aren't seeing any errors in the logs.

If something occurred where that user doesn't have permission to access their homedir, it could drop them to "/" instead.

-Eric

Mon, 03/02/2015 - 17:59
-eclipse-

Hi Eric

The home directory was set to automatic and should be /home/[virtualservername] But I get logged on to / (root) when logging in.

I then tried to do a manual change of the "subdirectory of servers home" to /home/[virtualservername] for the specific user, but then get an error. - Failed to save mailbox : User's home directory is relative to the domain, and so must not start with a /

So how do I validate the home directory, it works fine with the normal FTP user for that specific virtualserver?

Thanks in advance.

  • Tim
Mon, 03/02/2015 - 22:12
andreychek

Howdy,

Hmm, what kind of user is this? Is this a Virtual Server owner, and website access user, or a standard user (ie, what process did you use to create this user)?

Also, do you have the same problem if you try logging into SSH/SFTP as another user?

-Eric

Tue, 03/03/2015 - 02:58
-eclipse-

Hi Eric

I just tried to add two extra accounts and those seems to work as intended? There must be something wrong with the first account I created, which has full access to / (root). The other two accounts only have access to /home/[virtualservername]/homes/[username]

The funny thing is that I have created test.[virtualservername] and test2.[virtualservername] (the first one gives the full root access) and when I tries to reset the password for the test account it tells me that there is already a folder called /home/[virtualservername]/homes/test

There may be a dead bug somewhere here.

I have given you SSH access to our server using the "enable remote login". Are you still behind the following IP's 67.188.12.52 207.192.73.169

The virtualserver in question is eccodresscode

PS. Its still not possible to attach images.

  • Tim
Mon, 03/09/2015 - 13:30
jimdunn
  • comment remove, due to hostile reply
Sat, 03/07/2015 - 06:15
fakemoth
fakemoth's picture

For me SFTP "just works" maybe you have some problem in your proftpd.conf with the default home...

If you are using it how I am, that is. I only have the sftp module for proftpd loaded, mo messing around with the sshd config.

Don't take the name of root in vain...

Sat, 03/07/2015 - 06:25
fakemoth
fakemoth's picture

For me SFTP "just works" maybe you have some problem in your proftpd.conf with the default home...

Or maybe you in fact used only ssh, and not the sftp module in proftpd, do not confuse those; that is how you ended up in /

I only have the sftp module for proftpd loaded, no messing around with the sshd config.

PS: forget about FTPS, SFTP is so much better: only one port so firewalls left intact and/or no stupid modules in iptables, everything secured so on. I was thinking "why the hell was I using FTP(S)"??? FTP and FTPS should have died 20 years ago... That's not a protocol nowadays, that's the weird thing that your colleagues specialized in networking are laughing at :)

Don't take the name of root in vain...

Sat, 03/07/2015 - 06:51
fakemoth
fakemoth's picture

IMPORTANT! Joe, Jamie, andreychek you should seriously consider making SFTP the default file transfer technology in Virtualmin:

-FTP(S) requires a range of high ports opened - that implies you don't have a firewall anymore; or to use something like ftp_conntrack in iptables, but if you have a different firewall in FRONT of the server, that doesn't help you anymore; and if you are using FTPS, the firewall can't really listen for FTP traffic to open ports (it is encrypted). Yeah, I know: CCC, but I rather not trust that all the firewalls I put in front of my server (just for fun) work with that; cause they don't. So FTPS is difficult for most people to configure. And FTP sends everything in plain text. Never mind it was designed in '70s...

-webDAVS for me sucks big time as you have to let loose the rights on directories - but this is a no-no because that's what keeps a web server working, not letting scripts influence other virtual servers/directories/files. It seems too me like a serious security issue, that's how mass defaces are done. And I decided not to use it.

-so SFTP is the only thing we should use. Hope some more people agree with me, and you would consider this. Posted also in "Blue Skies".

Don't take the name of root in vain...

Sun, 03/08/2015 - 06:51
Welshman
Welshman's picture

FTP is not secure, agreed with fakemoth, SFTP all the way.

Chaos Reigns Within, Reflect, Repent and Reboot, Order Shall Return.

Sun, 03/08/2015 - 10:45
fakemoth
fakemoth's picture

Please +1 it here https://www.virtualmin.com/node/36457 so the nice people at Virtualmin can see that we really want this.

