So, I managed to configure ProFTPD to allow password login for system users. I have two issues: umask and pk auth.
Include /etc/proftpd/modules.conf
UseIPv6 on
ServerName "Debian"
ServerType standalone
MultilineRFC2228 on
DefaultServer on
Port 21
PassivePorts 49152 49407
MaxInstances 30
SystemLog /var/log/proftpd/proftpd.log
<IfModule mod_ctrls.c>
ControlsEngine off
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>
<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>
<Global>
UseFtpUsers on
IdentLookups off
DeferWelcome off
ShowSymlinks on
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayChdir .message true
ListOptions "-l"
DenyFilter \*.*/
DefaultRoot ~
RequireValidShell off
User proftpd
Group nogroup
Umask 007 007
AllowOverwrite on
# AuthOrder mod_sql.c
CreateHome on
TransferLog /var/log/proftpd/xferlog
<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>
<IfModule mod_ratio.c>
Ratios off
</IfModule>
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
<IfModule mod_xfer.c>
MaxStoreFileSize 70 Mb
HiddenStores on
DeleteAbortedStores on
</IfModule mod_xfer.c>
<Directory /htdocs/*/>
Umask 0007
<Limit MKD XMKD RMD XRMD SITE_CHMOD>
DenyUser !ftpadmin
</Limit>
</Directory>
</Global>
Include /etc/proftpd/sftp.conf
and sftp.conf is as follows
<IfModule mod_sftp.c>
<VirtualHost $(hostname)>
Port 23
SFTPEngine on
SFTPAuthorizedUserKeys file:/home/%u/.ssh/authorized_keys
SFTPHostKey /etc/ssh/ssh_host_dsa_key
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_ecdsa_key
SFTPCompression delayed
SFTPLog /var/log/proftpd/sftp.log
</VirtualHost>
</IfModule mod_sftp.c>
[umask] However, when a user logs in and puts a file, the uploaded file takes the permissions that it had originally (I'm testing using OS X and Linux as clients, so that makes sense). I have not tested the pure FTP solution, but I'd rather provide SFTP.
[pk auth] When I attempt a PK authentication, the client correctly offers the right key, and says
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 535
debug2: input_userauth_pk_ok: fp SHA256:Eft1LIOozSylL20lfMc9gUdl3gKtd0zEdeyNtCb1p8Q
but then concludes with
debug1: Authentications that can continue: password
which confuses me to no end. On the server side, I have
no account for user 'sftpuser' found
sending userauth failure; remaining userauth methods: password
which is funny because the user does indeed exist (and can successfully perform a password login). I even converted my OpenSSH key to the RFC4716 format that ProFTPD appears to prefer.
I admit I have a grand total of about 4 hours of experience with ProFTPD, but I've been reading all I could, and the config files make sense to me. This all is running in a Docker container. What am I missing?
Unlike FTP, SFTP uploads often contain their own permissions as part of the SFTP OPEN request. To make SFTP uploads behave more like FTP uploads, with regard to ProFTPD configuration (e.g. Umask), you want to configure mod_sftp to ignore the upload permissions using the IgnoreSFTPUploadPerms SFTPOptions:
<IfModule mod_sftp.c>
...
SFTPOptions IgnoreSFTPUploadPerms
...
</IfModule>
For the publickey authentication issue, the SFTPLog you configured should have more clues as to what might be the issue. Perhaps the configured file does not exist, or does not have the necessary permissions? Keep in mind that ~/.ssh/authorized_keys is often used by OpenSSH, and that the format of that file is different than what ProFTPD desires. For that reason, I often use:
SFTPAuthorizedUserKeys file:~/.sftp/authorized_keys
i.e. a different file from what OpenSSH wants, in a different format (RFC 4716), to avoid any possible confusion/collision.
Hope this helps!
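As an added illustration of the format difference discussed above (not part of the original answer, and not ProFTPD code), this Python sketch classifies a keys file as OpenSSH-style or RFC 4716 and converts an OpenSSH `authorized_keys` line into an RFC 4716 block. The function names and the sample key are constructed for this example.

```python
import base64

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def blob_key_type(b64):
    """Return the algorithm name stored at the start of a key blob, else None."""
    try:
        raw = base64.b64decode(b64, validate=True)
        n = int.from_bytes(raw[:4], "big")  # SSH string: 4-byte length, then bytes
        return raw[4:4 + n].decode("ascii") if 0 < n <= len(raw) - 4 else None
    except ValueError:  # bad base64 or non-ASCII name
        return None

def split_openssh_line(line):
    """Return (type, blob, comment), skipping any leading key options."""
    tokens = line.split()
    for i in range(len(tokens) - 1):
        if blob_key_type(tokens[i + 1]) == tokens[i]:  # type field matches its blob
            return tokens[i], tokens[i + 1], " ".join(tokens[i + 2:])
    raise ValueError("no OpenSSH public key found in line")

def to_rfc4716(line):
    """Convert one OpenSSH authorized_keys line to an RFC 4716 block."""
    _, blob, comment = split_openssh_line(line)
    out, header = [BEGIN], 'Comment: "%s"' % comment
    # RFC 4716 caps lines at 72 bytes; an over-long or quoted comment is dropped.
    if comment and '"' not in comment and len(header.encode()) <= 72:
        out.append(header)
    out += [blob[i:i + 70] for i in range(0, len(blob), 70)]
    return "\n".join(out + [END]) + "\n"

def detect_format(text):
    """Classify a keys file as 'rfc4716', 'openssh', 'mixed' or 'unknown'."""
    kinds = set()
    for line in text.splitlines():
        if line.strip() == BEGIN:
            kinds.add("rfc4716")
        elif not line.lstrip().startswith("#"):
            try:
                split_openssh_line(line)
            except ValueError:
                continue  # blank line, RFC 4716 header/body line, or junk
            kinds.add("openssh")
    return "mixed" if len(kinds) > 1 else (kinds.pop() if kinds else "unknown")

# Constructed sample, not a real key: RSA-shaped blob (type, e=65537, filler modulus).
_RAW = b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00\x03\x01\x00\x01\x00\x00\x01\x01\x00" + b"\xc3" * 256
SAMPLE_BLOB = base64.b64encode(_RAW).decode()
SAMPLE_LINE = "no-port-forwarding ssh-rsa " + SAMPLE_BLOB + " sftpuser@client"
```

Running `detect_format()` on the contents of the file named in `SFTPAuthorizedUserKeys` shows which format it actually holds. OpenSSH's own `ssh-keygen -e -f key.pub` exports a public key in the same RFC 4716 format.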