12

I've been tasked to install a new SFTP server. Per se, this is a very simple operation: simply using the internal-sftp role of the ubiquitous SSH service (with chrooting) is sufficient to have a reliable SFTP server.

However, it's in my nature to always try at least two different approaches for the same problem, and I realized I can use ProFTPD with an SFTP plugin to do the same thing, with the added benefit of more granular file-transfer-related options (e.g. bandwidth throttling). On the other hand, this plugin is not compiled (and bundled) by default, and I would like to avoid a (perhaps) "less tested" solution.

At the moment, the only required service is SFTP; however, I'm playing in advance and I would like to implement a solution which can not only work with SFTP, but with FTP/S also.

Considering that I am going to chroot users inside their homes, what do you feel is a better solution?

  1. use SSH internal-sftp and a standalone FTP server (vsftpd or proftpd) for FTP/S services
  2. only use the ProFTPD service with the relevant plugin
shodanshok
  • 1
    This is probably opinion-based. If you don't use `internal-sftp` of `sshd`, you will probably have to use SFTP on a different port than the default (if you still want sshd), which is certainly a usability issue. – Jakuje Apr 20 '16 at 15:07
  • Hi, thanks for your input. I'm not in search of opinions, rather for best-practice advice from someone who already evaluated the two options described. Your point about the listening TCP port is right, but in this setup using a different port for SSH is not an issue. – shodanshok Apr 20 '16 at 18:49
  • 1
    I'm not sure that "untested" is a fair judgment of ProFTPD's `mod_sftp` module; there are many sites which do in fact use it on a daily basis. – Castaglia Apr 21 '16 at 21:23
  • Thank you for the comment. So is `mod_sftp` more commonly used than I thought? Great. Anyway, I would not judge `mod_sftp` as untested; it was for that reason I used the quotes. I'll reword that part of the question. – shodanshok Apr 21 '16 at 21:43

2 Answers

4

SSH's SFTP server has some additional requirements for chroot directories, i.e. the user can't have write access to the chroot dir; in some environments this might be a problem.

If you also need FTP/FTPS I would suggest giving mod_sftp a go. We are using it in production on about 20 servers with over 10k accounts with almost nil problems (SFTP is the least used protocol). The downside might be that it doesn't support the password authentication method, but it supports RSA keys and keyboard-interactive, so it is only a problem for very old clients.

Lazy404
  • `20 servers with over 10k accounts` - many thanks for your report, it is much appreciated. About the difference in home's write permission, I already worked around it ;) – shodanshok May 31 '16 at 13:10
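The first answer's point about chroot directories is worth checking mechanically before an sshd `ChrootDirectory` deployment: sshd requires every component of the chroot path to be a root-owned directory that is not writable by group or others, so the user's writable area has to be a subdirectory beneath the chroot. The following checker is an added example (not OpenSSH's code and not from the answer above); `check_chroot_path` takes an injectable `stat_fn` so the rule can be exercised against a constructed directory tree without touching the real filesystem.

```python
"""Verify the ownership and permission rule sshd applies to ChrootDirectory:
every path component must be a root-owned directory that is not writable by
group or others.  Added example, not OpenSSH code."""
import os
import stat


def chroot_component_ok(st_uid, st_mode):
    """True if one path component is a root-owned directory without group/world write."""
    if st_uid != 0:
        return False
    if not stat.S_ISDIR(st_mode):
        return False
    return not (st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def check_chroot_path(path, stat_fn=os.stat):
    """Walk from '/' down to `path` and return the components that violate the
    rule as (path, reason) pairs; an empty list means sshd will accept it.
    `stat_fn` is an assumed injection point so tests can use a fake tree."""
    path = os.path.abspath(path)
    candidates = [os.sep]
    current = os.sep
    for part in path.split(os.sep):
        if part:
            current = os.path.join(current, part)
            candidates.append(current)

    problems = []
    for comp in candidates:
        try:
            st = stat_fn(comp)
        except FileNotFoundError:
            problems.append((comp, "does not exist"))
            continue
        if not chroot_component_ok(st.st_uid, st.st_mode):
            problems.append(
                (comp, "must be a root-owned directory, not group/world-writable")
            )
    return problems


if __name__ == "__main__":
    # Typical layout: /srv/sftp/<user> is the root-owned chroot, and the user
    # writes into a subdirectory (e.g. /srv/sftp/<user>/upload) owned by them.
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/srv/sftp"
    for comp, reason in check_chroot_path(target) or []:
        print(f"{comp}: {reason}")
```

Run it with the intended chroot path as the argument; any line printed names a component that sshd would reject (the classic mistake is making the chroot itself owned by the user so they can write into it directly).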
3

This is an older thread but I'd just like to add for future readers that we've been configuring servers to use proftpd with mod_sftp for years with no problems at all. I like very much that the separation of services gives fine-grained control over security, the service itself, and user management.

You can configure proftpd to support either or both passwords/keys with mod_sftp if you also include the sftp_pam module. Here's an example config that enables both:

# Include all available modules
Include /etc/proftpd/modules.conf

<Global>
  <IfModule mod_sftp.c>
    <IfModule mod_sftp_pam.c>
      SFTPPAMEngine on
      SFTPPAMServiceName sftp
    </IfModule>

    SFTPEngine on
    SFTPLog /var/log/proftpd/sftp.log

    # Configure both the host keys
    SFTPHostKey /etc/ssh/ssh_host_rsa_key
    SFTPHostKey /etc/ssh/ssh_host_dsa_key

    # Accept public keys, passwords and keyboard-interactive (PAM) logins
    SFTPAuthMethods publickey password keyboard-interactive
    # Per-user authorized keys; %u expands to the login name
    SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u

    # Enable compression
    SFTPCompression delayed
  </IfModule>
</Global>
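To make the authentication policy in a configuration like the one above reviewable (rather than discovered at first login), here is an added example, not ProFTPD's code and not from the answer, that parses ProFTPD's nested `<Block>` syntax and summarises the effective mod_sftp settings. The `SAMPLE_CONFIG` string is a constructed copy of the answer's configuration; the one consistency rule it applies is the answer's own statement that password-style logins depend on the PAM module, so it flags `password` or `keyboard-interactive` in `SFTPAuthMethods` when `SFTPPAMEngine` is not on.

```python
"""Parse a ProFTPD configuration and report the effective mod_sftp auth policy.
Added example; the parser and the policy check are not part of ProFTPD."""
import re

# Constructed copy of the configuration shown in the answer above.
SAMPLE_CONFIG = """\
# Include all available modules
Include /etc/proftpd/modules.conf

<Global>
  <IfModule mod_sftp.c>
    <IfModule mod_sftp_pam.c>
      SFTPPAMEngine on
      SFTPPAMServiceName sftp
    </IfModule>

    SFTPEngine on
    SFTPLog /var/log/proftpd/sftp.log

    SFTPHostKey /etc/ssh/ssh_host_rsa_key
    SFTPHostKey /etc/ssh/ssh_host_dsa_key

    SFTPAuthMethods publickey password keyboard-interactive
    SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u

    SFTPCompression delayed
  </IfModule>
</Global>
"""

OPEN_TAG = re.compile(r"^<(\w+)(?:\s+(.*?))?>$")
CLOSE_TAG = re.compile(r"^</(\w+)>$")


def parse_directives(text):
    """Return (context, name, args) triples; context is the tuple of enclosing
    block headers, e.g. ('Global', 'IfModule mod_sftp.c').  Raises ValueError
    on unbalanced blocks, which ProFTPD would also refuse to load."""
    stack, out = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # ProFTPD comments are whole lines
            continue
        m = CLOSE_TAG.match(line)
        if m:
            if not stack or not stack[-1].startswith(m.group(1)):
                raise ValueError(f"unbalanced close tag: {line}")
            stack.pop()
            continue
        m = OPEN_TAG.match(line)
        if m:
            stack.append(m.group(1) + (" " + m.group(2) if m.group(2) else ""))
            continue
        name, _, args = line.partition(" ")
        out.append((tuple(stack), name, args.split()))
    if stack:
        raise ValueError(f"unclosed block(s): {stack}")
    return out


def sftp_auth_policy(directives):
    """Summarise the mod_sftp settings and flag the inconsistency the answer
    warns about: password/keyboard-interactive listed without the PAM engine."""
    methods, host_keys = [], []
    sftp_engine = pam_engine = False
    for _ctx, name, args in directives:
        if name == "SFTPAuthMethods":
            methods = args
        elif name == "SFTPHostKey":
            host_keys.append(args[0])
        elif name == "SFTPEngine":
            sftp_engine = args[0].lower() == "on"
        elif name == "SFTPPAMEngine":
            pam_engine = args[0].lower() == "on"

    warnings = []
    if sftp_engine and not host_keys:
        warnings.append("SFTPEngine is on but no SFTPHostKey is configured")
    needs_pam = sorted({"password", "keyboard-interactive"} & set(methods))
    if needs_pam and not pam_engine:
        warnings.append(f"{needs_pam} in SFTPAuthMethods but SFTPPAMEngine is not on")
    return {
        "enabled": sftp_engine,
        "methods": methods,
        "host_keys": host_keys,
        "pam": pam_engine,
        "warnings": warnings,
    }


if __name__ == "__main__":
    policy = sftp_auth_policy(parse_directives(SAMPLE_CONFIG))
    for key, value in policy.items():
        print(f"{key}: {value}")
```

Point the parser at `/etc/proftpd/proftpd.conf` (reading the file into `text`) to review a live server; the `Include` directive is reported but not followed, so modules enabled only through `modules.conf` will not appear in the parsed directives.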