Don't take the name of root in vain...

Mon, 03/09/2015 - 13:31
jimdunn
  • comment remove, due to hostile reply
Mon, 03/09/2015 - 01:35
fakemoth
fakemoth's picture

@jimdunn I beg to differ! SSH can be jailed too, but it is a lot of work to do it. You seem to confuse two things here:

-"FTP over SSH" - this shouldn't be used; in fact you are logging in SSH, on the same port used by SSH, and yes there are difficulties to configure every user and group; in fact this function it is better to be disabled in SSH!

-SFTP "Secure File Transfer Protocol" as the SFTP module for Proftpd; the FTP server (Proftpd) can be configured (easily) to use SFTP, on a DIFFERENT port fom SSH; there are no problems here as it respects the way (FTP or FTPS) it was working, including user access and rights!

-sometimes people often confuse the previous two (not your case, but sometimes it happens) with FTPS "File Transfer Protocol over SSL" - this is just FTP encrypted.

Please read my previous post, here is the link again as https://www.virtualmin.com/node/36457

PS: oh my, I see you already posted... there too!

Don't take the name of root in vain...

Mon, 03/09/2015 - 13:32
jimdunn
  • comment remove, due to hostile reply
Mon, 03/09/2015 - 08:01
fakemoth
fakemoth's picture

@jimdunn ...yawn... read here http://www.virtualmin.com/node/36457

Don't take the name of root in vain...

Wed, 03/11/2015 - 04:40
-eclipse-

Hi FakeMoth

It seems that my question has started a live debate here. @FakeMoth, so what should I do to give an user access to his / her virtual site using SFTP instead of normal FTP and / or SSH?

Looking forward to hear from you.

  • Tim
Wed, 03/11/2015 - 16:13
jimdunn
  • remember, for best security, use SSL key pairs with SSH
Thu, 03/12/2015 - 00:35
fakemoth
fakemoth's picture

@-eclipse- Hi, you can follow this tutorial https://www.digitalocean.com/community/tutorials/how-to-configure-proftp... ; I for myself replaced the key authentication with the password one, so I wasn't changing too many things for my users:

SFTPAuthMethods password

Don't take the name of root in vain...

Thu, 03/12/2015 - 06:00
Joe
Joe's picture

I'm not opposed to configuring SFTP in ProFTPd, by default, in Virtualmin. It's not something that's been brought up much (I use ssh and scp, and never touch FTP, I would have booted FTP out of the system 10 years ago if I thought I wouldn't be strung up by my toes by users that have FTP as part of their normal workflow).

I doubt we can convince everyone to use it, as users are real stubborn, but we can make it available by default.

I've added it to my todo list. It'll probably be an install time or post-install wizard time, item. So, for folks who are already up and running, you probably want to go ahead and enable it manually (it's really easy to enable it and use it).

--

Check out the forum guidelines!

Thu, 03/12/2015 - 08:21
fakemoth
fakemoth's picture

@Joe - if you don't mind - yes this should be done as it is fairly easy to set it up. But please (not trying to hyjack the thread just caught ya around here) can we do something about the File Manager first?

I am asking and posting and stuff (I am also tired by... myself really, I get you :) for years. Now you know it doesn't work in Chromium (now way bigger than Firefox), because Google decided to drop Java, and all the Linux people can't use it properly because it has issues with Ice Tea. And it might happen to flash also, so HTML5 is the answer here.

Are you at least working on something, can you tell us something about this?

Now that we have a beautiful theme (Ilia's Authentic) will we get a working, nice File Manager (with an included very usefull text editor)?

It is necessary, but will also give us the opportunity to laugh our arses @cPanel :D

Things you should really find a replacement in the panels: -File Manager -SSH login (the Java applet) -didn't touch it lately because it deleted a few times, by itself, my /etc directory, but I guess the old Java Graphical Console in Cloudmin is still there https://www.virtualmin.com/node/23097 ?

Don't take the name of root in vain...

Fri, 03/13/2015 - 22:07 (Reply to #20)
Joe
Joe's picture

There is already a pretty good replacement for the SSH Login, which I thought we'd already made available by default in Virtualmin systems, but I'll have to check to be sure. Basically, AJAXTerm is a great replacement which only needs JavaScript.

We're also looking into adding WebSockets support to the Webmin web server, which will make some of this interactive UI stuff nicer. A good editor is high on my list of things I'd like to see, for sure, and there are actually a few good JavaScript editors out there now, though I think they all require node.js on the server-side, which is more weight than we'd be able to include in Webmin, but it might be possible to make a package available for Virtualmin, or maybe just an optional module. Porting the node.js backend to Perl and having it run under the Webmin server would also be an option, but I believe it would be extremely time-consuming and it's such an infrequently requested thing that I can't really justify focusing on it to the exclusion of other stuff.

Porting File Manager to JavaScript is a huge job. It will happen, for sure. How long it'll take, I dunno. None of us are particularly strong on JavaScript. But, having Ilia taking over most of the theme work for the time being frees me up to spend some time on other stuff.

The graphical console in Cloudmin has a Flash and Java version (both of which I also hate), but they do work, and we are able to distribute them. There are several new-ish HTML5/JavaScript VNC clients out there, most of which aren't suitable for various reasons (licensing, Java on the server-side or other server-side dependencies that are untenable). But, I just found noVNC, while googling to be sure we weren't missing anything promising. This one actually looks very good for our needs. I'm gonna experiment with it soon and will hopefully be able to work on adding it as an option. I would love to kill Flash and Java in everything we ship. The only good thing about them is that they work (or did, historically), and were available. Also Jamie is very comfortable with Java, which is not true of anybody else working on Webmin/Virtualmin/Cloudmin.

--

Check out the forum guidelines!

Fri, 03/13/2015 - 22:26 (Reply to #21)
Joe
Joe's picture

Oh, also, I don't know about the bug in the file manager...did you ever file a ticket about it? I don't remember it ever coming up in our weekly meetings, so I'm not sure any of us were ever aware of it. I try to stay on top of the forums, but I sometimes miss stuff because we get so much mail, forum traffic, tickets, etc. that three of us can't really keep up with all of it...filing bugs about bugs makes it much easier for us to know when we've missed something important; deleting /etc would be really freakin' important).

And, Jamie is under orders to stay out of the forums unless we link him to them for a specific thing, because it's such a tie sink and we need him coding every free moment. So, if me or Eric don't catch a bug mention and escalate it to the ticket tracker, it doesn't get caught. So, put bugs into the tracker when you find them.

--

Check out the forum guidelines!

Sat, 03/14/2015 - 03:12 (Reply to #22)
fakemoth
fakemoth's picture

Thanks for your answers. No I didn't file a bug, at that time was so angry that I dropped Cloudmin ☺ BTw tried a few times the Ajax ssh stuff. It is awfull, at least on openSuse 13.1 x64 and latest Chromium: can't do shit, pardon me, because of some weird lag, which prevents me even typing; and when updating for example or running anything for a long time, it freezes. It is unusable and kind of scary.

I can't stress enough the need for a new file manager with an integrated editor. We are still waiting, you must aggree here, that this discussions are going on for years now...

I promise not to post anything in the forums for a whole year, and spare you of my "feedback", if you would solve this one

Don't take the name of root in vain...

Fri, 03/13/2015 - 09:58
Welshman
Welshman's picture

Not sure why I keep agreeing with fakemoth but I do.

The file manager is a great utility and is great for clients who don't know how to do thngs SSH for removing things in a fast manner.

The SSH login, do we need it at all?

Chaos Reigns Within, Reflect, Repent and Reboot, Order Shall Return.

Fri, 03/13/2015 - 11:23
andreychek

Howdy,

We are indeed looking into improving the filemanager, that's something that will happen. We would like it to not be Java-based either :-)

Regarding Welshman's SSH question -- it may not be necessary at all in some setups. In that case, the SSH login option can be disabled on those servers. We're not going to disable that by default since some folks do want that, but in cases where it's not needed, it's no problem to disable that altogether.

-Eric

Mon, 03/16/2015 - 07:54
-eclipse-

Hi fakemoth

Thanks for the url https://www.digitalocean.com/community/tutorials/how-to-configure-proftp...

ProFTPd is already configured and used in my VirtualMin instance. Secondly, the proftpd.conf file is located under /etc/ and not in /etc/proftpd/ So can I just create the sftp.conf file in /etc/???

Thanks in advance.

  • Tim
Mon, 03/16/2015 - 08:59
fakemoth
fakemoth's picture

Well I didn't create anything, I just added to the main proftpd.conf ;) But I suppose you can as long as you specify the path.

Don't take the name of root in vain...

Mon, 03/16/2015 - 08:58
-eclipse-

Hi fakemoth

So you just added the configuration from the sftp.conf directly in the /etc/proftpd.conf file?

<IfModule mod_sftp.c>

        SFTPEngine on
        Port 2222
        SFTPLog /var/log/proftpd/sftp.log

        # Configure both the RSA and DSA host keys, using the same host key
        # files that OpenSSH uses.
        SFTPHostKey /etc/ssh/ssh_host_rsa_key
        SFTPHostKey /etc/ssh/ssh_host_dsa_key

        SFTPAuthMethods publickey

        SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u

        # Enable compression
        SFTPCompression delayed

</IfModule>
  • Tim
Mon, 03/16/2015 - 09:07 (Reply to #28)
fakemoth
fakemoth's picture

Yes, But in my case I wanted users to login by using their old FTP/SFTP password so replace the coresponding section with:

SFTPAuthMethods password
#SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u

To be clear: this it to use passwords (like in FTP) for logins. And you can drop also the generating access keys part, unless you really want it and need it. I was after the smoothest transition possible for my users and so it was.

Don't take the name of root in vain...

Mon, 03/16/2015 - 09:11
-eclipse-

Hi fakemoth

Just what I need. All our users are using FTP (at the moment) but some have asked for the SFTP option, but still want to use the old username / password as you describe above. When adding the configuration to the proftpd.conf file, do I need to be aware of any changes within the virtualmin users area, when creating new users for SFTP usage?

  • Tim
Mon, 03/16/2015 - 09:26
-eclipse-

Hi fakemoth

Hmm, I added the following to the /etc/proftpd.conf file

<IfModule mod_sftp.c>

        SFTPEngine on
        Port 2222
        SFTPLog /var/log/proftpd/sftp.log
       
        SFTPAuthMethods password

        # Enable compression
        SFTPCompression delayed

</IfModule>

did a /etc/init.d/proftpd restart created a new user (FTP only) and tried to logon with that on port 2222 no success... :( No connection could be make because the target machine actively refused it.

So where did it go wrong? Do I have to create the user as an user on the server instead? Please be advised that I do the SFTP on port 2222 internal so there is no firewall rules in between.

  • Tim
Mon, 03/16/2015 - 10:15 (Reply to #31)
Joe
Joe's picture

You can check to see if it's listening on that port:

netstat -ln | grep 2222

And, then, if it is, you can check to see if it's accessible from your client machine (maybe there's a firewall you don't know about):

nmap address.of.server

I would also check the proftpd log and messages for any clues about failures.

--

Check out the forum guidelines!

Tue, 03/17/2015 - 08:14 (Reply to #32)
-eclipse-

Hi Joe

When I do the following command

netstat -ln | grep 2222

I don't see anything... So it looks like it doesn't listening on port 2222 even though I have added it to the proftpd.conf file.

  • Tim
Mon, 03/16/2015 - 09:52
fakemoth
fakemoth's picture

No other changes (for the first question).

Hmmm, are you sure you are connecting with some client that is SFTP aware, can you test with Filezilla for example? And yes the user should be a system user, locally created, just like for FTP... I don't think I get it...

You should get at least the pop-up about the SSH keys, did you got that? What are your logs saying?

Don't take the name of root in vain...

Mon, 03/16/2015 - 10:06
-eclipse-

Hi fakemoth

In the bottom of the /etc/proftpd.conf file I have added the following lines

<IfModule mod_sftp.c>

        SFTPEngine on
        Port 2222
        SFTPLog /var/log/proftpd/sftp.log

        # Configure both the RSA and DSA host keys, using the same host key
        # files that OpenSSH uses.
        #SFTPHostKey /etc/ssh/ssh_host_rsa_key
        #SFTPHostKey /etc/ssh/ssh_host_dsa_key

        #SFTPAuthMethods publickey

        SFTPAuthMethods password
        #SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u

        # Enable compression
        SFTPCompression delayed

</IfModule>

Have I commented to much out?

I have tried with filezilla as described in the tutorial URL you sent to me. https://www.digitalocean.com/community/tutorials/how-to-configure-proftp...

Network error:Software caused connection abort

I don't get any popup regarding SSH keys? The following error I see in the /var/log/proftp/sftp.log

Mar 16 15:55:50 mod_sftp/0.9.7[14209]: no available host keys, unable to handle session

I have also commented out the following line in /etc/ssh/sshd_config

Subsystem sftp /usr/lib/openssh/sftp-server

  • Tim
Mon, 03/16/2015 - 10:17
fakemoth
fakemoth's picture

Yeah you did:

<IfModule mod_sftp.c>

        SFTPEngine on
        Port 2222
        SFTPLog /var/log/proftpd/sftp.log

        # Configure both the RSA and DSA host keys, using the same host key
        # files that OpenSSH uses.
        SFTPHostKey /etc/ssh/ssh_host_rsa_key
        SFTPHostKey /etc/ssh/ssh_host_dsa_key

        #SFTPAuthMethods publickey

        SFTPAuthMethods password
        #SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u

        # Enable compression
        SFTPCompression delayed

</IfModule>

Those are your servers keys :) I was refering to the client keys, for authentication only with keys, nvm I corrected it for you. Also be sure, that is the actual location for your keys (check if they are there).

Second please comment back the line for SSH, like this. And just forget about the regular SSH - that is where you get a shell; in the SFTP module from proftpd you don't.

# Subsystem sftp /usr/lib/openssh/sftp-server

Don't take the name of root in vain...

Tue, 03/17/2015 - 08:24
-eclipse-

Hi fakemoth

I have changed the proftpd.conf file as described above, added in the bottom of the file.

<IfModule mod_sftp.c>

        SFTPEngine on
        Port 2222
        SFTPLog /var/log/proftpd/sftp.log

        # Configure both the RSA and DSA host keys, using the same host key
        # files that OpenSSH uses.
        SFTPHostKey /etc/ssh/ssh_host_rsa_key
        SFTPHostKey /etc/ssh/ssh_host_dsa_key

        #SFTPAuthMethods publickey

        SFTPAuthMethods password
        #SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u

        # Enable compression
        SFTPCompression delayed

</IfModule>

I have also commented the line for SSH again (/etc/ssh/sshd_config) so it looks like the following.

# Subsystem sftp /usr/lib/openssh/sftp-server

The SSH keys are located in the folder as setup in the config file.

Then I have restarted the proftpd service.

The command netstat -ln | grep 2222 doesn't give me anything.

Secondly i don't get any new log in /var/log/proftp/sftp.log and FileZilla still gives me the error : Network error: Connection refused.

What do I do wrong here?

It should be easy to setup doing the above changes, but I can't get it to work...

  • Tim
Tue, 03/17/2015 - 08:26
-eclipse-

Hi Joe and fakemoth

Regarding firewall, I don't have the firewall (iptables) active on the virtualmin server and the client I am using is on the same network, 2 ip's in between. So no Internet, WAN or anything in between.

  • Tim
Thu, 03/19/2015 - 06:23
-eclipse-

Hi

I have given up to get ProFTPD to work with SFTP. It will not start the SFTPengine on port 2222, no error logs or anything useful.

  • Tim
Thu, 03/19/2015 - 06:34
fakemoth
fakemoth's picture

Well there isn't really nothing else to it, so... I don't know what to say. I still think that somehow you have that port closed... or something... you aren't in the same VLAN maybe or stuff like that... I really can't say - but you should try to make it work as I would mark it as"critical".

Try it on a test machine also? Or in a virtual one?

Don't take the name of root in vain...

Fri, 03/20/2015 - 04:43
-eclipse-

Hi Fakemoth

I took a new look at the setup today and I managed to get it working :) What I found out was that the module mod_sftp.c was not loaded. That's the reason the server was not listening on port 2222

# Support for the SSH2, SFTP, and SCP protocols, for secure file transfer over
# an SSH2 connection (http://www.castaglia.org/proftpd/modules/mod_sftp.html)
   LoadModule mod_sftp.c

After I removed the # from the line above and restarted the services sshd, proftpd I was able to logon with a normal FTP user using SFTP on port 2222.

Success all over :)

Below is what I had to do. Uncomment the line below in /etc/proftpd.conf

# Support for the SSH2, SFTP, and SCP protocols, for secure file transfer over
# an SSH2 connection (http://www.castaglia.org/proftpd/modules/mod_sftp.html)
   LoadModule mod_sftp.c

Attach the below code in /etc/proftpd.conf

<IfModule mod_sftp.c>
         SFTPEngine on
        Port 2222
        SFTPLog /var/log/proftpd/sftp.log

        # Configure both the RSA and DSA host keys, using the same host key
        # files that OpenSSH uses.
        SFTPHostKey /etc/ssh/ssh_host_rsa_key
        SFTPHostKey /etc/ssh/ssh_host_dsa_key

        #SFTPAuthMethods publickey

        SFTPAuthMethods password
        #SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u

        # Enable compression
        SFTPCompression delayed
</IfModule>

Commented the line below for SSH in the file /etc/ssh/sshd_config

# Subsystem sftp /usr/lib/openssh/sftp-server

Restart the 2 services sshd and proftpd

service sshd restart
service proftpd restart

Then it works :)

Unbelievable that I didn't see the module in the proftpd.conf file before.

  • Tim
Fri, 03/20/2015 - 04:53
-eclipse-

Hi again

Will the normal FTP on port 21 not work while using the SFTP option above?

  • Tim
Fri, 03/20/2015 - 07:14
-eclipse-

Hi all

I managed to get both FTP and SFTP working at the same time. I just added the < virtualhost a.b.c.d > tag in the < ifmodule > configuration. Where a.b.c.d represent the IP of the server.

<IfModule mod_sftp.c>
   <virtualhost a.b.c.d>
        SFTPEngine on
        Port 2222
        SFTPLog /var/log/proftpd/sftp.log

        # Configure both the RSA and DSA host keys, using the same host key
        # files that OpenSSH uses.
        SFTPHostKey /etc/ssh/ssh_host_rsa_key
        SFTPHostKey /etc/ssh/ssh_host_dsa_key

        #SFTPAuthMethods publickey

        SFTPAuthMethods password
        #SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u

        # Enable compression
        SFTPCompression delayed
   </virtualhost>
</IfModule>
  • Tim
Fri, 03/20/2015 - 05:53
fakemoth
fakemoth's picture

Glad you did it! Didn't think about that setting - was suspecting network issues. But I dropped the FTP for good, closed ports, etc as this was the point, right? :D

Don't take the name of root in vain...

Thu, 04/23/2015 - 22:15
Joe
Joe's picture

Not that I want to revive this chaotic thread (or the really grumpy one that it links to), but I just wanted to chime in that I've committed changes to virtualmin-base on both CentOS/RHEL and Debian/Ubuntu to enable this by default.

It will not go into current operating system installs for at least another few days (and older systems will never get it, as there have been too many changes in virtualmin-base for me to be comfortable rolling it out without some testing), but Debian 8 (coming in a few days) will have SFTP enabled on port 2222 immediately after installation.

This will not effect already installed systems, so if you're already running Virtualmin and want this feature enabled in ProFTPd, add the following to the end of proftpd.conf (or sftpd.conf in /etc/proftpd/conf.d if you have such a directory):

LoadModule mod_sftp.c
<IfModule mod_sftp.c>

        SFTPEngine on
        Port 2222
        SFTPLog /var/log/proftpd/sftp.log

        # Configure both the RSA and DSA host keys, using the same host key
        # files that OpenSSH uses.
        SFTPHostKey /etc/ssh/ssh_host_rsa_key
        SFTPHostKey /etc/ssh/ssh_host_dsa_key

        SFTPAuthorizedUserKeys file:~/.sftp/authorized_keys

        # Enable compression
        SFTPCompression delayed

</IfModule>

And restart the proftpd server. Note that this is somewhat simplified from some of the other examples that have been posted and linked, and less prone to user error or confusion (some of the examples only allow key-based authentication, which is beyond many users comfort zone).

--

Check out the forum guidelines!

Mon, 04/27/2015 - 02:32
fakemoth
fakemoth's picture

This is good news indeed, thanks Joe; will gladly remove any link offensive, it seems I blew some steam here against exactly 2 users in the last weeks that were escalating discussions with personal accusations. This is not the place, agreed.

What link are you referring to, the 2012 post with the graphical console?

Don't take the name of root in vain...

Wed, 12/07/2016 - 05:53
Rhandy

LoadModule mod_sftp.c

SFTPEngine on Port 2222 SFTPLog /var/log/proftpd/sftp.log # Configure both the RSA and DSA host keys, using the same host key # files that OpenSSH uses. SFTPHostKey /etc/ssh/ssh_host_rsa_key SFTPHostKey /etc/ssh/ssh_host_dsa_key SFTPAuthorizedUserKeys file:~/.sftp/authorized_keys # Enable compression SFTPCompression delayed

Ok I can use this, but I have to create keys for users by hand.

Any way for Virtualmin auto create keys for users?

Wed, 12/07/2016 - 15:34
Rhandy

I try to create one script to put on server creation: Virtualmin -> System Settings -> Virtualmin Configuration ->Actions upon server and user creation -> Command to run before making changes to a server:

BUT I CAN´T GET USER PASSWORD ON CREATION -> #VIRTUALSERVER_PASS is always empty

#!/bin/ksh

####### CREATE SSH KEYS FOR PROFTD - SFTP USE ###################

if [ ! "$VIRTUALSERVER_PARENT" ]
then
  if   [ "$VIRTUALSERVER_ACTION" == "CREATE_DOMAIN" ]
  then
    if [ ! "$VIRTUALSERVER_CREATED" ]
    then

          mkdir -p /$VIRTUALSERVER_HOME/.ssh
          ssh-keygen -t rsa -b 4096 -N $VIRTUALSERVER_PASS -f /$VIRTUALSERVER_HOME/.ssh/mysshkey
         sudo ssh-keygen -e /$HOME/.ssh/mysshkey.pub | sudo tee /etc/proftpd/authorized_keys/$VIRTUALSERVER_DOM
        echo " VIRTUAL SERVER DOM = "$VIRTUALSERVER_DOM
        echo " VIRTUAL SERVER USER =" $VIRTUALSERVER_USER
        echo "VIRTUAL SERVER HOME =" $VIRTUALSERVER_HOME
        echo "VIRTUAL SERVER PASS ="$VIRTUALSERVER_PASS ### >>>>>> empty
        echo "Setting up $VIRTUALSERVER_DOM to  environment for sftp"
        echo " .. done"
    fi
  fi
fi
Wed, 12/07/2016 - 18:23
Rhandy

Ok

Is done!!

I create one CUSTOM FIELD = PASSSSH

and script

#!/bin/sh

if [ "$VIRTUALSERVER_PARENT" = "" ]; then
  if [ "$VIRTUALSERVER_ACTION" = "CREATE_DOMAIN" ]; then
         cd $VIRTUALSERVER_HOME
         mkdir .ssh
         chown $VIRTUALSERVER_USER:$VIRTUALSERVER_GROUP .ssh
         chmod 700 .ssh
         sudo ssh-keygen -t rsa -b 4096 -N $VIRTUALSERVER_FIELD_PASSSSH -f $VIRTUALSERVER_HOME/.ssh/mysshkey
        sudo ssh-keygen -e -f $VIRTUALSERVER_HOME/.ssh/mysshkey.pub | sudo tee /etc/proftpd/authorized_keys/$VIRTUALSERVER_USER
        echo " PASWORD SSH  =" $VIRTUALSERVER_FIELD_PASSSSH
        echo " Setting up $VIRTUALSERVER_DOM to  environment for sftp"
        echo " .. done"
  fi

if [ "$VIRTUALSERVER_ACTION" = "MODIFY_DOMAIN" ]; then


### for verify is field is not empty
    if [ "$VIRTUALSERVER_FIELD_PASSSSH" != "" ]; then

######## create new key with new password
        sudo rm -Rf $VIRTUALSERVER_HOME/.ssh
        cd $VIRTUALSERVER_HOME
        mkdir .ssh
        chown $VIRTUALSERVER_USER:$VIRTUALSERVER_GROUP .ssh
        chmod 700 .ssh
        sudo ssh-keygen -t rsa -b 4096 -N $VIRTUALSERVER_FIELD_PASSSSH -f $VIRTUALSERVER_HOME/.ssh/mysshkey
        sudo ssh-keygen -e -f $VIRTUALSERVER_HOME/.ssh/mysshkey.pub | sudo tee /etc/proftpd/authorized_keys/$VIRTUALSERVER_USER
        echo " PASWORD SSH  =" $VIRTUALSERVER_FIELD_PASSSSH
        echo " Setting New SFTP password for domain $VIRTUALSERVER_DOM to environment for sftp"
        echo " .. done"
    fi
  fi
fi